Security Incidents mailing list archives
OS Fingerprinting or best route determination?
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Thu, 8 Mar 2001 10:02:11 -0500
Hello,

Anyone have any idea what's going on here? To me it looks like OS Fingerprinting, minus the malformed packets. We have a SYN to an open port, an ACK to an open port, and a UDP packet to a closed port. I've seen this same combination (IP addresses, ports, timing) before, about 7 times in the last 3 weeks. 194.133.58.129 resolves to bestroute1-t.alcatel.fr, which leads me to believe it's an attempt to pinpoint a closest webserver or something like that, but isn't this a little too intrusive for that? Also, why the second address (212.208.74.129)? Some sort of triangulation?

03/08-06:07:36.621657  [**] IDS28 - PING NMAP TCP [**] 194.133.58.129:80 -> x.y.z.3:53
03/08-06:07:36.621916  [**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 194.133.58.129:53 -> x.y.z.3:53
03/08-06:07:36.724300  [**] IDS07 - MISC-Source Port Traffic 53 TCP [**] 212.208.74.129:53 -> x.y.z.3:53
03/08-06:07:36  UDP 194.133.58.129:55 -> x.y.z.3:37852  (Firewall log)

[**] IDS28 - PING NMAP TCP [**]
03/08-06:07:36.621657 194.133.58.129:80 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49468 IpLen:20 DgmLen:40
***A**** Seq: 0x251  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS07 - MISC-Source Port Traffic 53 TCP [**]
03/08-06:07:36.621916 194.133.58.129:53 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49469 IpLen:20 DgmLen:40
******S* Seq: 0x25312F43  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS07 - MISC-Source Port Traffic 53 TCP [**]
03/08-06:07:36.724300 212.208.74.129:53 -> x.y.z.3:53
TCP TTL:46 TOS:0x0 ID:49471 IpLen:20 DgmLen:40
******S* Seq: 0x253190EB  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

The players:

194.133.58.129 -- bestroute1-t.alcatel.fr
route:        194.133.58.0/24
descr:        Alcanet
origin:       AS2917
mnt-by:       OLEANE-NOC
changed:      hostmaster () oleane net 20000302
source:       RIPE

212.208.74.129 -- doesn't resolve
inetnum:      212.208.74.0 - 212.208.74.255
netname:      ALCANET-NET1
descr:        ALCANET INTERNATIONAL
country:      FR
source:       RIPE

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
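The probe pattern Gary describes (a bare ACK to an open port, a SYN to the same open port, and a UDP packet to a closed high port, all from the same AS within about 100 ms) is exactly the kind of thing that is easier to spot by correlating events than by reading single alerts. The script below is an added example, not part of the original post or its follow-ups: it parses Snort full-alert records and a firewall log line (constructed here to mirror the ones quoted in the post), labels each packet as one of the three probe kinds, and reports any destination that receives all three inside a short window, regardless of whether they came from one source address or two. The set of "open" ports (53) and the TTL-based hop estimate are assumptions supplied by the defender, not facts stated in the alerts.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Snort full-alert records and the firewall
# line quoted in the post (same addresses; x.y.z.3 is the post's anonymised
# target). Not a capture of real traffic.
SNORT_ALERTS = """\
[**] IDS28 - PING NMAP TCP [**]
03/08-06:07:36.621657 194.133.58.129:80 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49468 IpLen:20 DgmLen:40
***A**** Seq: 0x251  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS07 - MISC-Source Port Traffic 53 TCP [**]
03/08-06:07:36.621916 194.133.58.129:53 -> x.y.z.3:53
TCP TTL:48 TOS:0x0 ID:49469 IpLen:20 DgmLen:40
******S* Seq: 0x25312F43  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+
[**] IDS07 - MISC-Source Port Traffic 53 TCP [**]
03/08-06:07:36.724300 212.208.74.129:53 -> x.y.z.3:53
TCP TTL:46 TOS:0x0 ID:49471 IpLen:20 DgmLen:40
******S* Seq: 0x253190EB  Ack: 0x0  Win: 0x578  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+
"""
FIREWALL_LOG = "03/08-06:07:36 UDP 194.133.58.129:55 -> x.y.z.3:37852\n"

SNORT_SIG = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
SNORT_HDR = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
SNORT_IP = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) ")
SNORT_TCP = re.compile(r"^([*12UAPRSF]{8}) Seq:")   # Snort's 8-char flag field
FW_LINE = re.compile(r"^(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)")


def parse_ts(text):
    """Snort prints MM/DD-HH:MM:SS.usec; the firewall line has no usec."""
    for fmt in ("%m/%d-%H:%M:%S.%f", "%m/%d-%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp: " + text)


def parse_snort_full(text):
    """One event per record: signature line, header line, IP line, TCP line."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SNORT_SIG.match(line):
            cur = {"sig": m.group(1), "flags": "", "ttl": None}
            events.append(cur)
        elif cur is not None and (m := SNORT_HDR.match(line)):
            cur.update(ts=parse_ts(m.group(1)), src=m.group(2), sport=int(m.group(3)),
                       dst=m.group(4), dport=int(m.group(5)))
        elif cur is not None and (m := SNORT_IP.match(line)):
            cur.update(proto=m.group(1), ttl=int(m.group(2)))
        elif cur is not None and (m := SNORT_TCP.match(line)):
            cur["flags"] = m.group(1).replace("*", "")   # "***A****" -> "A"
    return events


def parse_firewall(text):
    """Firewall lines carry no flags or TTL, only proto and 5-tuple."""
    events = []
    for line in text.splitlines():
        if m := FW_LINE.match(line.strip()):
            events.append({"sig": "firewall", "ts": parse_ts(m.group(1)),
                           "proto": m.group(2), "src": m.group(3), "sport": int(m.group(4)),
                           "dst": m.group(5), "dport": int(m.group(6)),
                           "ttl": None, "flags": ""})
    return events


def classify(ev, open_ports):
    """Label a packet as one of the three probe kinds from the post, else None."""
    is_open = ev["dport"] in open_ports
    if ev["proto"] == "TCP" and ev["flags"] == "A" and is_open:
        return "ack_open"
    if ev["proto"] == "TCP" and ev["flags"] == "S" and is_open:
        return "syn_open"
    if ev["proto"] == "UDP" and not is_open:
        return "udp_closed"
    return None


def find_probe_sets(events, open_ports, window_s=2.0):
    """Per destination, slide a time window and report when all three kinds
    land inside it. Sources are collected, not required to match, because the
    post shows two cooperating addresses from the same network."""
    labelled = [(ev, classify(ev, open_ports)) for ev in sorted(events, key=lambda e: e["ts"])]
    by_dst = {}
    for ev, kind in labelled:
        if kind:
            by_dst.setdefault(ev["dst"], []).append((ev, kind))
    findings = []
    for dst, items in by_dst.items():
        i = 0
        while i < len(items):
            start = items[i][0]["ts"]
            cluster = [(e, k) for e, k in items[i:] if (e["ts"] - start).total_seconds() <= window_s]
            kinds = {k for _, k in cluster}
            if kinds >= {"ack_open", "syn_open", "udp_closed"}:
                findings.append({"dst": dst, "start": start, "kinds": sorted(kinds),
                                 "sources": sorted({e["src"] for e, _ in cluster}),
                                 "ttls": sorted({e["ttl"] for e, _ in cluster if e["ttl"] is not None})})
                i += len(cluster)   # cluster is a prefix of items[i:], so skip past it
            else:
                i += 1
    return findings


def estimate_hops(ttl):
    """Rough distance guess: assume the nearest common initial TTL (64/128/255)
    at or above the observed value. An assumption, not something the alert states."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def analyse(open_ports=frozenset({53})):
    """open_ports is the defender's inventory; 53 is assumed open as in the post."""
    events = parse_snort_full(SNORT_ALERTS) + parse_firewall(FIREWALL_LOG)
    return find_probe_sets(events, open_ports)


if __name__ == "__main__":
    for f in analyse():
        print(f["dst"], f["start"], f["kinds"], f["sources"],
              [(t, estimate_hops(t)) for t in f["ttls"]])
```

On the sample above the script reports one probe set against x.y.z.3 involving both 194.133.58.129 and 212.208.74.129, with TTLs 48 and 46 (about 16 and 18 hops away if both senders start at 64). Feeding it a day of real Snort full alerts plus the firewall's UDP drops is the quickest way to confirm the "about 7 times in 3 weeks" periodicity and to see whether the same pair of sources always appears together.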
Current thread:
- OS Fingerprinting or best route determination? Portnoy, Gary (Mar 08)
- <Possible follow-ups>
- Re: OS Fingerprinting or best route determination? Paul BOYER (Mar 23)
