Security Incidents mailing list archives

Re: client's TCP port 256 hammered by several hosts


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: 07 Nov 2003 19:27:13 -0500

On Fri, 2003-11-07 at 13:20, gerry wrote:
suddenly, one of our lan client (win2k novell client) machine's tcp port 256 is being flooded with packets from other 
lan pcs and our netware (5.1) server.
anyone have an idea what would cause this or, better yet, how to eliminate all the excess traffic.

Well that's a weird one. It's a little hard to follow your traces as you
hid your internal private addresses, but...

11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

So it's a Windows box on the same LAN as the client hitting TCP/256. The
only use for this port that I'm aware of is FW-1 (the port is registered
to some app called "RAP" but it appears the app has never actually been
used on the wire). FW-1 uses this port to sync its state tables. I think
we can rule this out as a possibility due to the second trace.

Also, source port of 2056 is kind of weird since the target is 256.
Could be a coincidence (would need to see more traces to see if it's
consistent), but a bit odd.

Note the size of the TCP header. There are 8 extra bytes of data. Might
be worth a full decode just to see what they are.

11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

I assume this is the client getting flooded? If so, it appears the
service is not offered which makes this even weirder.

So you have dissimilar operating systems transmitting to a closed port.
Sounds a bit odd. I almost wonder if it's not actually a single host
generating the traffic and the source IP (and possibly the MAC) is
spoofed.

Do you have a switch that you can reset interface statistics on and
verify that this traffic is in fact coming from the true source
addresses?

HTH,
C
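The decode the reply suggests, as an added example that is not part of the original thread: a small Python parser for the Snort-style records quoted above that separates TCP option bytes from application payload (TcpLen minus the 20-byte fixed header versus DgmLen minus both headers) and pairs each SYN with the RST/ACK that answers it, the closed-port signature. The two packet records are embedded as constructed input; the field and function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two Snort-style records quoted in the reply above.
TRACE = """\
11/04-08:31:14.843754 192.168.x.x:2056 -> 192.168.x.x:256
TCP TTL:128 TOS:0x0 ID:10634 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1E6E9152  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

11/04-08:31:14.843779 192.168.x.x:256 -> 192.168.x.x:2056
TCP TTL:128 TOS:0x0 ID:62405 IpLen:20 DgmLen:40
***A*R** Seq: 0x0  Ack: 0x1E6E9153  Win: 0x0  TcpLen: 20
"""

HDR = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IPH = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCP = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)"
                 r"\s+Win: \S+\s+TcpLen: (\d+)")

@dataclass
class Packet:
    ts: str; src: str; dst: str; flags: str
    seq: int; ack: int; ip_len: int; dgm_len: int; tcp_len: int; options: str

    def option_bytes(self):
        # Anything past the 20-byte fixed TCP header is options, not data.
        return self.tcp_len - 20

    def payload_bytes(self):
        # Application data is whatever remains after the IP and TCP headers.
        return self.dgm_len - self.ip_len - self.tcp_len

def parse_trace(text):
    pkts = []
    for rec in text.strip().split("\n\n"):
        ln = rec.splitlines()
        h, i, t = HDR.match(ln[0]), IPH.search(ln[1]), TCP.match(ln[2])
        opts = ln[3].split("=> ", 1)[1] if len(ln) > 3 else ""
        pkts.append(Packet(h[1], h[2], h[3], t[1], int(t[2], 16), int(t[3], 16),
                           int(i[1]), int(i[2]), int(t[4]), opts))
    return pkts

def closed_port_replies(pkts):
    # A SYN answered from its target by RST/ACK with Ack == Seq+1: port is closed.
    syns = [p for p in pkts if "S" in p.flags and "A" not in p.flags]
    rsts = [p for p in pkts if "R" in p.flags and "A" in p.flags]
    return [(s, r) for s in syns for r in rsts
            if r.src == s.dst and r.dst == s.src and r.ack == s.seq + 1]
```

Run over the two records, the SYN shows 8 option bytes and 0 payload bytes, and it is paired with the RST/ACK from port 256.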




