[Intrusions] A scan I've never seen before...

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Thu Jul 7 14:01:51 GMT 2005


I don't know "IPv6 hop-by-hop option" from a hole in the ground -
but these packets may be IPv4 encapsulated within IPv4. If you start
reading at byte 20:

IP:	4500 2d00 0000 0000 8006 0000 0000 0000 1122 b6b4

i.e. IPv4 packet, no IP options, length 11520 (?!), TTL 128, TCP,
  0.0.0.0 -> 111.222.182.184

TCP:	05e4 01bd 0100 0000 0000 0000 7002 faf0 3223 0000 0204 05b4 0101 0402

i.e. src port 1508, dst port 445, seq 0x1000000, ack 0, SYN, win 0xfaf0,
  cksum 0x3223, urg 0, option:maxSegSz 1460,nop,nop, etc.

Some weird tunneling, perhaps? I'm not sure what the intended
result is here.

 	-g
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 6 Jul 2005, Jeff Kell wrote:

> I just discovered a scan of a chunk (a /19 worth) of our address space with something I've never seen before.  Any hints would be appreciated.
  :
  :
> Protocol given as "IP" and Info reads "IPv6 hop-by-hop option (0x00)".
>
> Tcpdump of a couple (obfuscated destination addresses):
>
>> 14:51:00.766976 IP (tos 0x0, ttl 118, id 64188, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.180:  ip 48
>>         0x0000:  4500 0044 fabc 0000 7600 5ccc 96bb 090b  E..D....v.\.....
>>         0x0010:  1122 b6b4 4500 2d00 0000 0000 8006 0000  ....E.-.........
>>         0x0020:  0000 0000 1122 b6b4 05e4 01bd 0100 0000  ................
>>         0x0030:  0000 0000 7002 faf0 3223 0000 0204 05b4  ....p...2#......
>>         0x0040:  0101 0402                                ....
>> 14:51:00.871265 IP (tos 0x0, ttl 118, id 64444, offset 0, flags [none], proto 0, length: 68) 150.187.9.11 > 111.222.182.181:  ip 48
>>         0x0000:  4500 0044 fbbc 0000 7600 5bcb 96bb 090b  E..D....v.[.....
>>         0x0010:  1122 b6b5 4500 2d00 0000 0000 8006 0000  ....E.-.........
>>         0x0020:  0000 0000 1122 b6b5 05e4 008b 0100 0000  ................
>>         0x0030:  0000 0000 7002 faf0 3354 0000 0204 05b4  ....p...3T......
>>         0x0040:  0101 0402                                ....
>
> Clues?  New script kiddie?
>
> Jeff
>
>
>
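The decoding Glenn walks through above, as an added example that is not part of either poster's message: it takes the bytes of Jeff's first dump (with his obfuscated destination), parses the outer IPv4 header, reads byte 20 onward as IPv4 + TCP, and flags the inner-length mismatch Glenn questions plus the zero source address and zero checksum visible in the dump.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the first tcpdump hex dump quoted in the thread
# (destination address obfuscated by the original poster).
PKT = bytes.fromhex(
    "4500 0044 fabc 0000 7600 5ccc 96bb 090b 1122 b6b4"
    "4500 2d00 0000 0000 8006 0000 0000 0000 1122 b6b4"
    "05e4 01bd 0100 0000 0000 0000 7002 faf0 3223 0000"
    "0204 05b4 0101 0402"
)

def parse_ipv4(buf, off=0):
    """Decode the IPv4 header at buf[off:]; return (fields, offset of its payload)."""
    vihl, _, tlen, ident, _, ttl, proto, csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    ihl = (vihl & 0x0F) * 4
    return {"ihl": ihl, "total_length": tlen, "id": ident, "ttl": ttl, "proto": proto,
            "checksum": csum, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst))}, off + ihl

def decode_tcp_options(opts):
    """Walk the TCP option TLVs (kind 0 = end of list, kind 1 = nop has no length byte)."""
    out, i = [], 0
    while i < len(opts) and opts[i] != 0:
        if opts[i] == 1:
            out.append("nop"); i += 1; continue
        kind, length = opts[i], opts[i + 1]
        data = opts[i + 2:i + length]
        out.append({2: f"mss {int.from_bytes(data, 'big')}", 4: "sackOK"}.get(kind, f"opt{kind}"))
        i += length
    return out

def parse_tcp(buf, off=0):
    """Decode the TCP header at buf[off:], including its options."""
    sport, dport, seq, ack, doff_flags, win, csum, _ = struct.unpack_from("!HHIIHHHH", buf, off)
    doff = (doff_flags >> 12) * 4                       # header length incl. options
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "syn": bool(doff_flags & 0x02),
            "window": win, "checksum": csum, "options": decode_tcp_options(buf[off + 20:off + doff])}

def decode_ip_in_ip(pkt):
    """Outer IPv4 (proto 0) followed, from byte 20, by what looks like IPv4 + TCP."""
    outer, off = parse_ipv4(pkt)
    inner, off = parse_ipv4(pkt, off)
    tcp = parse_tcp(pkt, off)
    notes = []
    carried = outer["total_length"] - outer["ihl"]     # bytes the outer packet really carries
    if inner["total_length"] != carried:
        notes.append(f"inner length {inner['total_length']} != {carried} bytes carried")
    if inner["src"] == "0.0.0.0" or inner["checksum"] == 0:
        notes.append("inner header has zero source address or zero checksum")
    return outer, inner, tcp, notes
```

Running `decode_ip_in_ip(PKT)` reproduces Glenn's reading: TTL 128, TCP from 0.0.0.0 port 1508 to port 445, SYN with MSS 1460, and an inner length of 11520 against the 48 bytes actually carried.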