Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Spoofed packets with Window Size 6667: Anybody else seeing this? - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Spoofed packets with Window Size 6667: Anybody else seeing this?

Thanks to Tim for providing some packet captures. Anybody else seeing "weird" TCP packets? In particular we are interested if you see them OUTBOUND. We are looking for the likely broken tool that may generate these packets.

Some of the packet properties:

  • Packet size of 60 bytes (IP Headers + TCP)
  • Protocol is always TCP
  • various TOS values
  • various (random?) IP IDs. But repeating for same source IP
  • various TTLs (possible that packets from different IPs actually originate from different host)
  • DF flag is set
  • some source IPs are clearly "odd", e.g. multicast?source IPs like 255.127.0.0
  • TCP source and dest port is 0
  • Sequence numbers sometimes repeat even if source IPs change (argument for likely spoofed sources)
  • overall malformed TCP headers (e.g. header size < 20, various bad flag combinations).
  • Window size of 6667 (maybe this was supposed to be the source or dest. port?)
  • The packets arrive at relatively high rate (couple packets/sec with breaks... )

Quick tshark?output?of a sample with obfuscated target IP:

85.133.23.50 -> x.y.z.14 TCP 74 [TCP Retransmission] 0?0 [SYN, RST, ACK, URG, ECN, CWR, NS, Reserved] Seq=0 Ack=1 Win=6667 Urg=0 Len=0
85.133.23.50 -> x.y.z.14 TCP 74 [TCP Retransmission] 0?0 [SYN, RST, ACK, URG, ECN, CWR, NS, Reserved] Seq=0 Ack=1 Win=6667 Urg=0 Len=0
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0?0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0?0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0?0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.99.37.41 -> x.y.z.119 TCP 74 [TCP Retransmission] 0?0 [FIN, SYN, RST, PSH, URG, CWR, NS, Reserved] Seq=0 Win=6667 Urg=0 Len=16
192.95.30.185 -> x.y.z.24 TCP 74 0?0 [FIN, PSH, ACK, URG, ECN, Reserved] Seq=1 Ack=1 Win=6667, bogus TCP header length (0, must be at least 20)
137.118.96.23 -> x.y.z.70 TCP 74 0?0 [FIN, SYN, RST, PSH, URG, ECN, CWR, NS, Reserved] Seq=0 Win=6667, bogus TCP header length (12, must be at least 20)

Internet Protocol Version 4, Src: 137.118.96.23 (137.118.96.23), Dst: x.y.z.70 (x.y.z.70)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 60
Identification: 0xa2c7 (41671)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 49
Protocol: TCP (6)
Header checksum: 0x0cde [validation disabled]
[Good: False]
[Bad: False]
Source: 137.118.96.23 (137.118.96.23)
Destination: x.y.z.70
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 0
Source Port: 0 (0)
Destination Port: 0 (0)
[Stream index: 872]
[TCP Segment Len: 28]
Sequence number: 0?(relative sequence number)
Header Length: 12 bytes (bogus, must be at least 20)

09:16:46.687528 IP 137.118.96.23.0 > x.y.z.70.0: tcp 28 [bad hdr length 12 - too short, < 20]
0x0000: 4510 003c a2c7 4000 3106 0cde 8976 6017 E..<..@.1....v`.
0x0010: xxyy zz46 0000 0000 c0f1 59ce 0000 0000 .3.F......Y.....
0x0020: 3bef 1a0b ff7f 0000 6cf6 2346 0000 0000 ;.......l.#F....
0x0030: 0000 0000 0000 0000 a002 7d78..........}x

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022

 Johannes

4511 Posts
ISC Handler
Oct 6th 2014
Thread locked Subscribe Oct 6th 2014
7 years ago
ditto yesterday, sourceIP = 186.202.136.193.0
 Anonymous
Quote Oct 7th 2014
7 years ago
Hi Johannes,
we saw these pakets also the last 24h at our IPS. If you like I can upload some captures. They stopped as quickly as the started.

cheers
Niko
 Nik

4 Posts
Quote Oct 7th 2014
7 years ago
Hi Niko,

We saw the same, appreciate if you can share some captures. Did anybody find out what was the root cause or what triggered it.

Thanks
Riz
 Nik
1 Posts
Quote Oct 8th 2014
7 years ago
If you look at the packet, there is a string at the end that is unique to all the tcp0 scan packets. "a002 7d78" I found this string in many of the packets from IP's generating this traffic. Searching this string, I found a report from the CERT in Poland reporting this same traffic pattern in late 2011. http://www.cert.pl/PDF/Report_CP_2011.pdf
 Nik
1 Posts
Quote Oct 8th 2014
7 years ago
We had the same signature at Comcast. This brought down a bunch of our static IP customers. Seems as though some routing engines on home routers are not too happy with malformed packets. Still trying to replicate the packet in the lab with Ixia but I don't have the payload info for the packet. Any captures would be nice.

Please send them too me.

Regards,

Will
 Willz

1 Posts
Quote Oct 9th 2014
7 years ago
Will,

What kind of gateways are you running?

I have heard some rumblings that these packets have affected some Dlink SOHO gear and one Cisco Enterprise device. I don't have any concrete data to back that up yet though.

If you don't feel comfortable with putting it out there, and are willing to share, please contact me on rwanner@isc.sans.edu.

