Security Incidents mailing list archives

Re: Mysterious s...l...o...w SYN&FIN/FIN/NULL scan


From: Joe Stewart <jstewart () LURHQ COM>
Date: Fri, 24 Nov 2000 21:01:06 -0500

Without actual packet dumps, this is all speculation, but it seems that
someone could be using hping in the following fashion, where aaa.bbb.ccc.ddd
is your webserver:

hping -k -s 5635 -S -F aaa.bbb.ccc.ddd
hping -k -s 5635 -F aaa.bbb.ccc.ddd
hping -k -s 5635 aaa.bbb.ccc.ddd

That would seem to generate the traffic you describe, but why they would want
to do that is still a mystery. I see two possible scenarios -

1. They are attempting to bounce a scan off of your server, but FROM, not
TO those ISP dialups. If the ISP dialups were the targets, you would be seeing
RST or SYN-ACK packets from them. So this traffic may be how they obtain the IP
id from your host for use in determining the scan (hping prints the IP id,
ping doesn't). In this case you would be seeing RST or SYN-ACK from other
random hosts at the same time these probes occur.

2. Someone is using hping to check their net connectivity at given times, and
your webserver is an easy hostname to type.

Of course, neither of these theories explains the reason behind specifying
source port 5635.

-Joe

--
Joe Stewart
Information Security Analyst
LURHQ Corporation
==========================>
843-347-1075 ext. 303
jstewart () lurhq com



On Fri, 24 Nov 2000, mike.blomgren () ccnox com wrote:
We have for the last several weeks been hit by a mysteriously slow
scan. However, it isn't a regular portscan, and doesn't cause any
problems - other than that our IDS detects and logs them. We just
don't know what it is, what they're looking for, and why it keeps
coming...

Key issues:
* The target machine is always the same.
* The destination port is always 0.
* The sourceport is always 5635.
* The TCP Flags are one of 3 combinations: SYN & FIN, just FIN, or NULL
(no flags set at all)
* Here's the funny part: The source machine is always in one of three
adjacent C-class addresses, emanating from a large European ISP. The
source IPs always resolve to a FQDN, obviously belonging to some sort
of dial-up (i.e. ppp132.dialup.<big ISP>.<same country as us>). (No,
they have not responded to our queries.)
* Each combination of the above, is seen only once. For example, if a
specific src ip has sent three packets with one of each (SYN&FIN, FIN &
NULL) - we don't see the same source IP again.
* The packets usually come 3-4 at a time. Seldom more than 15 in one
burst. Each packet is usually a minute or so apart. Sometimes they have
different src IPs, within the same 'burst'. The bursts range from
roughly 12 to 72 hours between each.
* The packets can come at any time of the day.

The target is a unix based webserver running a fairly large 'public'
application. (Details can be sent offlist). Naturally it's behind a
firewall, only allowing incoming HTTP & HTTPS.
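
The probe pattern Mike describes (source port 5635, destination port 0, flags
SYN&FIN, FIN-only or NULL) and the hping invocations Joe suggests can be
checked against raw TCP headers. The Python below is an added example, not
code from either poster: it builds the minimal 20-byte TCP header that
`hping -k -s 5635 [-S] [-F]` would put on the wire, decodes the flag byte,
names the three combinations from the post, and groups hits per source host
so you can see which dial-up addresses have sent all three. The sample
packets and IP addresses are constructed for illustration; the checksum is
left zero because only ports and flags matter here.

```python
"""
Added example (not from the original thread): classify the TCP probes
described in the post -- src port 5635, dst port 0, flags SYN+FIN, FIN-only
or NULL -- from raw TCP header bytes of the kind hping emits, and group them
by source host. Sample packets below are constructed for illustration.
"""
import struct
from collections import defaultdict

# TCP flag bits, low six bits of the 14th header byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# The three flag combinations reported in the post. Anything else is "other".
PROBE_KINDS = {
    SYN | FIN: "SYN&FIN",
    FIN: "FIN",
    0: "NULL",
}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=512):
    """Minimal 20-byte TCP header, no options, checksum zero: roughly what
    `hping -k -s 5635 [-S] [-F]` sends (-s sets the source port, -k keeps it
    fixed instead of incrementing, destination port defaults to 0)."""
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)

def parse_tcp_header(raw):
    """Return (src_port, dst_port, flags) from the first 20 bytes of a TCP header."""
    src, dst, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    return src, dst, flags & 0x3F   # ignore ECN bits hping does not set

def classify_probe(raw):
    """Name the probe kind if the header matches the reported pattern
    (src 5635 -> dst 0); None for traffic that does not match at all."""
    src, dst, flags = parse_tcp_header(raw)
    if src != 5635 or dst != 0:
        return None
    return PROBE_KINDS.get(flags, "other")

def summarize(packets):
    """packets: iterable of (src_ip, raw_tcp_header).
    Returns {src_ip: set of probe kinds seen}, so a host that has sent all
    three combinations (and, per the post, is not expected back) stands out."""
    seen = defaultdict(set)
    for src_ip, raw in packets:
        kind = classify_probe(raw)
        if kind is not None:
            seen[src_ip].add(kind)
    return dict(seen)

# Constructed sample traffic (documentation-range addresses): one source that
# completes the triple, one partial, and an ordinary SYN to port 80 to ignore.
SAMPLE = [
    ("192.0.2.132", build_tcp_header(5635, 0, SYN | FIN)),
    ("192.0.2.132", build_tcp_header(5635, 0, FIN)),
    ("192.0.2.132", build_tcp_header(5635, 0, 0)),
    ("192.0.2.201", build_tcp_header(5635, 0, FIN)),
    ("198.51.100.7", build_tcp_header(40001, 80, SYN)),
]

if __name__ == "__main__":
    for ip, kinds in summarize(SAMPLE).items():
        complete = kinds == set(PROBE_KINDS.values())
        print(f"{ip}: {sorted(kinds)}{' (all three seen)' if complete else ''}")
```

Feeding real captures into `summarize` (for example the TCP header bytes
pulled out of a pcap) turns the post's observations into a per-source
checklist; a source that reappears after completing all three combinations,
or a flag byte that lands in "other", breaks the pattern and is worth a look.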


