[Intrusions] interesting DOS log
Rusma Mulyadi
rmulyadi at arizona.edu
Sat Oct 16 01:30:57 GMT 2004
We saw this DOS-like trace on our network today.
A compromised machine is used to DOS several machines on the Internet by
spoofing the IP addresses of the local subnet.
At this point, we are not sure of the tool being used to do so - haven't
heard back from the machine owner.
From what we captured, it seems to be doing 3 different types of net
flooding (TCP-SYN, TCP-ACK, and UDP) destined to victim port 1024.
Below are some sanitized packet dumps with some interesting patterns
that we noticed.
TCP
- All of the TCP seq#s are 0x12345678
- Although the total length according to the IP header is 60 bytes
(0x003c), there doesn't seem to be anything in the payload.
UDP
- the payload length is the same as the port.
21:36:14.735700 x:x:x:x:x:x y:y:y:y:y:y 8100 78: 802.1Q vlan#12 P0
X.X.X.X.540 > Y.Y.Y.Y.1024: S 305419896:305419916(20) win 512
0x0000 000c 0800 4500 003c 0100 0000 8006 2d6a
0x0010 xxxx xxxx yyyy yyyy 021c 0400 1234 5678
0x0020 0200 0000 5002 0200 30c8 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
21:36:14.772177 x:x:x:x:x:x y:y:y:y:y:y 8100 78: 802.1Q vlan#12 P0
X.X.X.X.39 > Y.Y.Y.Y.1024: S 305419896:305419916(20) win 512
0x0000 000c 0800 4500 003c 0100 0000 8006 df4a
0x0010 xxxx xxxx yyyy yyyy 0027 0400 1234 5678
0x0020 0000 0000 5002 0200 e69d 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
21:36:14.830891 x:x:x:x:x:x y:y:y:y:y:y 8100 78: 802.1Q vlan#12 P0
X.X.X.X.233 > Y.Y.Y.Y.1024: . 305419896:305419916(20) ack 16777216 win 512
0x0000 000c 0800 4500 003c 0100 0000 8006 df4a
0x0010 xxxx xxxx yyyy yyyy 00e9 0400 1234 5678
0x0020 0100 0000 5010 0200 e4cd 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
21:36:14.927957 x:x:x:x:x:x y:y:y:y:y:y 8100 78: 802.1Q vlan#12 P0
X.X.X.X.386 > Y.Y.Y.Y.1024: . 305419896:305419916(20) ack 16777216 win 512
0x0000 000c 0800 4500 003c 0100 0000 8006 b140
0x0010 xxxx xxxx yyyy yyyy 0182 0400 1234 5678
0x0020 0100 0000 5010 0200 b62a 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
21:36:14.984549 x:x:x:x:x:x y:y:y:y:y:y 8100 78: 802.1Q vlan#12 P0
X.X.X.X.393 > Y.Y.Y.Y.1024: . 305419896:305419916(20) ack 33554432 win 512
0x0000 000c 0800 4500 003c 0100 0000 8006 b140
0x0010 xxxx xxxx yyyy yyyy 0189 0400 1234 5678
0x0020 0200 0000 5010 0200 b523 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
21:05:51.403792 x:x:x:x:x:x y:y:y:y:y:y 8100 1070: 802.1Q vlan#12 P0
X.X.X.X.36352 > Y.Y.Y.Y.1024: udp 1024
0x0000 000c 0800 4500 041c 0100 0000 8011 6acf
0x0010 xxxx xxxx yyyy yyyy 8e00 0400 0408 0000
0x0020 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
0x0030 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
0x0040 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
<snip>
0x0410 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
21:05:51.403793 x:x:x:x:x:x y:y:y:y:y:y 8100 1070: 802.1Q vlan#12 P0
X.X.X.X.36352 > Y.Y.Y.Y.1024: udp 1024
0x0000 000c 0800 4500 041c 0100 0000 8011 6acf
0x0010 xxxx xxxx yyyy yyyy 8e00 0400 0408 0000
0x0020 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
0x0030 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
0x0040 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
0x0050 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
<snip>
0x0410 fbfb fbfb fbfb fbfb fbfb fbfb fbfb fbfb
21:05:51.607666 x:x:x:x:x:x y:y:y:y:y:y 8100 1070: 802.1Q vlan#12 P0
X.X.X.X.59907 > Y.Y.Y.Y.1024: udp 1024
0x0000 000c 0800 4500 041c 0100 0000 8011 6a9e
0x0010 xxxx xxxx yyyy yyyy ea03 0400 0408 0000
0x0020 bebe bebe bebe bebe bebe bebe bebe bebe
0x0030 bebe bebe bebe bebe bebe bebe bebe bebe
0x0040 bebe bebe bebe bebe bebe bebe bebe bebe
<snip>
0x0410 bebe bebe bebe bebe bebe bebe bebe bebe
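The three traits called out in the post (constant TCP seq 0x12345678, a 60-byte IP datagram whose last 20 bytes after the TCP header are zeros, and UDP datagrams whose payload length equals the destination port) can be checked mechanically against tcpdump -x output. The following is an added example, not code from the original post or its author. It assumes the dump layout shown in the post (the first two 16-bit words are the 802.1Q TCI and the EtherType, "000c 0800", followed by the IPv4 datagram) and uses constructed sample dumps that copy the post's bytes with 10.1.2.3 and 192.0.2.10 substituted for the sanitised X.X.X.X and Y.Y.Y.Y; the IP checksums are therefore stale and are not verified. The dumps in the post are truncated with <snip>, so the example also handles a dump that is shorter than the IP total length instead of misreading the payload.

```python
import struct

FLOOD_SEQ = 0x12345678  # TCP sequence number seen in every TCP packet of the trace


def parse_hexdump(text):
    """Turn tcpdump -x output (offset column plus 16-bit hex groups) into bytes."""
    groups = []
    for line in text.strip().splitlines():
        fields = line.split()
        if fields and fields[0].startswith("0x"):
            groups.extend(fields[1:])
    return bytes.fromhex("".join(groups))


def dissect(frame):
    """Extract the IPv4 and TCP/UDP fields the checks need.

    Assumes the post's dump layout: 2-byte 802.1Q TCI, 2-byte EtherType,
    then the IPv4 datagram (the "000c 0800 4500 ..." prefix in the post).
    """
    tci, ethertype = struct.unpack("!HH", frame[:4])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[4:]
    vhl, _tos, total_len, ip_id, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (vhl & 0x0F) * 4
    rec = {
        "vlan": tci & 0x0FFF,
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "total_len": total_len, "ip_id": ip_id, "ttl": ttl, "proto": proto,
        # a <snip> in the dump or a short snaplen leaves fewer bytes than the IP header promises
        "truncated": len(ip) < total_len,
    }
    l4 = ip[ihl:total_len]
    if proto == 6:  # TCP
        sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", l4[:16])
        hlen = (off_flags >> 12) * 4
        rec.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   flags=off_flags & 0x3F, win=win, payload=l4[hlen:])
    elif proto == 17:  # UDP
        sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", l4[:8])
        rec.update(sport=sport, dport=dport, udp_len=udp_len, payload=l4[8:])
    return rec


def flood_indicators(rec):
    """Names of the traits from the post that this packet exhibits."""
    hits = []
    p = rec.get("payload", b"")
    if rec["proto"] == 6:
        if rec["seq"] == FLOOD_SEQ:
            hits.append("tcp-seq-0x12345678")
        # 60-byte datagram = 20 IP + 20 TCP + 20 zero bytes that tcpdump reports as (20)
        if rec["total_len"] == 60 and p and not rec["truncated"] and p == bytes(len(p)):
            hits.append(f"tcp-zero-pad-{len(p)}")
        if rec["flags"] == 0x02:
            hits.append("syn")
        elif rec["flags"] == 0x10:
            hits.append("ack-only")
    elif rec["proto"] == 17:
        if rec["udp_len"] - 8 == rec["dport"]:
            hits.append("udp-len-equals-dport")
        # payload is a single byte value repeated (0xfb, 0xbe in the post); skip if the dump is cut short
        if p and not rec["truncated"] and p == p[:1] * len(p):
            hits.append(f"udp-fill-0x{p[0]:02x}")
    return hits


def analyze(dump_text):
    rec = dissect(parse_hexdump(dump_text))
    rec["indicators"] = flood_indicators(rec)
    return rec


# Constructed samples copying the post's TCP dumps; 10.1.2.3 / 192.0.2.10 stand in for
# the sanitised X.X.X.X / Y.Y.Y.Y, so the copied IP checksums no longer match.
SYN_DUMP = """
0x0000 000c 0800 4500 003c 0100 0000 8006 2d6a
0x0010 0a01 0203 c000 020a 021c 0400 1234 5678
0x0020 0200 0000 5002 0200 30c8 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
"""
ACK_DUMP = """
0x0000 000c 0800 4500 003c 0100 0000 8006 df4a
0x0010 0a01 0203 c000 020a 00e9 0400 1234 5678
0x0020 0100 0000 5010 0200 e4cd 0000 0000 0000
0x0030 0000 0000 0000 0000 0000 0000 0000 0000
"""


def make_udp_dump(sport, fill, keep_bytes=None):
    """Render one constructed 1024-byte UDP flood datagram as a tcpdump -x dump.

    keep_bytes cuts the dump short, imitating the <snip> in the post.
    """
    raw = (bytes.fromhex("000c 0800 4500 041c 0100 0000 8011 6acf")
           + bytes([10, 1, 2, 3]) + bytes([192, 0, 2, 10])
           + struct.pack("!HHHH", sport, 1024, 8 + 1024, 0)
           + bytes([fill]) * 1024)
    if keep_bytes is not None:
        raw = raw[:keep_bytes]
    lines = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        lines.append(f"0x{off:04x} " + " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)))
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [SYN_DUMP, ACK_DUMP, make_udp_dump(36352, 0xFB), make_udp_dump(59907, 0xBE, keep_bytes=80)]
    for r in (analyze(s) for s in samples):
        print(f"{r['src']}.{r['sport']} > {r['dst']}.{r['dport']} proto={r['proto']} "
              f"len={r['total_len']} id=0x{r['ip_id']:04x} ttl={r['ttl']} "
              f"truncated={r['truncated']} -> {r['indicators']}")
```

The record also carries the IP ID and TTL, which are 0x0100 and 128 in every dump the post shows; they are reported rather than treated as a signature, since the post does not single them out. The payload check is deliberately skipped on a truncated dump: the UDP dumps in the post end with <snip>, and matching 1024 bytes of fill against 48 captured bytes would be a false conclusion either way.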