[Dshield] Packet analysis help
dshield at threenorth.com
Tue Jul 16 19:48:47 GMT 2002
This is a follow up on my post last week regarding what Donald Smith
identified as a distributed reflector ddos.
In short someone, probably using zombie computers, sends a TCP SYN packet
to an open port on another system, but they spoof the return address of the
machine they want to DOS. This results in a series of (8, in my case)
SYN/ACK packets being sent at the victim computer. All packets in question
are small, but the attacker can quickly multiply the effect of computers
under their control, create an additional layer of indirection, and cause a
larger number of hosts to attack--thus making defense that much harder--all
while causing a very slight impact on the unwitting participants like
myself. I have apparently been used for a number of small attacks since I
first noticed something almost a week ago, but at most I have seen about
one incoming packet/ip/minute. Very small.
So, since I have already embarrassed myself a few times on this incident
(see my first panicked post and then unintentional posting of tcpdump files
last week), I thought I would continue the trend by posting my analysis,
limited though it is, of this incident publically.
I have identified over 2000 suspect packets, targeting over XXX ip
addresses. A short tcpdump from last Thursday (all times US Central):
16:05:18.125855 22.214.171.124.47366 > a.b.c196.80: S [tcp sum ok]
268042240:268042240(0) win 65535 [tos 0x8] (ttl 242, id 5588, len 40)
16:06:07.796703 126.96.36.199.34169 > a.b.c196.80: S [tcp sum ok]
720240640:720240640(0) win 65535 [tos 0x8] (ttl 242, id 44879, len 40)
16:07:24.527096 188.8.131.52.53593 > a.b.c196.80: S [tcp sum ok]
1000079360:1000079360(0) win 65535 [tos 0x8] (ttl 242, id 9906, len 40)
16:08:17.035616 184.108.40.206.38986 > a.b.c196.80: S [tcp sum ok]
1263140864:1263140864(0) win 65535 [tos 0x8] (ttl 242, id 23925, len 40)
16:10:24.298165 220.127.116.11.53574 > a.b.c196.80: S [tcp sum ok]
2716925952:2716925952(0) win 65535 [tos 0x8] (ttl 242, id 18010, len 40)
16:11:14.720961 18.104.22.168.28165 > a.b.c196.80: S [tcp sum ok]
3830972416:3830972416(0) win 65535 [tos 0x8] (ttl 242, id 34356, len 40)
16:12:30.674036 22.214.171.124.54181 > a.b.c196.80: S [tcp sum ok]
4168155136:4168155136(0) win 65535 [tos 0x8] (ttl 242, id 2089, len 40)
16:13:24.025876 126.96.36.199.16568 > a.b.c196.80: S [tcp sum ok]
2975596544:2975596544(0) win 65535 [tos 0x8] (ttl 242, id 56641, len 40)
You will note that they are targeting 4 different ip addresses, but all in
the same class C network. If set up as a typical class C, the final
address targeted is the network broadcast address. I have spoken with tech
support at the ISP in question, and they were under a DDOS at this time.
These are obviously crafted packets. Some things which point to that:
1) The packet length is 40, which is the smallest possible TCP/IP packet
and indicates no TCP or IP options set. From what I can tell, this is not
normal for any OS out there.
2) The ttl of 242. Again, from what I can find online, the only OS's that
would create a normal packet that could have a ttl this large are some
Cisco routers and Solaris 7 (and lower?). I am guessing that this packet
was created with an original ttl of 255, which would make them 13 hops
away. 188.8.131.52 was not 13 hops away when I received these
packets. (From Thursday to Saturday, all suspect packets like this had a
ttl of 242. After that, I began receiving two different sets, one with 240
and the other with 247. I saw packets from both interleaved with each
other in an attack on Sunday. I am assuming that I was probably being hit
by 2 different zombie machines, but it is possible that the person was
getting more sophisticated and slightly changing the initial ttl on each
packet, but I tend to discount that because I would then expect to see a
wider range than just 2 different values.)
3) The max window size of 65535. I can't imagine any OS padding a SYN/ACK
packet to the max window size, so this seems a bit odd to me, but maybe
someone else can shed some light on that.
4) The tos of 0x8 indicates "Minimize Delay", which I assume is set to
help increase the speed of packets pouring in on the victim.
5) ID and From ports seem random, but I don't have a large enough sample
size to really say, nor do I have the time to read up on the necessary
statistical analyses needed to make a more definitive statement.
6) The tcp sequence number is interesting. It too seems random, but only
the last two bytes are always 0. In fact, I went through all port 80
traffic for two days and the only ones that had 0 in the last two bytes of
the TCP sequence number were also packets of length 80 with at TOS of 0x8.
So, first question, anyone have any idea what tool may be creating these
Second question/comment, not all these odd packets seem to be being used
for DDOS attacks. I have seen some hits from just one IP address, so I my
initial thought is a stealthy scan, but it has ttl's that match packets
that seemed to be used for DDOS. I might also think this is the
perpetrator or a zombie checking up on me, but I have seen these from a
number of different ip addresses. What else might these be. The following
is a count of ip addresses that sent these packets in a roughly 24 hour
period (I have 4 ips, so divided totals by 4, that is where the .25 comes from:
SourceIP Number of packets
Any and all comments appreciated.
More information about the list