[Intrusions] LOW SLOW SMTP DOS from our clients.
kenneth gf brown
ken at shadowplay.net
Sat Feb 19 22:25:34 GMT 2005
we are attempting to figure out why a series of smtp clients are
causing multiple concurrent connection attempts on smtp.
we have isolated a bit of the problem...
these are clients authorised to use our outbound smtp server.
basically every 1' 15'' an affected smtp client, exhibiting a slow low dos
behaviour, connects to our server. the smtp handshake happens as in the
capture below...
but upon our receipt of this packet (basically the client starting the DATA
part of the smtp connection...) after our send of "go ahead" (twice; the
client ignores the first one)
see the full capture below.
00:26:41.334390 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: . ack 105 win
65431 (DF)
0x0000 4500 0028 86c0 4000 7d06 a491 41c2 17ba E..(.. at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 4db3 3790 5e4e ...P....Y.M.7.^N
0x0020 5010 ff97 9646 0000 0000 0000 0000 P....F........
the client side connection appears to drop, the mail client times out and
reconnects via another port (basically hung port +1) and attempts to send the
EXACT same message, with the same result, ignoring any attempt by our server
to "wake" the original port.
the client never ACKs a resend of the "go ahead" packet and never ACKs several
451 timeout packets sent from the smtp server.. the connection is kept alive
for 20 min.
in the client's mail client the message is shown as fully processed and added
to their sent mail, and is no longer in their outbound mail queue, but their
client is STILL trying to send the message.
commonalities...
all clients affected appear to be on a similar class of subnet.
affected clients appear to be only affected if connected via our cable modem
subnets.
most clients are using antiviral software and are reporting "clean" using
their vendors' most recent data files.
this behaviour is appearing to affect clients who are using linksys wifi
routers, although we do have reports of it also affecting one linksys
standard non-wifi router.
geographically the affected clients are "remote", pointing away from, but not
fully discounting, a war drive hack, and are telling us that their wifi
settings are "locked down".
an nmap of the systems affected shows all ports filtered (what I'd expect from
a linksys router) and only port 113 as open, but filtered.
the low slow dos on our smtp servers began on Feb 15th
with a small handful of clients (5) exhibiting this behaviour...
we have seen the behaviour slowly spread across our clients' cable
subnets...
our interim solution is to block smtp connections to the outbound smtp server
when smtp clients exhibit this behaviour and reach a concurrent connection
count of >10.
at no time is any client exceeding 20 parallel connections to the servers.
(call me a liar... one has just exhibited 24 parallel connections) I think we
have our first example of 2 NATed systems being affected.
has anyone else seen this type of behaviour recently??
does anyone know what could be causing it??
I am 99.9% positive that it is something on the client's end.
it smells like a dos worm but I'm concerned by antiviral software not
"seeing" anything wrong on the client box, and we have at this time a
very limited ability to track the infection vector.
we are currently at 51 clients exhibiting this behaviour;
boxes sitting on the same wifi connection using nat to the network
are not necessarily BOTH affected..
our "infected client list" appears to be growing at a rate of 10 a day.
your thoughts and input most welcome and greatly appreciated.
kenneth gf brown
ceo shadowplay.net
00:26:41.060478 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: S
1505310347:1505310347(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 86b6 4000 7d06 a493 41c2 17ba E..0.. at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 368b 0000 0000 ...P....Y.6.....
0x0020 7002 ffff 1630 0000 0204 05b4 0101 0402 p....0..........
00:26:41.060519 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: S
932208101:932208101(0) ack 1505310348 win 5840 <mss 1460,nop,nop,sackOK>
(DF)
0x0000 4500 0030 0000 4000 4006 684a d8b1 a050 E..0.. at .@.hJ...P
0x0010 41c2 17ba 0019 0a14 3790 5de5 59b9 368c A.......7.].Y.6.
0x0020 7012 16d0 69d9 0000 0204 05b4 0101 0402 p...i...........
00:26:41.068473 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: . ack 1 win
65535 (DF)
0x0000 4500 0028 86b7 4000 7d06 a49a 41c2 17ba E..(.. at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 368c 3790 5de6 ...P....Y.6.7.].
0x0020 5010 ffff ad6d 0000 0000 0000 0000 P....m........
00:26:41.072288 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 1:26(25) ack
1 win 5840 (DF)
0x0000 4500 0041 1738 4000 4006 5101 d8b1 a050 E..A.8 at .@.Q....P
0x0010 41c2 17ba 0019 0a14 3790 5de6 59b9 368c A.......7.].Y.6.
0x0020 5018 16d0 d2b1 0000 3232 3020 736d 7470 P.......220.smtp
0x0030 2e67 7674 632e 636f 6d20 4553 4d54 500d .domain.com.ESMTP.
0x0040 0a .
00:26:41.088471 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: P 1:16(15) ack
26 win 65510 (DF)
0x0000 4500 0037 86b8 4000 7d06 a48a 41c2 17ba E..7.. at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 368c 3790 5dff ...P....Y.6.7.].
0x0020 5018 ffe6 b788 0000 4548 4c4f 2053 5445 P.......EHLO.STE
0x0030 5542 494e 470d 0a UBING..
00:26:41.088495 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: . ack 16 win
5840 (DF)
0x0000 4500 0028 1739 4000 4006 5119 d8b1 a050 E..(.9 at .@.Q....P
0x0010 41c2 17ba 0019 0a14 3790 5dff 59b9 369b A.......7.].Y.6.
0x0020 5010 16d0 9675 0000 P....u..
00:26:41.088634 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 26:75(49) ack
16 win 5840 (DF)
0x0000 4500 0059 173a 4000 4006 50e7 d8b1 a050 E..Y.:@. at .P....P
0x0010 41c2 17ba 0019 0a14 3790 5dff 59b9 369b A.......7.].Y.6.
0x0020 5018 16d0 d2c9 0000 3235 302d 736d 7470 P.......250-smtp
0x0030 2e67 7674 632e 636f 6d0d 0a32 3530 2d50 .gvtc.com..250-P
0x0040 4950 454c 494e 494e 470d 0a32 3530 2038 IPELINING..250.8
0x0050 4249 544d 494d 450d 0a BITMIME..
00:26:41.104828 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: P 16:47(31) ack
75 win 65461 (DF)
0x0000 4500 0047 86b9 4000 7d06 a479 41c2 17ba E..G.. at .}..yA...
0x0010 d8b1 a050 0a14 0019 59b9 369b 3790 5e30 ...P....Y.6.7.^0
0x0020 5018 ffb5 cc65 0000 4d41 494c 2046 524f P....e..MAIL.FRO
0x0030 4d3a 203c 6461 7272 656c 6c40 6776 7463 M:.<user at domain
0x0040 2e63 6f6d 3e0d 0a .com>..
00:26:41.104883 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 75:83(8) ack
47 win 5840 (DF)
0x0000 4500 0030 173b 4000 4006 510f d8b1 a050 E..0.;@. at .Q....P
0x0010 41c2 17ba 0019 0a14 3790 5e30 59b9 36ba A.......7.^0Y.6.
0x0020 5018 16d0 d2a0 0000 3235 3020 6f6b 0d0a P.......250.ok..
00:26:41.114459 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: P 47:82(35) ack
83 win 65453 (DF)
0x0000 4500 004b 86ba 4000 7d06 a474 41c2 17ba E..K.. at .}..tA...
0x0010 d8b1 a050 0a14 0019 59b9 36ba 3790 5e38 ...P....Y.6.7.^8
0x0020 5018 ffad ff32 0000 5243 5054 2054 4f3a P....2..RCPT.TO:
0x0030 203c 6473 7465 7562 696e 6740 7478 6662 .<anyone at anyw
0x0040 2d69 6e73 2e63 6f6d 3e0d 0a here.com>..
00:26:41.114494 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 83:91(8) ack
82 win 5840 (DF)
0x0000 4500 0030 173c 4000 4006 510e d8b1 a050 E..0.<@. at .Q....P
0x0010 41c2 17ba 0019 0a14 3790 5e38 59b9 36dd A.......7.^8Y.6.
0x0020 5018 16d0 d2a0 0000 3235 3020 6f6b 0d0a P.......250.ok..
00:26:41.124640 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: P 82:88(6) ack
91 win 65445 (DF)
0x0000 4500 002e 86bb 4000 7d06 a490 41c2 17ba E..... at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 36dd 3790 5e40 ...P....Y.6.7.^@
0x0020 5018 ffa5 0782 0000 4441 5441 0d0a P.......DATA..
00:26:41.124883 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 91:105(14)
ack 88 win 5840 (DF)
0x0000 4500 0036 173d 4000 4006 5107 d8b1 a050 E..6.=@. at .Q....P
0x0010 41c2 17ba 0019 0a14 3790 5e40 59b9 36e3 A.......7.^@Y.6.
0x0020 5018 16d0 d2a6 0000 3335 3420 676f 2061 P.......354.go.a
0x0030 6865 6164 0d0a head..
00:26:41.325196 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 91:105(14)
ack 88 win 5840 (DF)
0x0000 4500 0036 173e 4000 4006 5106 d8b1 a050 E..6.>@. at .Q....P
0x0010 41c2 17ba 0019 0a14 3790 5e40 59b9 36e3 A.......7.^@Y.6.
0x0020 5018 16d0 d2a6 0000 3335 3420 676f 2061 P.......354.go.a
0x0030 6865 6164 0d0a head..
00:26:41.334390 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: . ack 105 win
65431 (DF)
0x0000 4500 0028 86c0 4000 7d06 a491 41c2 17ba E..(.. at .}...A...
0x0010 d8b1 a050 0a14 0019 59b9 4db3 3790 5e4e ...P....Y.M.7.^N
0x0020 5010 ff97 9646 0000 0000 0000 0000 P....F........
ken at shadowplay.net http://www.shadowplay.net
Phone: 204.284.3481 Toll Free: 866.590.0023
Mobile: 204.470.9158
FOR CLIENT SUPPORT PLEASE CALL 204.470.9021
or email support at shadowplay.net
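A defender-side check for the two symptoms the post describes (a client holding more than the >10 concurrent SMTP sessions the interim block triggers on, and sessions that ACK the server's "354 go ahead" and then send nothing). This is an added example, not code from the original post or from shadowplay.net; it assumes tcpdump summary lines in the format quoted above, with the server address and thresholds passed as parameters.

```python
import re
from collections import Counter

# Parses tcpdump summary lines in the format quoted in the post; hex dump lines do not match.
LINE_RE = re.compile(r"^(\d+):(\d+):([\d.]+) (\S+)\.(\w+) > (\S+)\.(\w+): ([SFRP.]+)(.*)$")

def analyse(lines, server, max_concurrent=10, stall_seconds=20.0):
    """Return ({client_ip: open sessions over the limit}, sorted [(client_ip, port)] stalled)."""
    sessions, last_ts = {}, 0.0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, sec, src, sport, dst, dport, flags, rest = m.groups()
        ts = last_ts = int(h) * 3600 + int(mi) * 60 + float(sec)
        from_client = src != server
        key = (src, sport) if from_client else (dst, dport)
        if from_client and "S" in flags:  # a client SYN starts a new session
            sessions[key] = {"close": None, "push": None, "answered": True}
        s = sessions.get(key)
        if s is None:
            continue
        if "F" in flags or "R" in flags:
            s["close"] = ts
        lm = re.search(r"\((\d+)\)", rest)  # payload length, e.g. "91:105(14)"
        if lm and int(lm.group(1)) > 0:
            if from_client:
                s["answered"] = True  # client sent data after the server's last reply
            else:
                s["push"], s["answered"] = ts, False  # e.g. the "354 go ahead" reply
    # Sessions still open at the end of the capture, per client IP (the post's >10 trigger).
    open_count = Counter(ip for (ip, _), s in sessions.items() if s["close"] is None)
    over = {ip: n for ip, n in open_count.items() if n > max_concurrent}
    # Open sessions in which the server's last data went unanswered for stall_seconds.
    stalled = sorted(k for k, s in sessions.items() if s["close"] is None
                     and s["push"] is not None and not s["answered"]
                     and last_ts - s["push"] >= stall_seconds)
    return over, stalled

# Constructed sample in the same format: the first three lines are the post's own session
# (client ACKs "354 go ahead" and sends nothing), then a second session from the same client.
SAMPLE = """\
00:26:41.060478 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: S 1505310347:1505310347(0) win 65535 (DF)
00:26:41.124883 ser.ver.ipa.ddr.smtp > cli.ent.ipa.ddr.2580: P 91:105(14) ack 88 win 5840 (DF)
00:26:41.334390 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: . ack 105 win 65431 (DF)
00:27:56.010000 cli.ent.ipa.ddr.2581 > ser.ver.ipa.ddr.smtp: S 1:1(0) win 65535 (DF)
00:28:11.000000 oth.er.cli.ent.3000 > ser.ver.ipa.ddr.smtp: S 7:7(0) win 65535 (DF)
""".splitlines()
```

Run `analyse(SAMPLE, "ser.ver.ipa.ddr", max_concurrent=1)` to see both detections fire on the sample; with the default limit of 10 only the stalled session is reported.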