Security Incidents mailing list archives

more weird traceroutes


From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Tue, 2 May 2000 09:51:18 -0400


How about this.  A traceroute (sort of) masquerading as RingZero!
It started with this:

00:50:49.091588 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
00:50:49.091774 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 17, id 16384)
...
00:50:49.093137 212.209.62.2.1040 > 142.62.0.108.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)

The above pattern was repeated a total of 4 times with only the IP ID changing.
This was followed by this (also repeated 4 times):

00:51:36.515153 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 18, id 9986)
00:51:36.515310 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) (ttl 17, id 9986)
...
00:51:36.521579 212.209.62.2.1170 > 142.62.0.108.8080: S 126571:126571(0) win 8192 <mss 1460> (DF) [ttl 1] (id 9986)

and this (repeated 4 times):

00:52:24.638450 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 18, id 14851)
00:52:24.638597 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) (ttl 17, id 14851)
...
00:52:24.640191 212.209.62.2.1248 > 142.62.0.108.3128: S 174756:174756(0) win 8192 <mss 1460> (DF) [ttl 1] (id 14851)

Also, TTL analysis shows either the source address is spoofed, or at least
that there is initial TTL trickery going on.

Don


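An added example, not part of Don's message or the list archive, that turns the pattern he describes into a check: a small Python detector that parses tcpdump summary lines in the format quoted above, groups packets by source, ports, flags, sequence number and IP ID, and flags a group whose TTL decreases packet by packet. That is what a TTL-sweep probe looks like, and it is what an ordinary TCP retransmission (same sequence number, constant TTL, fresh IP ID) does not look like. The capture it runs on is constructed for the example, with addresses from documentation ranges; only the line format is taken from the post. Function and field names are the example's own.

```python
import re
from collections import defaultdict

# Regex for the old-style tcpdump TCP summary line quoted in the post, e.g.
#   ... 80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 18, id 16384)
#   ... 80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)
# The ttl/id trailer has two spellings, so both are matched.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):\d+\(\d+\).*?"
    r"(?:\(ttl (?P<ttl1>\d+), id (?P<id1>\d+)\)|\[ttl (?P<ttl2>\d+)\] \(id (?P<id2>\d+)\))\s*$"
)

# Constructed sample capture (documentation-range addresses): one five-hop
# TTL sweep to port 80, one benign SYN retransmission pair, one ICMP line
# the TCP regex must ignore.
SAMPLE_CAPTURE = """\
00:50:49.091588 198.51.100.7.1040 > 192.0.2.10.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 5, id 16384)
00:50:49.091774 198.51.100.7.1040 > 192.0.2.10.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 4, id 16384)
00:50:49.091901 198.51.100.7.1040 > 192.0.2.10.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 3, id 16384)
00:50:49.092044 198.51.100.7.1040 > 192.0.2.10.80: S 79134:79134(0) win 8192 <mss 1460> (DF) (ttl 2, id 16384)
00:50:49.093137 198.51.100.7.1040 > 192.0.2.10.80: S 79134:79134(0) win 8192 <mss 1460> (DF) [ttl 1] (id 16384)
00:50:52.100001 203.0.113.9.2233 > 192.0.2.10.80: S 500:500(0) win 8760 <mss 1460> (DF) (ttl 116, id 4101)
00:50:55.100233 203.0.113.9.2233 > 192.0.2.10.80: S 500:500(0) win 8760 <mss 1460> (DF) (ttl 116, id 4102)
00:50:56.000000 203.0.113.9 > 192.0.2.10: icmp: echo request
"""


def parse_line(line):
    """Return the fields of one tcpdump TCP line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {
        "ts": g["ts"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "flags": g["flags"],
        "seq": int(g["seq"]),
        "ttl": int(g["ttl1"] or g["ttl2"]),
        "ipid": int(g["id1"] or g["id2"]),
    }


def find_ttl_sweeps(lines, min_hops=3):
    """Group packets that are identical except for TTL and report descending runs.

    A host retransmitting a SYN keeps the same TTL and (normally) picks a new
    IP ID; a TTL sweep reuses the IP ID and sequence number and lowers the TTL
    on every packet, so a strictly decreasing TTL within one group is the tell.
    """
    groups = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
               pkt["flags"], pkt["seq"], pkt["ipid"])
        groups[key].append(pkt)

    sweeps = []
    for key, pkts in groups.items():
        ttls = [p["ttl"] for p in pkts]
        if len(ttls) >= min_hops and all(a > b for a, b in zip(ttls, ttls[1:])):
            src, sport, dst, dport, flags, seq, ipid = key
            sweeps.append({
                "src": src, "sport": sport, "dst": dst, "dport": dport,
                "seq": seq, "ipid": ipid,
                "ttl_start": ttls[0], "ttl_end": ttls[-1],
                "first_seen": pkts[0]["ts"], "last_seen": pkts[-1]["ts"],
            })
    return sweeps


def describe(sweep):
    """One-line report for a detected sweep."""
    return ("TTL sweep {src}:{sport} -> {dst}:{dport} seq {seq} id {ipid} "
            "ttl {ttl_start}..{ttl_end} between {first_seen} and {last_seen}"
            .format(**sweep))


if __name__ == "__main__":
    for s in find_ttl_sweeps(SAMPLE_CAPTURE.splitlines()):
        print(describe(s))
```

Run it against a capture saved from `tcpdump -v` of the era and the four runs Don describes would show up as four sweeps per destination port, one per IP ID. Modern tcpdump prints the TTL and ID in a different place and format, so the regex is the part to adapt. The highest TTL seen in a sweep says nothing by itself about how far away the sender really is, which is the ambiguity Don points at: it could be a distant host starting at a small initial TTL, or a nearby one choosing its starting TTL to look that way.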