Thanks to Tim for providing some packet captures. Anybody else seeing "weird" TCP packets? In particular we are interested if you see them OUTBOUND. We are looking for the likely broken tool that may generate these packets. Some of the packet properties:
Quick tshark output of a sample with obfuscated target IP:
Internet Protocol Version 4, Src: 137.118.96.23 (137.118.96.23), Dst: x.y.z.70 (x.y.z.70)
Johannes (ISC Handler) | Oct 6th 2014
Ditto yesterday, source IP = 186.202.136.193.0

Anonymous | Oct 7th 2014
Hi Johannes,
We saw these packets also in the last 24h at our IPS. If you like I can upload some captures. They stopped as quickly as they started. Cheers, Niko

Nik | Oct 7th 2014
Hi Niko,
We saw the same; appreciate it if you can share some captures. Did anybody find out what the root cause was or what triggered it? Thanks, Riz

Nik | Oct 8th 2014
If you look at the packet, there is a string at the end that is unique to all the tcp0 scan packets: "a002 7d78". I found this string in many of the packets from IPs generating this traffic. Searching this string, I found a report from the CERT in Poland reporting this same traffic pattern in late 2011. http://www.cert.pl/PDF/Report_CP_2011.pdf

Nik | Oct 8th 2014
We had the same signature at Comcast. This brought down a bunch of our static IP customers. Seems as though some routing engines on home routers are not too happy with malformed packets. Still trying to replicate the packet in the lab with Ixia, but I don't have the payload info for the packet. Any captures would be nice.
Please send them to me. Regards, Will

Willz | Oct 9th 2014
Will,
What kind of gateways are you running? I have heard some rumblings that these packets have affected some Dlink SOHO gear and one Cisco Enterprise device. I don't have any concrete data to back that up yet though. If you don't feel comfortable with putting it out there, and are willing to share, please contact me on rwanner@isc.sans.edu. Thanks! Rick

Rick (ISC Handler) | Oct 10th 2014
Saw the same signatures six days ago. Logged in and tried to respond but ended up on an error page. Have pcaps from two sites, uploaded to handlers in the evening of 6th Oct (UTC+2).
//Jan

JanS | Oct 12th 2014
Looking for additional info as well, was just attacked via the same/similar vector. TCP src/dst port is 0, 6667 window size, with lots of 'invalid-tcp-hdr-length'... 99% of all TCP headers were invalid, but most of their sizes are 44 bytes, while the others are 48/52/56 bytes.
A couple of packets are shown below... changed src/dst IPs...

No. Time     Source       Destination      Protocol Length Info
25  0.000198 192.168.1.1  123.123.123.123  TCP      74     0 > 0 [RST, PSH, CWR, Reserved] Seq=1540996429 Win=6667 [Malformed Packet]
Frame 25: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
    Source port: 0 (0)
    Destination port: 0 (0)
    [Stream index: 2]
    [Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
    Sequence number: 1540996429
    Header length: 44 bytes
    Flags: 0x68c (RST, PSH, CWR, Reserved)
    Window size value: 6667
    [Calculated window size: 6667]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x0000 [validation disabled]
    [Malformed Packet: TCP]

No. Time     Source       Destination      Protocol Length Info
26  0.000213 192.168.1.1  123.123.123.123  TCP      74     0 > 0 [SYN, URG, ECN, Reserved] Seq=1540996429 Win=6667 Urg=0 [Malformed Packet]
Frame 26: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
    Source port: 0 (0)
    Destination port: 0 (0)
    [Stream index: 3]
    [Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
    Sequence number: 1540996429
    Header length: 60 bytes
    Flags: 0xe62 (SYN, URG, ECN, Reserved)
    Window size value: 6667
    [Calculated window size: 6667]
    Checksum: 0x0000 [validation disabled]
    Urgent pointer: 0
    [Malformed Packet: TCP]

No. Time     Source       Destination      Protocol Length Info
27  0.000213 192.168.1.1  123.123.123.123  TCP      74     0 > 0 [SYN, RST, ACK, ECN, Reserved] Seq=3237042638 Ack=0 Win=6667 [Malformed Packet]
Frame 27: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3237042638, Ack: 0
    Source port: 0 (0)
    Destination port: 0 (0)
    [Stream index: 3]
    [Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
    Sequence number: 3237042638
    Acknowledgment number: 0
    Header length: 48 bytes
    Flags: 0xc56 (SYN, RST, ACK, ECN, Reserved)
    Window size value: 6667
    [Calculated window size: 6667]
    Checksum: 0x0000 [validation disabled]
    [Malformed Packet: TCP]

No. Time     Source       Destination      Protocol Length Info
28  0.000213 192.168.1.1  123.123.123.123  TCP      74     0 > 0 [URG, ECN, CWR, NS, Reserved] Seq=3281651313 Win=6667, bogus TCP header length (8, must be at least 20)
Frame 28: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3281651313
    Source port: 0 (0)
    Destination port: 0 (0)
    [Stream index: 3]
    Sequence number: 3281651313
    Header length: 8 bytes (bogus, must be at least 20)

No. Time     Source       Destination      Protocol Length Info
29  0.000228 192.168.1.1  123.123.123.123  TCP      74     0 > 0 [FIN, SYN, RST, PSH, CWR, Reserved] Seq=1054004090 Win=6667 [Malformed Packet]
Frame 29: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1054004090
    Source port: 0 (0)
    Destination port: 0 (0)
    [Stream index: 4]
    [Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
    Sequence number: 1054004090
    Header length: 60 bytes
    Flags: 0x88f (FIN, SYN, RST, PSH, CWR, Reserved)
    Window size value: 6667
    [Calculated window size: 6667]
    Checksum: 0x0000 [validation disabled]
    [Malformed Packet: TCP]

JanS | Oct 21st 2014
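The anomalies the posters describe (ports 0/0, window 6667, a TCP data offset shorter than 20 bytes or longer than the 40 bytes actually captured, reserved bits set, SYN combined with RST or FIN) are all decidable from the 16 bytes at the front of the TCP header, so they are cheap to check in bulk without Wireshark. The script below is an added example for this thread, not code from any of the participants: it rebuilds the five frames JanS posted from the printed field values (the flag word of frame 28 is not in the post, so 0xfe0 is assumed there because it yields the listed flag names), decodes the 12-bit flag field the way Wireshark prints it, and flags each frame. It also decodes Nik's "a002 7d78" bytes as a data-offset/flags/window word: read that way they are a 40-byte header, SYN only, window 32120, which is worth knowing before using that string alone as a signature. The packet builder writes the offset nibble and flag bits verbatim, which is what a lab replay of the malformed frames (as Will describes wanting to do) needs; nothing here is sent on the wire.

```python
"""Flag the 'TCP port 0' anomalies discussed in this thread on raw IPv4/TCP
packets. Stdlib only: struct for packing, socket for address conversion.
Added example; the sample frames are reconstructed from the posted values."""
import socket
import struct

# Wireshark's 12-bit flag field: bits 11..9 reserved, bit 8 NS, then
# CWR, ECE (printed as ECN), URG, ACK, PSH, RST, SYN, FIN in bit 0.
FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
             (0x010, "ACK"), (0x020, "URG"), (0x040, "ECN"), (0x080, "CWR"),
             (0x100, "NS")]
RESERVED_MASK = 0xE00
THREAD_WINDOW = 6667      # window value every poster reports


def flag_names(flags12):
    """Render the 12-bit flag field as Wireshark does, lowest bit first:
    0x68c -> ['RST', 'PSH', 'CWR', 'Reserved']."""
    names = [name for bit, name in FLAG_BITS if flags12 & bit]
    if flags12 & RESERVED_MASK:
        names.append("Reserved")
    return names


def decode_offset_flags_window(four_bytes):
    """Decode TCP header bytes 12-15 (offset/flags word, then window), e.g.
    the 'a002 7d78' string, into (header length in bytes, flag names, window)."""
    off_flags, window = struct.unpack("!HH", four_bytes)
    return (off_flags >> 12) * 4, flag_names(off_flags & 0xFFF), window


def build_ipv4_tcp(src, dst, seq, hdr_len, flags12, window,
                   sport=0, dport=0, tcp_bytes=40):
    """IPv4 + TCP with the data-offset nibble and flag bits written verbatim
    (no sanity checks), so malformed frames can be reproduced for a lab
    replay. Checksums stay 0, as in the posted capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_bytes, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    off_flags = (((hdr_len // 4) & 0xF) << 12) | (flags12 & 0xFFF)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, window, 0, 0)
    return ip + tcp + b"\x00" * (tcp_bytes - len(tcp))


def inspect(packet):
    """Decode one IPv4 packet (no link-layer header) and list its anomalies."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        return {"anomalies": ["not IPv4/TCP"]}
    seg = packet[(packet[0] & 0x0F) * 4:]
    if len(seg) < 16:
        return {"anomalies": ["truncated before the TCP window field"]}
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    hdr_len, flags12 = (off_flags >> 12) * 4, off_flags & 0xFFF
    names = flag_names(flags12)
    anomalies = []
    if sport == 0 or dport == 0:
        anomalies.append("port 0")
    if hdr_len < 20:
        anomalies.append(f"bogus header length {hdr_len} (must be at least 20)")
    elif hdr_len > len(seg):
        anomalies.append(f"short segment: header length {hdr_len} > {len(seg)} captured")
    if "Reserved" in names:
        anomalies.append("reserved bits set")
    if "SYN" in names and ({"RST", "FIN"} & set(names)):
        anomalies.append("SYN with RST/FIN")
    if window == THREAD_WINDOW:
        anomalies.append(f"window {THREAD_WINDOW}")
    return {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "hdr_len": hdr_len,
            "flags": f"0x{flags12:03x}", "flag_names": names, "window": window,
            "anomalies": anomalies}


# Constructed sample: JanS's frames 25-29 rebuilt from the printed values.
# Frame 28's flag word is not in the post; 0xfe0 is an assumption.
SAMPLE_FRAMES = {
    25: build_ipv4_tcp("192.168.1.1", "123.123.123.123", 1540996429, 44, 0x68c, 6667),
    26: build_ipv4_tcp("192.168.1.1", "123.123.123.123", 1540996429, 60, 0xe62, 6667),
    27: build_ipv4_tcp("192.168.1.1", "123.123.123.123", 3237042638, 48, 0xc56, 6667),
    28: build_ipv4_tcp("192.168.1.1", "123.123.123.123", 3281651313, 8, 0xfe0, 6667),
    29: build_ipv4_tcp("192.168.1.1", "123.123.123.123", 1054004090, 60, 0x88f, 6667),
}


def scan(frames):
    """Return {frame number: anomaly list} for every frame that trips a check."""
    results = {n: inspect(p) for n, p in frames.items()}
    return {n: r["anomalies"] for n, r in results.items() if r["anomalies"]}


if __name__ == "__main__":
    for n, p in SAMPLE_FRAMES.items():
        r = inspect(p)
        print(n, r["flags"], ", ".join(r["flag_names"]), "->", "; ".join(r["anomalies"]))
    print(decode_offset_flags_window(bytes.fromhex("a0027d78")))
```

To pull the same frames out of a real capture first, the Wireshark/tshark display filter `tcp.port == 0 && tcp.window_size_value == 6667` matches on the two constant fields, and `tcp.hdr_len` exposes the bogus data offset; feed the IPv4 payload of each hit to `inspect()` to get the flag breakdown.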
Quoting Rick: Will, I know it's not confirmed or anything, but can you elaborate on the one Cisco Ent. device you mentioned?

JDoe | Oct 22nd 2014