Strange UDP Packets, Amazon.com and LATAM NIC Issues

Strange UDP packets everywhere


A poster to the ISC sent us some strange UDP packets he had been seeing on his network. The first odd thing that stands out is that every fragment in the traces is the last fragment of a fragment train, and every one of them places 25 bytes of data at offset 512 (which happens to be the maximum payload for a DNS reply over UDP, EDNS notwithstanding).

Here is some sample traffic that was posted to DShield back in October and that perfectly matches what the current poster is seeing:


10:13:19.754558 83.102.166.48 > aa.bb.cc.71: (frag 25411:25@512) (ttl 55, len 45)
0x0000 4500 002d 6343 0040 3711 d0ca 5366 a630 E..-cC.@7...Sf.0
0x0010 3f95 1647 11ef 0035 0019 282d 71f7 0100 ?..G...5..(-q...
0x0020 0001 0000 0000 0000 0000 0200 016f .............o
10:13:20.674641 83.102.166.7 > aa.bb.cc.71: (frag 38795:25@512) (ttl 55, len 45)
0x0000 4500 002d 978b 0040 3711 9cab 5366 a607 E..-...@7...Sf..
0x0010 3f95 1647 11ef 0035 0019 2856 71f7 0100 ?..G...5..(Vq...
0x0020 0001 0000 0000 0000 0000 0200 0106 ..............
10:13:27.211002 83.102.166.33 > aa.bb.cc.71: (frag 9664:25@512) (ttl 55, len 45)
0x0000 4500 002d 25c0 0040 3711 0e5d 5366 a621 E..-%..@7..]Sf.!
0x0010 3f95 1647 11ef 0035 0019 283c 71f7 0100 ?..G...5..(<q...
0x0020 0001 0000 0000 0000 0000 0200 0148 .............H

Another odd thing is that all similar traffic we have seen comes out of the same netblock, 83.102.166.0/24, which belongs to corbina.net in Russia.

Has anyone seen similar traffic? You can capture this traffic with the following tcpdump filter:

tcpdump {options to your liking} 'src net 83.102.166 and (ip[6] & 0x20 = 0 and ip[6:2] & 0x1fff != 0)'

The first test checks that the More Fragments bit (0x20 in byte 6 of the IP header) is clear, the second that the 13-bit fragment offset is non-zero; together they select the last fragment of a fragment train.

If you see packets, please send them to the ISC.
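As an added illustration (not part of the original diary), the following Python decodes the IP header of the three packets quoted above and applies the same test as the tcpdump filter: MF bit clear, non-zero fragment offset, and a source inside the 83.102.166.0/24 netblock.

```python
import ipaddress
import struct

# Constructed from the three hex dumps quoted above: the raw IP packet as tcpdump
# printed it. The 46th byte is Ethernet padding (a 45-byte IP packet is one byte
# short of the Ethernet minimum), so the parser slices by the IP total length.
SAMPLE_DUMPS = [
    "4500002d634300403711d0ca5366a6303f95164711ef00350019282d71f70100"
    "000100000000000000000200016f",
    "4500002d978b00403711 9cab5366a6073f95164711ef0035001928 5671f70100"
    "000100000000000000000200010 6".replace(" ", ""),
    "4500002d25c000403711 0e5d5366a6213f95164711ef0035001928 3c71f70100"
    "000100000000000000000200014 8".replace(" ", ""),
]


def parse_ip_fragment(raw: bytes) -> dict:
    """Decode the IPv4 header fields that matter for fragment analysis."""
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),  # MF is 0x20 in ip[6]
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # offset is in 8-byte units
        "payload": raw[ihl:total_len],                # drop link-layer padding
    }


def is_trailing_fragment(raw: bytes) -> bool:
    """Same predicate as the tcpdump filter: MF clear and non-zero offset."""
    f = parse_ip_fragment(raw)
    return not f["more_fragments"] and f["frag_offset"] != 0


def flag_suspicious(dumps, net="83.102.166.0/24") -> list:
    """Return (src, id, offset, payload length) for every matching fragment."""
    hits = []
    for hexdump in dumps:
        raw = bytes.fromhex(hexdump.replace(" ", ""))
        f = parse_ip_fragment(raw)
        in_net = ipaddress.IPv4Address(f["src"]) in ipaddress.IPv4Network(net)
        if in_net and is_trailing_fragment(raw):
            hits.append((f["src"], f["id"], f["frag_offset"], len(f["payload"])))
    return hits
```

Each hit is a last fragment whose first fragment never appeared, which is exactly what a reassembly cache would hold until its timer expires.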

Amazon.com having issues

Yesterday we had a number of reports of users having trouble reaching and working with Amazon.com. The story seems to have made headlines on CNN:

http://www.cnn.com/2004/TECH/internet/12/06/amazon/index.html

When we contacted Amazon, they said that the site was experiencing back-end database issues and that these should be resolved by today, Dec 8th.

LATAM NIC

In other news... Latin America's NIC was having resolution issues yesterday, causing pain for some users in the .ar, .br and other Latin American TLDs.

CDI East begins this week

For those of you showing up for the grand CDI East (Dec 7-14) in Washington DC, Internet Storm Center handlers will be around giving talks, teaching classes, and hanging out. Stop by and see us wherever strange packets may be...

over and out,

Mike Poor

mike [a|t] intelguardians.com