[7204] in bugtraq
notes on Port scanning
daemon@ATHENA.MIT.EDU (Lloyd Vancil)
Thu Jul 9 16:10:57 1998
Date: Wed, 8 Jul 1998 16:06:51 -0700
Reply-To: Lloyd Vancil <lev@APPLE.COM>
From: Lloyd Vancil <lev@APPLE.COM>
To: BUGTRAQ@NETSPACE.ORG
Recently a spate of "portscanning attacks" has been attributed to various
high-traffic sites and servers on the net. Here is an observation.
Below is one of the "scanning packets". Specifically, in this case the
TCP part of the packet has been replaced in such a way that you might
mistake it for a port scanning attack. It would certainly trip TCP
filters. This particular packet began life as a legitimate email packet
in a stream between Apple's email server and the MIT email server. This
one packet in the stream was munged.
Specifically, the entire TCP part of the packet has been replaced by 78 FF
02 14 repeated over and over again. The TCP header, everything.
This made it look like weird things were happening.
The source port is 30975 = hex 78ff
The dest port is 532 = hex 214
The initial sequence number and acknowledgment number = 2029978132 = hex 78ff0214
The flags are set to ff
The checksum = 78ff
The urgent pointer is 532 = hex 214
You will notice the repeated pattern 78 FF 02 14
(the packet fragment is attached.)
We have determined that our equipment is not doing this and that it
occurs to a few packets in almost any stream. The pattern repeated is not
always 78ff0214. Because of filtering it was generating almost 65MB of
log files daily.
So, here's the question.
If you sniff packets and capture this type of activity, could you send
me a traceroute from your establishment to the system that is "apparently"
"portscanning" you? The object here is to analyze the path over which
this is occurring, to try to narrow down where it is happening.
Here is the traceroute for the path over which this particular packet
traveled.
 1  LL-HUB.LL.MIT.EDU (129.55.10.1)  3.515 ms  4.265 ms  2.523 ms
 2  lincoln-gw.near.net (129.55.15.2)  5.312 ms  5.129 ms  5.776 ms
 3  cambridge2-cr3.bbnplanet.net (199.95.64.177)  61.448 ms  106.771 ms  132.239 ms
 4  cambridge2-br2.bbnplanet.net (192.233.33.6)  23.658 ms  60.333 ms  10 ms
 5  cambridge1-br1.bbnplanet.net (4.0.1.201)  14.073 ms  7.509 ms  8.525 ms
 6  core10-hssi-1.SanFrancisco.mci.net (204.70.10.221)  13.952 ms  11.017 ms  19.617 ms
 7  bordercore2.WillowSprings.mci.net (166.48.22.1)  36.64 ms  32.246 ms  67.459 ms
 8  core2.Dallas.mci.net (204.70.4.69)  51.571 ms  50.028 ms  59.195 ms
 9  borderx1-fddi-1.Dallas.mci.net (204.70.114.52)  54.696 ms  56.805 ms  64.161 ms
10  diamond-net.Dallas.mci.net (204.70.114.106)  71.301 ms  67.505 ms  59.686 ms
11  APPLE-1.DllsTX.savvis.net (209.44.32.2)  316.68 ms  142.599 ms  250.019 ms
12  209.44.33.18 (209.44.33.18)  97.149 ms  90.555 ms  91.014 ms
13  tre.apple.com (205.180.175.29)  407.373 ms  337.825 ms  106.116 ms
14  mail-out2.apple.com (17.254.0.51)  107.062 ms  *  101.546 ms
The TCP part:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 30975
TCP: Destination port = 532 (Netnews)
TCP: Initial sequence number = 2029978132
TCP: Acknowledgment number = 2029978132
TCP: Data offset = 28 bytes
TCP: Flags = FF
TCP: ..1. .... = Urgent pointer
TCP: ...1 .... = Acknowledgment
TCP: .... 1... = Push
TCP: .... .1.. = Reset
TCP: .... ..1. = SYN
TCP: .... ...1 = FIN
TCP: Window = 532
TCP: Checksum = 78FF, should be E635
TCP: Urgent pointer = 532
TCP:
TCP: Options follow
TCP: Unknown option 120
TCP: 7 byte(s) of header padding
TCP: [504 byte(s) of data]
TCP:
ADDR HEX ASCII
0000 00 E0 14 7B 36 09 00 00 0C F8 17 49 08 00 45 00 ...{6......I..E.
0010 02 28 C2 35 00 00 2E 06 29 0B 11 FE 00 33 81 37 .(.5....)....3.7
0020 0C 28 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF .(x...x...x...x.
0030 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0040 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0050 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0060 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0070 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0080 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0090 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00A0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00B0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00C0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00D0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00E0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
00F0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0100 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0110 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0120 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0130 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0140 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0150 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0160 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0170 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0180 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0190 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01A0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01B0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01C0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01D0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01E0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
01F0 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0200 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0210 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0220 02 14 78 FF 02 14 78 FF 02 14 78 FF 02 14 78 FF ..x...x...x...x.
0230 02 14 78 FF 02 14 ..x...
lev@ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/ _/_/_/
searchmaster@ _/ _/ _/ _/ _/ _/ _/ _/
_/ _/ _/_/_/_/ _/_/_/_/ _/ _/_/_/ .com
_/_/_/_/ _/ _/ _/ _/
_/ _/ _/ _/ _/_/_/ _/_/_/
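The packet in the post above, decoded by an added example that is not part of the original message or of any tool the author used. The frame bytes are transcribed from the hex dump (Ethernet and IP header verbatim, TCP part as the 4-byte pattern repeated 133 times); the comparison SYN frame, the port and sequence numbers used for it, and the function names are constructed here. The point is the check a scan detector should make before calling this a scan: a TCP checksum that does not verify, a segment that is one short byte pattern repeated, and a flag byte with SYN, FIN and RST all set point at corruption in transit, not at a scanner.

```python
"""Decode the Bugtraq packet fragment and tell line corruption from a real scan."""
import struct

# Ethernet + IPv4 header exactly as printed in the dump (first 34 bytes).
ETH_IP = bytes.fromhex(
    "00e0147b3609" "00000cf81749" "0800"               # dst MAC, src MAC, IPv4
    "45000228c2350000" "2e06290b" "11fe0033" "81370c28"  # IHL 5, len 552, TTL 46, proto TCP,
)                                                         # cksum 290b, 17.254.0.51 -> 129.55.12.40
# The whole TCP part of the dump is 78 FF 02 14 repeated 133 times (532 bytes).
MUNGED_FRAME = ETH_IP + bytes.fromhex("78ff0214") * 133

FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071): 16-bit one's complement sum, odd byte zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Expected TCP checksum: pseudo-header plus the segment with its checksum field zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return ones_complement(pseudo + zeroed)


def repeating_period(data: bytes, max_period: int = 8):
    """Smallest p in 2..max_period such that data is a single p-byte pattern repeated, else None."""
    for p in range(2, max_period + 1):
        if len(data) >= 4 * p and data == (data[:p] * (len(data) // p + 1))[: len(data)]:
            return p
    return None


def decode(frame: bytes) -> dict:
    """Parse Ethernet/IPv4/TCP and record the fields the post's sniffer printed plus the checks."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = ip[12:16], ip[16:20]
    seg = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    flags = off_flags & 0x3F
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags >> i & 1],
        "window": win, "urg": urg,
        "ip_checksum_ok": ones_complement(ip[:ihl]) == 0,   # header incl. checksum sums to zero
        "tcp_checksum": csum,
        "tcp_checksum_expected": tcp_checksum(src, dst, seg),
        "period": repeating_period(seg),
    }


def classify(info: dict) -> str:
    """Corruption only looks like a scan if you stop reading at the port and flag fields."""
    flags = set(info["flags"])
    if info["tcp_checksum"] != info["tcp_checksum_expected"] or info["period"]:
        return "corrupted-segment"
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags or not flags:
        return "scan-like"      # flag combinations no conforming stack emits
    return "normal"


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, seq: int) -> bytes:
    """Constructed, well-formed SYN frame for comparison (not taken from the post)."""
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 8192, 0, 0)
    seg = seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement(ip)) + ip[12:]
    return ETH_IP[:14] + ip + seg


if __name__ == "__main__":
    syn = build_syn(bytes([17, 254, 0, 51]), bytes([129, 55, 12, 40]), 40000, 25, 1)
    for name, frame in (("munged", MUNGED_FRAME), ("syn", syn)):
        info = decode(frame)
        print(name, classify(info), {k: v for k, v in info.items() if k != "src"})
```

Run as a script it prints the same fields the sniffer decoded (ports 30975 and 532, sequence and acknowledgment 2029978132, data offset 28, all six flags, window and urgent pointer 532) and recomputes the TCP checksum from the pseudo-header, which comes out as the sniffer's "should be E635" while the IP header checksum 290B verifies, consistent with the IP layer being intact and only the TCP part overwritten. The constructed SYN passes both checksums, has no repeating pattern, and classifies as normal; a detector that alerts on port and flag fields alone cannot tell the two apart, which is how a munged mail packet ends up in a port-scan log.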