[Dshield] Unusual snort traffic

John Sage jsage at finchhaven.com
Sun Nov 11 04:27:35 GMT 2001


Stephen:

<long, but maybe worth it...>

At the risk of stating the obvious, the traffic itself is pings.

Let's order the last entries by time, and then look around:


timestamp,            proto,       msg,
src,dst,srcport,dstport,icmptype,icmpcode,icmpid,icmpseq,ttl,tos,id,iplen,dgmlen

11/08-18:03:24.963067 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40

11/08-18:03:24.980872 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40


11/08-18:04:18.167514 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40

11/08-18:04:18.168180 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40


11/08-18:05:10.388127 ,ICMP,ICMP Unknown Type,
209.221.176.6,    xx.yy.zz.64,,,8,0,19458,39174,52,0,0,20,40

11/08-18:05:10.388909 ,ICMP,ICMP Unknown Type,
209.221.176.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40


From "TCP/IP Illustrated", vol. 1, W. R. Stevens, p. 86:

"..Unix implementations of ping set the identifier field in the icmp 
message to the process ID of the sending process.."

So these packets were all sent by PID 19458, assuming it's *nix, but I'd 
bet not, because nmap says:

> 137/tcp    filtered    netbios-ns              
> 138/tcp    filtered    netbios-dgm             
> 139/tcp    filtered    netbios-ssn             
> 445/tcp    filtered    microsoft-ds


although nmap itself can't ID the OS behind 209.221.176.6... hmm..

"..The sequence number starts at 0 and is incremented every time a new 
echo request is sent.."

hmm.. We've got two seq's: 39174 and 39430; and the seq's are unchanged 
over three pings across the *.255 host, and three across the *.64 host 
within the probes on any one day/time. So it's as if - what? - it's as 
though each ping is sent out without incrementing the seq... weird..


Can you say "custom implementation?" Read on...


OK: anyway, who is this guy?

Request: 209.221.176.6
connecting to whois.arin.net [192.149.252.22:43] ...

Semaphore Corporation (NETBLK-SEMA-CIDR-1) SEMA-CIDR-1
      209.221.128.0 - 209.221.191.255
5stops (NETBLK-5STOPS-SBLK1) 5STOPS-SBLK1
      209.221.176.0 - 209.221.176.15

Request: NETBLK-5STOPS-SBLK1 at whois.arin.net
connecting to whois.arin.net [192.149.252.22:43] ...
5stops (NETBLK-5STOPS-SBLK1)
    PO Box 77525
    Seattle, WA 98177
    US

    Netname: 5STOPS-SBLK1
    Netblock: 209.221.176.0 - 209.221.176.15

Coordinator:
       Lindvall, Eric  (EL295-ARIN)  eric at 5stops.com
206.579.7668


An http to 209.221.176.6 results in a "connection refused"

hmm..

http to 5stops.com results in:

<html>
<head>
<link REL="SHORTCUT ICON" HREF="/favicon.ico">
<title>
5 s t o p s
</title>
:
<snip>

hmm.. ("favicon.ico" -- smacks of Window$..) and it's Eric Lindvall's 
website..


So, wondering what this guy is doing with the rest of his usable IPs, 
I start to send http requests to other IPs in his netblock, starting 
downward, and lo:

Bingo!


http to 209.22.176.5 results in:

"Current count: 44,998 broken networks.
Average amplification: 4x

Welcome to netscan.org. This site contains a searchable and browsable 
list of broadcast ICMP ("smurf") amplifiers."

"Put this database to good use by checking the networks that you use or 
administer. In the box below, enter an IP address (e.g., 192.168.4.0) or 
ASN (e.g., 1), then press "Check." Queries for ASNs may take up to one 
minute to finish.

The script checks the number of times that network broadcast and subnet 
addresses (for example, x.y.z.0 and x.y.z.255) reply to a single ICMP 
ping. If either number is greater than 1, the network is misconfigured 
and its router needs a configuration change.

Note that this data comes from a static database; it is not real-time. 
Current amplifiers are rechecked nightly, previous amplifiers are 
rechecked monthly, and all routed networks are checked once in a while. 
Entries are to /27 boundaries."

* Why & when did you ping all these IPs?

We're a small group of concerned network administrators who got fed up 
with being smurfed day after day simply because a few admins aren't 
doing their jobs. This site serves to inform and educate "the rest" in 
hopes of eliminating this problem in the next few months.

The rescanning is on a rolling schedule so that under most 
circumstances, no network goes more than 2 weeks without being 
rescanned. The front page is typically updated with the last scan date."



So somebody is pinging you because -- why? -- you're a smurf amplifier 
suspect?

Or just because they're on a mission?


Who's *this* guy?

Registrant:
no ip directed-broadcast (NETSCAN3-DOM)
    PO Box 77525
    Seattle, WA 98177-0525
    US

    Domain Name: NETSCAN.ORG

Administrative Contact:
       Davis, Troy  (TD1221)  troy at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177-0525
       (206) 683-8769
    Technical Contact:
       Administrator, Nack.Net (AN521-ORG)  hostmaster at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177
       US
       (206) 546-5277
    Billing Contact:
       lindvall, eric  (EL2687)  eric at 5STOPS.COM
       tekniq security group
       400 wall street suite 311
       seattle, WA  98121
       US
       206/579.7668 -


And finally:

Registrant:
NACK (NACK5-DOM)
    PO Box 77525
    Seattle, WA 98177-0525
    US

    Domain Name: NACK.NET

Administrative Contact, Billing Contact:
       Davis, Troy  (TD1221)  troy at NACK.NET
       Nack.Net, Inc.
       PO Box 77525
       Seattle, WA 98177-0525
       (206) 683-8769
    Technical Contact:
       lindvall, eric  (EL2687)  eric at 5STOPS.COM
       tekniq security group
       400 wall street suite 311
       seattle, WA  98121
       US
       206/579.7668 -


So anyway, I'd try emailing sysop at netscan.org and ask them WTF...

HTH..

- John
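As an added example (not part of John's post or Stephen's log), a small Python script that parses rows in the same CSV layout as the snort log above and flags the two oddities John works through: the limited-broadcast destination and an echo-request sequence number that never advances for a given sender/identifier. The sample rows are constructed, using documentation addresses in place of the real source and the masked xx.yy.zz.64 host.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample rows in the column layout of the snort CSV log quoted in the post;
# 198.51.100.6 and 192.0.2.64 are documentation addresses standing in for the real
# source and for the masked xx.yy.zz.64. The last two rows are a normal ping for contrast.
SAMPLE_LOG = """\
11/08-18:03:24.963067 ,ICMP,ICMP Unknown Type,198.51.100.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40
11/08-18:03:24.980872 ,ICMP,ICMP Unknown Type,198.51.100.6,192.0.2.64,,,8,0,19458,39174,52,0,0,20,40
11/08-18:04:18.167514 ,ICMP,ICMP Unknown Type,198.51.100.6,192.0.2.64,,,8,0,19458,39174,52,0,0,20,40
11/08-18:04:18.168180 ,ICMP,ICMP Unknown Type,198.51.100.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40
11/08-18:05:10.388127 ,ICMP,ICMP Unknown Type,198.51.100.6,192.0.2.64,,,8,0,19458,39174,52,0,0,20,40
11/08-18:05:10.388909 ,ICMP,ICMP Unknown Type,198.51.100.6,255.255.255.255,,,8,0,19458,39430,52,0,0,20,40
11/08-18:06:00.000000 ,ICMP,ICMP Unknown Type,203.0.113.9,192.0.2.64,,,8,0,4242,1,64,0,0,20,40
11/08-18:06:01.000000 ,ICMP,ICMP Unknown Type,203.0.113.9,192.0.2.64,,,8,0,4242,2,64,0,0,20,40
"""

FIELDS = ["timestamp", "proto", "msg", "src", "dst", "srcport", "dstport",
          "icmptype", "icmpcode", "icmpid", "icmpseq", "ttl", "tos", "id",
          "iplen", "dgmlen"]

def parse_log(text):
    """Parse the CSV rows into dicts and keep only ICMP echo requests (type 8)."""
    rows = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [r for r in rows if r["proto"] == "ICMP" and r["icmptype"] == "8"]

def analyse_pings(rows):
    """Group echo requests by sender, ICMP identifier and destination, then flag
    a limited-broadcast destination and sequence numbers that never advance."""
    seqs = defaultdict(list)  # (src, icmpid, dst) -> icmpseq values seen, in order
    for r in rows:
        seqs[(r["src"], r["icmpid"], r["dst"])].append(int(r["icmpseq"]))
    findings = []
    for (src, icmpid, dst), seen in sorted(seqs.items()):
        if dst == "255.255.255.255":
            findings.append((src, icmpid, dst, "limited-broadcast destination"))
        # A stock ping increments icmpseq on every request; the same value over
        # several packets points at a custom sender (or replayed packets).
        if len(seen) > 1 and len(set(seen)) == 1:
            findings.append((src, icmpid, dst,
                             "repeated icmpseq %d over %d packets" % (seen[0], len(seen))))
    return findings
```

Running `analyse_pings(parse_log(SAMPLE_LOG))` reports the broadcast destination plus the two stuck sequence numbers for identifier 19458, and nothing for the well-behaved 4242 ping.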



Chan, Stephen (TIS, Singapore) wrote:

> Hi, this traffic pattern has me stumped. The attached file is a snort log
> collected over a couple of weeks. It's in CSV format so you can import into
> Excel with no problems.
> 
> xx.yy.zz.64 is my host
> 209.221.176.6 is the strange box 
> 
> two things confound me: the broadcast 255.255.255.255 destination address
> and the repeating sequence numbers.
> 
> Would appreciate any sort of insight into this.
> 
> Thanks
> 
> Stephen Chan
> 
> 
>  <<traffic.csv>> 
> 




