Window Size 55808 packets

Published: 2003-06-22
Last Updated: 2003-06-23 22:20:37 UTC
by Handlers (Version: 1)
0 comment(s)
For a month now, systems world wide are detecting an increase of packets
which have the TCP option "Window Size" set to 55808 bytes. The source IP
appears to be spoofed on all packets.

As part of a TCP connection, the receiver can advertise a "window size". The
sender will not wait for an 'ACK' until the window size is reached. As a
result, larger chunks of data can be transfered faster.

The larger the available bandwidth, or the larger the latency, the larger the
window size one should chose. The largest possible window size is 65535 bytes.
A window size as large as 58808 bytes is only useful on a very high bandwidth,
or a high latency connection [1].

So far, it is not clear what purpose these packets have. A tool was found which
appears to send packets with a window size of 58808 bytes[2] . Its intent
appears to be distributed scanning. The idea is to send packets with random
source IPs to random hosts. The replies (if any) would be detected by another
host infected with identical malware. The detector would identify the packet
by its odd window size.

However, if this is the intent of the code, it is not performing this function
very well. We found that a particular target is only hit at a given single port.
The distribution of target ports does not show a bias to frequently used ports.

The data available to the Internet Storm Center does usually not include TCP
options. However, some submitters sent more details. About 3% of the data
submitted with with window size information had a window size of 58808 bytes.

The number of packets increases exponentially, indicating some kind of
propagation mechanism.

Graph #1: Number of packets intercepted each day

http://isc.sans.org/diaryimages/win58808bydate.png

The TTL distribution implies an initial TTL of 128, which is typical for
Windows systems. The code analyzed by Intrusec was captured on a Linux system.
But default TTLs are easily adjusted and the analysis points out that the code
could be ported to Windows.

Graph #2: TTL distribution

http://isc.sans.org/diaryimages/ttlvalues.png

Graph #3: Number of target IPs and presumable spoofed source IPs per day

http://isc.sans.org/diaryimages/sourcestargets.png

[1] W. Richard Stevens, TCP/IP Illustrated, pages 282ff

[2] http://www.intrusec.com/55808.html
[3] http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441
Keywords:
0 comment(s)

Comments


Diary Archives