[127405] in North American Network Operators' Group


Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on

daemon@ATHENA.MIT.EDU (Matt Hite)
Sun Jun 27 17:37:05 2010

In-Reply-To: <1277673771.085423881@192.168.2.228>
Date: Sun, 27 Jun 2010 14:36:40 -0700
From: Matt Hite <lists@beatmixed.com>
To: khatfield@socllc.net
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi Kevin,

Someone may want to throw RST traffic your way by spoofing their own
source (as you) and machine gunning TCP ACK or SYN packets to Internet
hosts such as this AT&T customer. Just a nice way of throwing traffic
at you in a fairly undetectable manner.

Just a guess,

-M

On Sun, Jun 27, 2010 at 2:22 PM, <khatfield@socllc.net> wrote:
> Folks,
> We have a strange situation occurring lately where we are getting some
> reports of TCP Sweeps from one of our IP's, yet the IP is one of many
> specifically configured for inbound traffic and do not emit outbound
> traffic unless for response. Specifically, these are ddos mitigation
> IP's so they are attacked fairly frequently. With this in mind, the last
> few days one of the IP's being reported has been under constant attack.
>
> Here is an example report we received from AT&T:
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
> 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
> 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01)
> 04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01)
> 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01)
> 04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01)
> ------------------------
> Report from DK*CERT:
> If nothing else mentioned below, timezone is believed to be UTC+0200 (CEST)
> Destination address(es): Addresses in the networks 130.225.16.0/22 and 130.225.2.128/25
>
> Security logs:
> #Jun 27 18:13:40 2010 .. Jun 27 18:58:13 2010
> # Scan from x.x.x.x affecting at least
> # 81 addresses targeting TCP:1024, TCP:3072.
> #
> ------------------------
> I have removed our IP and replaced it with x.x.x.x. To be a bit more
> clear, this is a reverse-proxy IP address. This IP is in a NAT type
> configuration where it is sent back to filtering clusters. No outbound
> traffic is configured on these IP's except where requests / responses
> flow through it.
>
> I know a year or two ago there was a bug in Cisco IOS that would report
> a sweep when extreme packet load occurred or a burst hit. At the time of
> this report we saw an attack burst to around 310,000 PPS on this IP
> (inbound). Is it simply likely the networks reporting have several IP's
> being used in the attack and that is what they are seeing? That's what
> we originally thought but the port scans throw that theory off... Our
> security team has gone through all PCAPs during the mentioned time
> frames and we are not showing any sort of outbound scan traffic.
>
> Any ideas why this would be showing as a sweep? Our IDS systems do not
> scan requesting IP's originating systems. Any help is appreciated, we're
> simply trying to get to the bottom of the reports.
>
> Kevin
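Matt's spoofed-source explanation can be tested from Kevin's own PCAPs rather than argued about: if a third party is sending SYNs with x.x.x.x as the source address to hosts in 212.1.0.0/16, the reporting network sees a sweep of port 1024/3072 "from" x.x.x.x, while Kevin's edge sees the reflections of that sweep as SYN-ACKs and RSTs arriving from many hosts with source port 1024/3072, for which no outbound SYN ever left his network. The script below is an added example written for this page, not code from the thread or from either operator. It parses the AT&T TCP-SWEEP lines in the format quoted above, then cross-checks each reported port against a packet log. The flow records, the `Flow` field layout, and the address 192.0.2.10 (standing in for the redacted x.x.x.x) are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Line format copied from the AT&T TCP-SWEEP report quoted in the thread.
SWEEP_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) \[TCP-SWEEP\] "
    r"\(total=(?P<total>\d+),dp=(?P<dp>\d+),min=(?P<lo>[\d.]+),max=(?P<hi>[\d.]+),"
    r"(?P<start>[^,]+),(?P<end>[^)]+)\) \((?P<sensor>[^)]+)\)"
)

@dataclass(frozen=True)
class SweepReport:
    time: str      # local time the sensor raised the alert
    src: str       # address accused of sweeping (x.x.x.x in the thread)
    total: int     # number of destination hosts seen
    dp: int        # destination port on the reporting network's hosts
    lo: str        # lowest destination address seen
    hi: str        # highest destination address seen
    start: str     # first packet time, e.g. Jun27-04:21:01
    end: str       # last packet time
    sensor: str    # sensor name from the trailing parentheses

def parse_sweep_reports(text: str) -> List[SweepReport]:
    """Parse every TCP-SWEEP line in a pasted report; quote prefixes and other lines are skipped."""
    reports = []
    for line in text.splitlines():
        m = SWEEP_RE.search(line.lstrip("> "))
        if m:
            reports.append(SweepReport(m["time"], m["src"], int(m["total"]), int(m["dp"]),
                                       m["lo"], m["hi"], m["start"], m["end"], m["sensor"]))
    return reports

@dataclass(frozen=True)
class Flow:
    """One packet summary as an edge sensor might export (constructed shape, not a real format)."""
    ts: int        # seconds; only the ordering matters here
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # tcpdump-style: S, SA, A, R, RA

def unsolicited_replies(flows: List[Flow], our_ip: str) -> Dict[int, Set[str]]:
    """Map remote port -> remote hosts that sent us a SYN-ACK or RST we never asked for.

    A reply is solicited only if an earlier outbound SYN from our_ip went to that
    remote host:port. Anything else is a host answering packets that carried our
    address as a forged source, i.e. backscatter of someone else's scan.
    """
    sent_syn = set()
    hits: Dict[int, Set[str]] = defaultdict(set)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src == our_ip and f.flags == "S":
            sent_syn.add((f.dst, f.dport))
        elif f.dst == our_ip and f.flags in ("SA", "R", "RA"):
            if (f.src, f.sport) not in sent_syn:
                hits[f.sport].add(f.src)
    return dict(hits)

def correlate(reports: List[SweepReport], flows: List[Flow], our_ip: str) -> Dict[int, Dict[str, int]]:
    """Per reported port: how many SYNs we really sent to it, and how many hosts answered us unasked.

    outbound_syns == 0 with a large unsolicited_reply_hosts is the footprint a
    spoofed-source sweep leaves at the accused network's edge.
    """
    hits = unsolicited_replies(flows, our_ip)
    result = {}
    for r in reports:
        outbound = sum(1 for f in flows if f.src == our_ip and f.flags == "S" and f.dport == r.dp)
        result[r.dp] = {"outbound_syns": outbound, "unsolicited_reply_hosts": len(hits.get(r.dp, set()))}
    return result

# Two of the AT&T lines quoted in the mail, pasted with their "> " quote prefix.
REPORT_TEXT = """\
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
> ------------------------
"""

OUR_IP = "192.0.2.10"  # constructed stand-in for the redacted x.x.x.x

# Constructed flow log: one connection we opened ourselves, three reflected replies on the
# reported ports, one bare ACK from the inbound flood and one ordinary inbound SYN.
SAMPLE_FLOWS = [
    Flow(1, OUR_IP, 40001, "198.51.100.7", 443, "S"),
    Flow(2, "198.51.100.7", 443, OUR_IP, 40001, "SA"),    # solicited: we sent the SYN above
    Flow(10, "212.1.185.6", 1024, OUR_IP, 52344, "SA"),   # open port answering a SYN we never sent
    Flow(11, "212.1.186.9", 1024, OUR_IP, 52345, "RA"),   # closed port answering the same way
    Flow(12, "212.1.189.1", 3072, OUR_IP, 52346, "SA"),
    Flow(13, "212.1.190.2", 1024, OUR_IP, 80, "A"),       # flood packet, not a reply to anything
    Flow(14, "203.0.113.5", 5555, OUR_IP, 80, "S"),       # someone connecting to us normally
]

if __name__ == "__main__":
    for port, summary in correlate(parse_sweep_reports(REPORT_TEXT), SAMPLE_FLOWS, OUR_IP).items():
        print(port, summary)
```

On real data the `Flow` list would come from the PCAPs Kevin's team already has; the useful output is the pairing of zero outbound SYNs to the reported port with many distinct hosts replying on it, which is exactly what a trace that "shows no outbound scan traffic" would still contain if Matt's guess is right.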

