Spoofed packets with Window Size 6667: Anybody else seeing this?
Thanks to Tim for providing some packet captures. Anybody else seeing "weird" TCP packets? In particular we are interested if you see them OUTBOUND. We are looking for the likely broken tool that may generate these packets.
Some of the packet properties:
- Packet size of 60 bytes (IP Headers + TCP)
- Protocol is always TCP
- various TOS values
- various (random?) IP IDs, but repeating for the same source IP
- various TTLs (possible that packets from different IPs actually originate from different hosts)
- DF flag is set
- some source IPs are clearly "odd", e.g. multicast source IPs like 255.127.0.0
- TCP source and dest port is 0
- Sequence numbers sometimes repeat even if source IPs change (argument for likely spoofed sources)
- overall malformed TCP headers (e.g. header size < 20, various bad flag combinations).
- Window size of 6667 (maybe this was supposed to be the source or dest. port?)
- The packets arrive at relatively high rate (couple packets/sec with breaks... )
Quick tshark output of a sample with obfuscated target IP:
85.133.23.50 -> x.y.z.14 TCP 74 [TCP Retransmission] 0 > 0 [SYN, RST, ACK, URG, ECN, CWR, NS, Reserved] Seq=0 Ack=1 Win=6667 Urg=0 Len=0
85.133.23.50 -> x.y.z.14 TCP 74 [TCP Retransmission] 0 > 0 [SYN, RST, ACK, URG, ECN, CWR, NS, Reserved] Seq=0 Ack=1 Win=6667 Urg=0 Len=0
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0 > 0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0 > 0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0 > 0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0 > 0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.95.30.185 -> x.y.z.24 TCP 74 0 > 0 [FIN, PSH, ACK, URG, ECN, Reserved] Seq=1 Ack=1 Win=6667, bogus TCP header length (0, must be at least 20)
137.118.96.23 -> x.y.z.70 TCP 74 0 > 0 [FIN, SYN, RST, PSH, URG, ECN, CWR, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)
Internet Protocol Version 4, Src: 137.118.96.23 (137.118.96.23), Dst: x.y.z.70 (x.y.z.70)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 60
Identification: 0xa2c7 (41671)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 49
Protocol: TCP (6)
Header checksum: 0x0cde [validation disabled]
[Good: False]
[Bad: False]
Source: 137.118.96.23 (137.118.96.23)
Destination: x.y.z.70
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 0
Source Port: 0 (0)
Destination Port: 0 (0)
[Stream index: 872]
[TCP Segment Len: 28]
Sequence number: 0 (relative sequence number)
Header Length: 12 bytes (bogus, must be at least 20)
09:16:46.687528 IP 137.118.96.23.0 > x.y.z.70.0: tcp 28 [bad hdr length 12 - too short, < 20]
0x0000: 4510 003c a2c7 4000 3106 0cde 8976 6017 E..<..@.1....v`.
0x0010: xxyy zz46 0000 0000 c0f1 59ce 0000 0000 .3.F......Y.....
0x0020: 3bef 1a0b ff7f 0000 6cf6 2346 0000 0000 ;.......l.#F....
0x0030: 0000 0000 0000 0000 a002 7d78                 ..........}x
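As an added example (not part of the diary or of Tim's captures), a small stdlib-only Python checker for the traits listed above, run over the raw bytes of the tcpdump hex dump just shown. The obfuscated destination (xxyy zz46) is replaced with the constructed address 10.0.0.70, and a constructed well-formed SYN is included for contrast; both samples and the function names are assumptions of this example.

```python
import struct

# Sample packet: the 60-byte IP+TCP packet from the tcpdump hex dump above, with the
# obfuscated destination (xxyy zz46) replaced by the constructed address 10.0.0.70.
SAMPLE_WIN6667 = bytes.fromhex(
    "4510003ca2c74000" "31060cde" "89766017" "0a000046"        # IPv4: len 60, DF, TTL 49
    "00000000" "c0f159ce" "00000000" "3bef" "1a0b" "ff7f0000"  # TCP: ports 0/0, offset 3, Win 6667
    "6cf623460000000000000000" "00000000a0027d78"             # trailing 20 bytes
)

# Constructed, well-formed SYN (10.0.0.5:40000 -> 10.0.0.70:443, MSS option) for contrast.
SAMPLE_NORMAL_SYN = bytes.fromhex(
    "4500002c00014000" "40060000" "0a000005" "0a000046"
    "9c4001bb" "00000001" "00000000" "6002" "1000" "00000000" "02040578"
)

def check_win6667(raw: bytes) -> list[str]:
    """Return the Win=6667 traits seen in one raw IPv4/TCP packet (no link layer)."""
    findings = []
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return ["not IPv4/TCP"]
    ihl = (raw[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", raw[2:8])
    if total_len == 60:
        findings.append("total length 60")
    if frag & 0x4000:
        findings.append("DF set")
    if raw[12] >= 224:                       # multicast/reserved first octet is never a real source
        findings.append("bogus source " + ".".join(str(b) for b in raw[12:16]))
    tcp = raw[ihl:]
    if len(tcp) < 20:
        return findings + ["truncated TCP header"]
    sport, dport, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    if sport == 0 and dport == 0:
        findings.append("ports 0/0")
    if win == 6667:
        findings.append("window 6667")
    data_off = (off_flags >> 12) * 4
    if data_off < 20:
        findings.append(f"bogus header length {data_off}")
    if off_flags & 0x0E00:                   # bits between data offset and NS must be zero
        findings.append("reserved bits set")
    if off_flags & 0x02 and off_flags & 0x04:  # SYN and RST together never occur legitimately
        findings.append("SYN+RST")
    return findings

def is_win6667_probe(raw: bytes) -> bool:
    # Match only the signature pair the diary singles out: ports 0/0 and Win=6667.
    f = check_win6667(raw)
    return "ports 0/0" in f and "window 6667" in f
```

The same two-field signature as a tcpdump capture filter is `tcp[0:4] = 0 and tcp[14:2] = 6667`, which still matches when the data offset is bogus because the port and window offsets are fixed from the start of the TCP header.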
Comments
Anonymous
Oct 7th 2014
9 years ago
We saw these packets also in the last 24h at our IPS. If you like I can upload some captures. They stopped as quickly as they started.
cheers
Niko
Anonymous
Oct 7th 2014
9 years ago
We saw the same, appreciate if you can share some captures. Did anybody find out what was the root cause or what triggered it?
Thanks
Riz
Anonymous
Oct 8th 2014
9 years ago
Anonymous
Oct 8th 2014
9 years ago
Please send them to me.
Regards,
Will
Anonymous
Oct 9th 2014
9 years ago
What kind of gateways are you running?
I have heard some rumblings that these packets have affected some Dlink SOHO gear and one Cisco Enterprise device. I don't have any concrete data to back that up yet though.
If you don't feel comfortable with putting it out there, and are willing to share, please contact me on rwanner@isc.sans.edu.
Thanks!
Rick
Anonymous
Oct 10th 2014
9 years ago
//Jan
Anonymous
Oct 12th 2014
9 years ago
A couple of packets are shown below... changed src/dst IPs...
No. Time Source Destination Protocol Length Info
25 0.000198 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [RST, PSH, CWR, Reserved] Seq=1540996429 Win=6667[Malformed Packet]
Frame 25: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 2]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 44 bytes
Flags: 0x68c (RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]
No. Time Source Destination Protocol Length Info
26 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, URG, ECN, Reserved] Seq=1540996429 Win=6667 Urg=0[Malformed Packet]
Frame 26: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 60 bytes
Flags: 0xe62 (SYN, URG, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
Urgent pointer: 0
[Malformed Packet: TCP]
No. Time Source Destination Protocol Length Info
27 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, RST, ACK, ECN, Reserved] Seq=3237042638 Ack=0 Win=6667[Malformed Packet]
Frame 27: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3237042638, Ack: 0
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 3237042638
Acknowledgment number: 0
Header length: 48 bytes
Flags: 0xc56 (SYN, RST, ACK, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]
No. Time Source Destination Protocol Length Info
28 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [URG, ECN, CWR, NS, Reserved] Seq=3281651313 Win=6667, bogus TCP header length (8, must be at least 20)
Frame 28: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3281651313
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
Sequence number: 3281651313
Header length: 8 bytes (bogus, must be at least 20)
No. Time Source Destination Protocol Length Info
29 0.000228 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [FIN, SYN, RST, PSH, CWR, Reserved] Seq=1054004090 Win=6667[Malformed Packet]
Frame 29: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1054004090
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 4]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1054004090
Header length: 60 bytes
Flags: 0x88f (FIN, SYN, RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]
Anonymous
Oct 21st 2014
9 years ago
[quote]
I have heard some rumblings that these packets have affected some Dlink SOHO gear and one Cisco Enterprise device. I don't have any concrete data to back that up yet though.
[/quote]
I know it's not confirmed or anything, but can you elaborate on the one Cisco Ent. device you mentioned?
Anonymous
Oct 22nd 2014
9 years ago