Security Incidents mailing list archives

Decoy scan?


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Tue, 12 Jun 2001 12:41:43 -0400

Greetings,

This is a somewhat lengthy post, so consider this a warning.  There is also
a question: Any idea which tool was used?

This morning 06/12/01, at around 02:26, Snort detected a portscan for port
21.  All in all, 82 packets from 3 different hosts: 
41 from 64.31.26.240 (11 unique hosts)
21 from 64.40.70.66 (13 unique hosts)
20 from 64.183.112.195 (5 unique hosts) * wasn't caught by portscan
preprocessor.

Sample packets for those interested:

06/12-02:26:04.645533 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
64.31.26.240:54688 -> MY.NET.165.15:21 TCP TTL:108 TOS:0x0 ID:62229 IpLen:20
DgmLen:48 DF
******S* Seq: 0x1D73AE11  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:03.541607 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x4A
64.40.70.66:2660 -> MY.NET.165.55:21 TCP TTL:45 TOS:0x0 ID:25297 IpLen:20
DgmLen:60 DF
******S* Seq: 0xAE74A16  Ack: 0x0  Win: 0x2000  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1165073 0 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:04.687238 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.183.112.195:3369 -> MY.NET.165.3:21 TCP TTL:107 TOS:0x0 ID:44205 IpLen:20
DgmLen:44 DF
******S* Seq: 0x33FBBD2  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Notice that the TCP Options are different.  Also note that the TTLs are the
same... Looks like different OSes. But I was considering crafted packets.

My interest was piqued...  
Trying to figure out the real TTL to/from these hosts:

64.31.26.240 > 12.27.165.62: icmp: echo reply (ttl 236, id 104) TTL:108 from
the scan
64.40.70.66 > 12.27.165.62: icmp: echo reply (ttl 236, id 17922)  TTL:45
from the scan 
64.183.112.195 > 12.27.165.62: icmp: echo reply (ttl 107, id 53169) TTL:107
from the scan

So, the only source that matches the TTL that I got was 64.183.112.195.  I
also decided to nmap -O them just for the heck of it.  Since one of the tests
nmap does involves sending TCP options, I was very interested to see the
results...

64.31.26.240 Class=trivial time dependency.  Looks like windows to me...
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)  Only the MSS was set...
Doesn't match the packet in the scan with MSS and Sack...  Looks like this
one was crafted...

64.40.70.66 Class=random positive increments.  
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=MNWNNT)  Matches the options in
the scan packets..

64.183.112.195 Class=random positive increments.
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) Matches the options in the
scan packets..

So, based on the evidence: Only 1 TTL matches that of the packet in the
scan, and that same packet matches the TCP options returned by nmap, which leads
me to believe that 64.183.112.195 is the originator of the scan, the other two
hosts being decoys.  More corroborating evidence: 64.183.112.195 only
scanned 5 unique hosts and wasn't picked up by snort's portscan
preprocessor.  Maybe they were trying to stay under the radar...

Did I overlook anything?  Any ideas what tool can generate decoy packets
with different options/TTLs, etc?  

Thanks
-Gary- 

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C
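The TTL and TCP-option comparison the post walks through, as an added example that is not part of the original message or of any tool it mentions: a small script that parses the three Snort packet dumps quoted above, collapses each packet's TCP options into the single-letter form nmap prints in its Ops= field, and checks both the TTL and the options against a baseline built from the echo-reply TTLs and nmap T1 lines in the post. It goes one step further than the post by also estimating the hop distance behind each TTL (assuming the usual initial values 32/64/128/255), so a decoy whose raw TTL differs but whose hop count is plausible still stands out on its options. The baseline table and the sample dump are constructed from the figures in the post.

```python
import re

# Constructed sample: the three Snort packet dumps quoted in the post.
SNORT_DUMP = """\
06/12-02:26:04.645533 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3E
64.31.26.240:54688 -> MY.NET.165.15:21 TCP TTL:108 TOS:0x0 ID:62229 IpLen:20
DgmLen:48 DF
******S* Seq: 0x1D73AE11  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:03.541607 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x4A
64.40.70.66:2660 -> MY.NET.165.55:21 TCP TTL:45 TOS:0x0 ID:25297 IpLen:20
DgmLen:60 DF
******S* Seq: 0xAE74A16  Ack: 0x0  Win: 0x2000  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 0 NOP NOP TS: 1165073 0
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

06/12-02:26:04.687238 0:2:4B:BC:B9:E0 -> 8:0:20:B8:F2:36 type:0x800 len:0x3C
64.183.112.195:3369 -> MY.NET.165.3:21 TCP TTL:107 TOS:0x0 ID:44205 IpLen:20
DgmLen:44 DF
******S* Seq: 0x33FBBD2  Ack: 0x0  Win: 0x2000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# Constructed baseline from the post: the TTL each host's echo reply arrived
# with, and the Ops= field of its nmap T1 response.
BASELINE = {
    "64.31.26.240":   {"reply_ttl": 236, "fp_ops": "M"},
    "64.40.70.66":    {"reply_ttl": 236, "fp_ops": "MNWNNT"},
    "64.183.112.195": {"reply_ttl": 107, "fp_ops": "M"},
}

HEADER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\S+):(\d+) TCP TTL:(\d+)")
OPTIONS_RE = re.compile(r"TCP Options \(\d+\) => (.*)")
# Snort option names -> the single-letter codes nmap uses in its Ops= field.
OPTION_CODES = {"MSS": "M", "NOP": "N", "WS": "W", "SackOK": "S", "TS": "T"}


def ops_signature(options_text):
    """Collapse 'MSS: 1460 NOP WS: 0 NOP NOP TS: 1165073 0' into 'MNWNNT'."""
    names = re.findall(r"\b(MSS|NOP|WS|SackOK|TS)\b", options_text)
    return "".join(OPTION_CODES[n] for n in names)


def parse_snort_dump(text):
    """Split a Snort packet log on its =+=+ separator lines and pull out
    source, destination, destination port, IP TTL and the option signature."""
    packets = []
    for chunk in re.split(r"^=\+.*$", text, flags=re.MULTILINE):
        header = HEADER_RE.search(chunk)
        if not header:
            continue
        opts = OPTIONS_RE.search(chunk)
        packets.append({
            "src": header.group(1),
            "dst": header.group(2),
            "dport": int(header.group(3)),
            "ttl": int(header.group(4)),
            "ops": ops_signature(opts.group(1)) if opts else "",
        })
    return packets


def estimate_hops(ttl):
    """Guess the initial TTL (32/64/128/255) and the hop count behind an
    observed TTL; an assumption about common initial values, not a fact."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def rank_sources(packets, baseline):
    """Compare each scan packet with the baseline for its source address and
    flag the source whose TTL and options both agree with how it answers us."""
    report = []
    for pkt in packets:
        base = baseline.get(pkt["src"])
        if base is None:
            report.append({"src": pkt["src"], "verdict": "no baseline"})
            continue
        ttl_match = pkt["ttl"] == base["reply_ttl"]
        ops_match = pkt["ops"] == base["fp_ops"]
        _, hops_scan = estimate_hops(pkt["ttl"])
        _, hops_reply = estimate_hops(base["reply_ttl"])
        report.append({
            "src": pkt["src"],
            "scan_ttl": pkt["ttl"], "reply_ttl": base["reply_ttl"],
            "ttl_match": ttl_match,
            "scan_ops": pkt["ops"], "fp_ops": base["fp_ops"],
            "ops_match": ops_match,
            "hops_scan": hops_scan, "hops_reply": hops_reply,
            "verdict": "likely originator" if ttl_match and ops_match else "likely decoy",
        })
    return report


if __name__ == "__main__":
    for row in rank_sources(parse_snort_dump(SNORT_DUMP), BASELINE):
        print(row)
```

On the figures from the post, only 64.183.112.195 matches on both TTL and options. The hop-distance column shows why the options check matters: 64.40.70.66's scan TTL of 45 and its echo-reply TTL of 236 both work out to 19 hops under the initial-TTL assumption, so on hop count alone it would look consistent, while its options still agree with the nmap fingerprint; 64.31.26.240's scan packet carries SackOK that its own stack never sends.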