Thanks!
Rick
 Rick

324 Posts
ISC Handler
Quote Oct 10th 2014
7 years ago
Saw the same signatures six days ago. Logged in and tried to respond but ended up on an error page. Have pcaps from two sites, uploaded to handlers in the evening 6th Oct (UTC+2).

//Jan
 JanS

10 Posts
Quote Oct 12th 2014
7 years ago
Looking for additional info as well, was just attacked via same/similar vector. TCP src/dst port is 0, 6667 window size, with lots of 'invalid-tcp-hdr-length'... 99% of All tcp headers were invalid, but most of their sizes are 44bytes, while the others are 48/52/56 bytes.

a couple packets are shown below...changed src/dst ip's...


No. Time Source Destination Protocol Length Info
25 0.000198 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [RST, PSH, CWR, Reserved] Seq=1540996429 Win=6667[Malformed Packet]

Frame 25: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 2]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 44 bytes
Flags: 0x68c (RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
26 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, URG, ECN, Reserved] Seq=1540996429 Win=6667 Urg=0[Malformed Packet]

Frame 26: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 60 bytes
Flags: 0xe62 (SYN, URG, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
Urgent pointer: 0
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
27 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, RST, ACK, ECN, Reserved] Seq=3237042638 Ack=0 Win=6667[Malformed Packet]

Frame 27: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3237042638, Ack: 0
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 3237042638
Acknowledgment number: 0
Header length: 48 bytes
Flags: 0xc56 (SYN, RST, ACK, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
28 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [URG, ECN, CWR, NS, Reserved] Seq=3281651313 Win=6667, bogus TCP header length (8, must be at least 20)

Frame 28: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3281651313
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
Sequence number: 3281651313
Header length: 8 bytes (bogus, must be at least 20)

No. Time Source Destination Protocol Length Info
29 0.000228 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [FIN, SYN, RST, PSH, CWR, Reserved] Seq=1054004090 Win=6667[Malformed Packet]

Frame 29: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1054004090
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 4]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1054004090
Header length: 60 bytes
Flags: 0x88f (FIN, SYN, RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]
 JanS
2 Posts
Quote Oct 21st 2014
7 years ago
Looking for additional info as well, was just attacked via same/similar vector. TCP src/dst port is 0, 6667 window size, with lots of 'invalid-tcp-hdr-length'... 99% of All tcp headers were invalid, but most of their sizes are 44bytes, while the others are 48/52/56 bytes.

a couple packets are shown below...changed src/dst ip's...


No. Time Source Destination Protocol Length Info
25 0.000198 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [RST, PSH, CWR, Reserved] Seq=1540996429 Win=6667[Malformed Packet]

Frame 25: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 2]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 44 bytes
Flags: 0x68c (RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
[Window size scaling factor: -1 (unknown)]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
26 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, URG, ECN, Reserved] Seq=1540996429 Win=6667 Urg=0[Malformed Packet]

Frame 26: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1540996429
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1540996429
Header length: 60 bytes
Flags: 0xe62 (SYN, URG, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
Urgent pointer: 0
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
27 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [SYN, RST, ACK, ECN, Reserved] Seq=3237042638 Ack=0 Win=6667[Malformed Packet]

Frame 27: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3237042638, Ack: 0
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 3237042638
Acknowledgment number: 0
Header length: 48 bytes
Flags: 0xc56 (SYN, RST, ACK, ECN, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]

No. Time Source Destination Protocol Length Info
28 0.000213 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [URG, ECN, CWR, NS, Reserved] Seq=3281651313 Win=6667, bogus TCP header length (8, must be at least 20)

Frame 28: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 3281651313
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 3]
Sequence number: 3281651313
Header length: 8 bytes (bogus, must be at least 20)

No. Time Source Destination Protocol Length Info
29 0.000228 192.168.1.1 123.123.123.123 TCP 74 0 > 0 [FIN, SYN, RST, PSH, CWR, Reserved] Seq=1054004090 Win=6667[Malformed Packet]

Frame 29: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: Cisco_9a:a9:00 (e8:40:40:9a:a9:00), Dst: Cisco_5b:1c:6d (54:75:d0:5b:1c:6d)
Internet Protocol Version 4, Src: 192.168.1.1 (192.168.1.1), Dst: 123.123.123.123 (123.123.123.123)
Transmission Control Protocol, Src Port: 0 (0), Dst Port: 0 (0), Seq: 1054004090
Source port: 0 (0)
Destination port: 0 (0)
[Stream index: 4]
[Short segment. Segment/fragment does not contain a full TCP header (might be NMAP or someone else deliberately sending unusual packets)]
Sequence number: 1054004090
Header length: 60 bytes
Flags: 0x88f (FIN, SYN, RST, PSH, CWR, Reserved)
Window size value: 6667
[Calculated window size: 6667]
Checksum: 0x0000 [validation disabled]
[Malformed Packet: TCP]
 JanS
2 Posts
Quote Oct 21st 2014
7 years ago
Quoting Rick:Will,
I have heard some rumblings that these packets have affected some Dlink SOHO gear and one Cisco Enterprise device. I don't have any concrete data to back that up yet though.


I know it's not confirmed or anything, but can you elaborate on the one Cisco Ent. device you mentioned?
 JDoe

5 Posts
Quote Oct 22nd 2014
7 years ago

Sign Up for Free or Log In to start participating in the conversation!