[Intrusions] A scan I've never seen before...
Michael Cloppert
mike.cloppert at gmail.com
Wed Jul 6 20:45:32 GMT 2005
I thought on this for a bit, and couldn't come up with anything
conclusive. Some thoughts I had, that may or may not help guide your
investigation:
It's interesting that the protocol field is 0. To my knowledge, this
isn't any "normal" IP protocol type. You may want to check the
Ethernet header to see if the 16-bit Type is specified as IPv6.
Notice how the IP version field is 4 in the IP header -- this doesn't
jibe with the "IPv6 hop-by-hop option (0x00)".
Could this be an O/S fingerprint attempt by fiddling with options?
If you find out what caused this, please let us know. Now you've got
me curious as well.
Regards,
Michael Cloppert
On 7/6/05, Jeff Kell <jeff-kell at utc.edu> wrote:
> I just discovered a scan of a chunk (a /19 worth) of our address space with something I've never seen before. Any hints would be appreciated.
>
> The scans were blocked by an ingress filter, but with an unusual, out-of-place log message (Cisco):
>
> > Jul 6 15:00:27.814 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.132 1 packet
> > Jul 6 15:00:28.994 EDT: %SEC-6-IPACCESSLOGS: list ingress denied 111.222.191.137 1 packet [...]
>
> Normally I would expect a "list ingress denied [tcp|udp|protocol#] source(port) -> dest(port)" type message, but this only listed the destination address and no clue what was hitting it. I cobbled together a pcap for later analysis (I can send to anyone who needs further information to decrypt). A quick look with ethereal shows:
>
> A source in Venezuela...
>
> Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".
>
> Tcpdump of a couple (obfuscated destination addresses):
>
> > 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.180: ip 48
> > 0x0000: 4500 0044 fabc 0000 7600 5ccc 96bb 090b E..D....v.\.....
> > 0x0010: 1122 b6b4 4500 2d00 0000 0000 8006 0000 ....E.-.........
> > 0x0020: 0000 0000 96b6 b6b4 05e4 01bd 0100 0000 ................
> > 0x0030: 0000 0000 7002 faf0 3223 0000 0204 05b4 ....p...2#......
> > 0x0040: 0101 0402 ....
> > 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.181: ip 48
> > 0x0000: 4500 0044 fbbc 0000 7600 5bcb 96bb 090b E..D....v.[.....
> > 0x0010: 1122 b6b5 4500 2d00 0000 0000 8006 0000 ....E.-.........
> > 0x0020: 0000 0000 96b6 b6b5 05e4 008b 0100 0000 ................
> > 0x0030: 0000 0000 7002 faf0 3354 0000 0204 05b4 ....p...3T......
> > 0x0040: 0101 0402 ....
>
> Clues? New script kiddie?
>
> Jeff
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
--
========================
Michael Cloppert
off-list email: mike at cloppert.org
http://www.cloppert.org
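As an added example (not code from either poster), the following Python decodes the first packet from the tcpdump output quoted above and applies the two checks Michael suggests: read the version/IHL byte and the protocol byte of the IP header, and report what protocol 0 is listed as (HOPOPT, the IPv6 Hop-by-Hop Option, which only has meaning after an IPv6 header). The hex groups are copied from the post; Jeff obfuscated the destination address, so the outer header checksum cannot verify and the code just reports that. Reading the 48 payload bytes as a second IPv4 header followed by a TCP segment is my interpretation of the posted bytes, not a finding from the thread; the code reports the fields (and the inner total-length mismatch) and leaves the conclusion to the reader.

```python
"""Decode the proto-0 packet quoted in the thread and sanity-check its headers."""
import socket
import struct

# Hex groups of the first packet in Jeff's tcpdump -x output, copied from the
# post (offset column and ASCII column dropped; dst already obfuscated by Jeff).
PACKET_HEX = """
4500 0044 fabc 0000 7600 5ccc 96bb 090b
1122 b6b4 4500 2d00 0000 0000 8006 0000
0000 0000 96b6 b6b4 05e4 01bd 0100 0000
0000 0000 7002 faf0 3223 0000 0204 05b4
0101 0402
"""

# IANA protocol numbers relevant here; 0 is HOPOPT, which is why Ethereal
# labelled the payload "IPv6 hop-by-hop option".
IANA_PROTO = {0: "HOPOPT (IPv6 Hop-by-Hop Option)", 1: "ICMP", 4: "IPIP",
              6: "TCP", 17: "UDP", 41: "IPv6"}


def hexdump_to_bytes(dump):
    """Join the 'xxxx xxxx' groups of a tcpdump -x dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data):
    """16-bit ones'-complement sum; a header with a valid checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(data):
    """Parse one IPv4 header into a dict of fields plus two sanity flags."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (vihl, tos, total_len, ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or ihl > len(data):
        raise ValueError("IHL %d is not a valid header length" % ihl)
    return {
        "version": vihl >> 4,
        "ihl": ihl,
        "total_length": total_len,
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "proto_name": IANA_PROTO.get(proto, "other/unassigned"),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # Fails for the outer header here because the poster rewrote the dst.
        "checksum_ok": ones_complement_sum(data[:ihl]) == 0xFFFF,
        # Total length should cover exactly the bytes present.
        "length_ok": ihl <= total_len == len(data),
        "payload": data[ihl:],
    }


def parse_tcp(data):
    """Parse a TCP header (no checksum verification; pseudo-header would need real addresses)."""
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_off = (off_flags >> 12) * 4
    flag_bits = ((0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"),
                 (0x04, "RST"), (0x08, "PSH"), (0x20, "URG"))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_off,
            "flags": [name for bit, name in flag_bits if off_flags & bit],
            "window": win, "options": data[20:data_off]}


def analyse(packet):
    """Apply the thread's checks to the outer header, then try to read the payload."""
    outer = parse_ipv4(packet)
    findings = []
    if outer["version"] != 4:
        findings.append("version field is %d, not 4" % outer["version"])
    if outer["proto"] == 0:
        findings.append("protocol 0 is HOPOPT, an IPv6 extension header; "
                        "it is not a defined transport after an IPv4 header")
    inner = None
    payload = outer["payload"]
    # Interpretation, not a fact from the thread: the payload starts with 0x45,
    # so try reading it as another IPv4 header and, if it says TCP, a TCP header.
    if len(payload) >= 20 and payload[0] >> 4 == 4:
        inner = parse_ipv4(payload)
        if not inner["length_ok"]:
            findings.append("inner total length %d does not match %d payload bytes"
                            % (inner["total_length"], len(payload)))
        if inner["proto"] == 6 and len(inner["payload"]) >= 20:
            inner["tcp"] = parse_tcp(inner["payload"])
    return {"outer": outer, "inner": inner, "findings": findings}


if __name__ == "__main__":
    result = analyse(hexdump_to_bytes(PACKET_HEX))
    for key in ("version", "proto", "proto_name", "src", "dst", "checksum_ok", "length_ok"):
        print("outer %-12s %s" % (key, result["outer"][key]))
    if result["inner"]:
        print("inner proto %d (%s), tcp %s" % (result["inner"]["proto"],
              result["inner"]["proto_name"], result["inner"].get("tcp")))
    for f in result["findings"]:
        print("finding:", f)
```

Running it against the posted bytes gives version 4, protocol 0 in the outer header, a length field (68) that matches the capture, and a payload that parses as an IPv4 header with protocol 6 whose own total-length field does not match the 48 bytes present, followed by a SYN to port 445 with MSS 1460 and SACK-permitted options. Whether that was a broken encapsulation, a deliberate filter-evasion probe or a fingerprinting attempt is exactly the open question in the thread; the decode only makes the fields visible.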