Odd Packets - SANS Internet Storm Center

Odd Packets
From the front line A number of sites have been seeing unusual SYN-ACK traffic coming from port 80, that at first glance appears to be backscatter from a DDoS attack. A closer look leaves us slightly puzzled. Note: these logs have been sanitized to protect the guilty and the innocent. 11:57:58.477497 IP (tos 0x0, ttl 112, id 32814, offset 0, flags [DF], length: 40) 10.10.10.103.80 > 192.168.154.177.41359: S [tcp sum ok] 2030205186:2030205186(0) ack 25686 win 65535 4500 0028 802e 4000 7006 1ad7 0a0a 0a67 c0a8 9ab1 0050 a18f 7902 7902 0000 6456 5b12 ffff 3ccd 0000 0000 0000 0000 12:09:05.651825 IP (tos 0x0, ttl 112, id 23183, offset 0, flags [DF], length: 40) 10.10.10.103.80 > 192.168.154.177.27772: SE [tcp sum ok] 1244547630:1244547630(0) ack 36086 win 65535 4500 0028 5a8f 4000 7006 4076 0a0a 0a67 c0a8 9ab1 0050 6c7c 4a2e 4a2e 0000 8cf6 5652 ffff aba8 0000 0000 0000 0000 12:45:12.480408 IP (tos 0x0, ttl 112, id 11525, offset 0, flags [DF], length: 40) 10.10.10.103.80 > 192.168.154.177.19647: SW [tcp sum ok] 1565220171:1565220171(0) ack 35766 win 65535 4500 0028 2d05 4000 7006 6e00 0a0a 0a67 c0a8 9ab1 0050 4cbf 5d4b 5d4b 0000 8bb6 5092 ffff ac2b 0000 0000 0000 0000 Some unusual patterns that a number of us have picked up on from the traffic: - Different combinations of the TCP reserved / ECN (Explicit Congestion Notification) flags set. If these were valid ECN SYN-ACKS, they would have only the SYN, ACK, and ECN-ECHO flags set. - The TCP Window size is maxed out on all the packets - Sequence numbers have definite pattern of repeating 2 bytes (4 hex characters), examples: Seq: 0x79027902 Seq: 0x4a2e4a2e Seq: 0x5d4b5d4b This is unusual, as these sequence numbers are coming from a host that initially you assume is suffering a DDoS attack. Has anyone seen this traffic? Got packets? Handler on Duty: Mike Poor <mike .at. intelguardians.com>	Mike 49 Posts May 8th 2004
Thread locked Subscribe	May 8th 2004 1 decade ago