[127409] in North American Network Operators' Group


Re: Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on

daemon@ATHENA.MIT.EDU (John Kristoff)
Sun Jun 27 22:32:57 2010

Date: Sun, 27 Jun 2010 21:32:41 -0500
From: John Kristoff <jtk@cymru.com>
To: khatfield@socllc.net
In-Reply-To: <1277673771.085423881@192.168.2.228>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sun, 27 Jun 2010 17:22:51 -0400 (EDT)
khatfield@socllc.net wrote:

> Here is an example report we received from AT&T:
> 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
> (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26)
> (USI-amsxaid01) 04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP]
> (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09)
> (USI-amsxaid01) 04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP]

This looks like the trademark signature of back scatter as a result of
someone using the juno.c or derivative code to SYN flood a host.  You
are most likely getting this traffic from a host that is getting
attacked.  In the juno.c code you'll see this:

     syn->sport           = htons(1024 + (random() & 2048));

A random number is ANDed against 2048, the result is then added to
1024.  What will be added is always either 0 or 2048, because 2048 has
only one bit set.  1024 + 2048 = 3072.  Therefore, syn->sport will only
ever equal 1024 or 3072.  Or in your case, it shows up as the dport on
the way back.

John
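As an added illustration of the port arithmetic and of how a defender might triage such sweep reports (this is example code written for this archive page, not code from juno.c, from AT&T's sensor, or from either poster): the first part enumerates the 1024 + (random() & 2048) expression and confirms only two values ever come out; the second part parses TCP-SWEEP lines in the layout quoted above and flags sweeps whose destination port is one of those two values as probable SYN-flood backscatter rather than a scan. The report grammar is inferred from the three quoted lines only; the sample lines below are constructed with RFC 5737 documentation addresses and a made-up sensor name.

```python
import re
from collections import Counter

# juno.c's source-port expression as quoted in the message.  Because 2048
# (0x800) has a single bit set, (random() & 2048) is either 0 or 2048, so
# the result is always 1024 or 3072 no matter what random() returns.
def juno_source_port(r: int) -> int:
    return 1024 + (r & 2048)

def juno_port_set(sample_count: int = 1 << 13) -> set:
    """Exhaust the low 13 bits of random(); higher bits cannot change the AND."""
    return {juno_source_port(r) for r in range(sample_count)}

# The two ports above, seen as dport on the SYN-ACK/RST coming back from
# the flooded victim to the spoofed addresses.
BACKSCATTER_PORTS = frozenset(juno_port_set())

# TCP-SWEEP record layout inferred from the quoted AT&T report (assumption):
#   HH:MM:SS <src> <dst> [TCP-SWEEP] (total=N,dp=P,min=A,max=B,first,last) (sensor)
SWEEP_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\[TCP-SWEEP\]\s*"
    r"\(total=(?P<total>\d+),dp=(?P<dp>\d+),min=(?P<min>[^,]+),max=(?P<max>[^,]+),"
    r"(?P<first>[^,]+),(?P<last>[^)]+)\)"
    r"(?:\s*\((?P<sensor>[^)]+)\))?"
)

# Constructed sample report: documentation addresses, hypothetical sensor id.
SAMPLE_REPORT = """\
04:29:27 192.0.2.10 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=198.51.100.6,max=198.51.100.127,Jun27-04:21:01,Jun27-04:29:26) (sensor-01)
04:29:27 192.0.2.10 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=198.51.100.1,max=198.51.100.118,Jun27-04:21:15,Jun27-04:29:09) (sensor-01)
04:36:44 192.0.2.10 0.0.0.0 [TCP-SWEEP] (total=40,dp=445,min=198.51.100.1,max=198.51.100.254,Jun27-04:30:00,Jun27-04:36:40) (sensor-01)
"""

def parse_sweep(line: str):
    """Return a dict for one TCP-SWEEP line, or None if the line does not match."""
    m = SWEEP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["total"] = int(rec["total"])
    rec["dp"] = int(rec["dp"])
    return rec

def parse_report(text: str) -> list:
    """Parse every matching line of a multi-line report, skipping the rest."""
    return [r for r in (parse_sweep(l) for l in text.splitlines()) if r]

def classify(rec: dict) -> str:
    # dport 1024 or 3072 across many of our addresses is the fingerprint John
    # describes: the flagged 'source' is itself a SYN-flood victim answering
    # SYNs whose spoofed source addresses fell in our space.
    if rec["dp"] in BACKSCATTER_PORTS:
        return "backscatter"
    return "sweep"

def summarize(records: list) -> Counter:
    """Count records per classification, for a quick read of a whole report."""
    return Counter(classify(r) for r in records)

if __name__ == "__main__":
    print("juno.c source ports:", sorted(juno_port_set()))
    for rec in parse_report(SAMPLE_REPORT):
        print(rec["time"], rec["src"], "dp=%d" % rec["dp"], "->", classify(rec))
    print(summarize(parse_report(SAMPLE_REPORT)))
```

The classification is a triage hint, not proof: a real scanner could pick 1024 or 3072 as well, so the strongest signal is the combination John points at, only those two ports ever appearing and the "sweep" being spread over a range of your addresses that nobody would have reason to probe in that order.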

