Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Excellent! Thanks John. We have seen this sort of signature before but we couldn't find the reference source in our library. I don't believe this is one we had. Thanks!

Kevin

------Original Message------
From: John Kristoff
To: Kevin Hatfield
Cc: nanog@nanog.org
Subject: Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system
Sent: Jun 27, 2010 9:32 PM

On Sun, 27 Jun 2010 17:22:51 -0400 (EDT) khatfield@socllc.net wrote:
> Here is an example report we received from AT&T:
>
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
> 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]
This looks like the trademark signature of backscatter as a result of someone using the juno.c or derivative code to SYN flood a host. You are most likely getting this traffic from a host that is getting attacked.

In the juno.c code you'll see this:

    syn->sport = htons(1024 + (random() & 2048));

A random number is ANDed against 2048, the result is then added to 1024. What will be added is always either 0 or 2048, because 2048 has only one bit set. 1024 + 2048 = 3072. Therefore, syn->sport will only ever equal 1024 or 3072. Or in your case, it shows up as the dport on the way back.

John
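An added example (not from John's message or anyone on the thread): the two-port check he describes, applied to constructed alert lines in the AT&T TCP-SWEEP format quoted above. The documentation-range addresses, the third non-matching alert, and the helper names are all my own assumptions.

```python
import re

# Constructed sample alerts in the AT&T TCP-SWEEP format quoted in the thread
# (documentation-range addresses).  src is the host sweeping "our" range, so
# the juno.c source port shows up here as dp, as John describes.
SAMPLE_ALERTS = """\
04:29:27 192.0.2.10 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=203.0.113.6,max=203.0.113.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 192.0.2.10 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=203.0.113.1,max=203.0.113.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 198.51.100.7 0.0.0.0 [TCP-SWEEP] (total=40,dp=445,min=203.0.113.1,max=203.0.113.254,Jun27-04:30:00,Jun27-04:36:40) (USI-amsxaid01)
"""

ALERT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) \[TCP-SWEEP\] "
    r"\(total=(?P<total>\d+),dp=(?P<dp>\d+),min=(?P<min>[^,]+),max=(?P<max>[^,]+),"
    r"(?P<first>[^,]+),(?P<last>[^)]+)\) \((?P<sensor>[^)]+)\)$"
)

def juno_source_ports():
    """Every value 1024 + (random() & 2048) can take.  Only bit 11 of the
    random value survives the mask, so 0..4095 covers all cases."""
    return {1024 + (r & 2048) for r in range(1 << 12)}

JUNO_PORTS = juno_source_ports()  # {1024, 3072}

def parse_alert(line):
    """Parse one TCP-SWEEP line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["total"], rec["dp"] = int(rec["total"]), int(rec["dp"])
    return rec

def classify_sweeps(text):
    """Split alerts into (likely juno.c backscatter, everything else).
    dp of 1024 or 3072 matches the replies a SYN-flood victim sends back to
    the spoofed source addresses; any other dp needs ordinary scan triage."""
    backscatter, other = [], []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is not None:
            (backscatter if rec["dp"] in JUNO_PORTS else other).append(rec)
    return backscatter, other

def suspected_victims(text):
    """Source addresses of the backscatter alerts: the hosts being flooded."""
    return sorted({rec["src"] for rec in classify_sweeps(text)[0]})
```

The victim list is what you would hand to the upstream or the victim's operator; the "other" bucket is where real inbound scans against your range would land.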