[Dshield] Packet analysis help

Tim Rushing dshield at threenorth.com
Tue Jul 16 19:48:47 GMT 2002


This is a follow up on my post last week regarding what Donald Smith 
identified as a distributed reflector ddos.

In short someone, probably using zombie computers, sends a TCP SYN packet 
to an open port on another system, but they spoof the return address of the 
machine they want to DOS.  This results in a series of (8, in my case) 
SYN/ACK packets being sent at the victim computer.  All packets in question 
are small, but the attacker can quickly multiply the effect of computers 
under their control, create an additional layer of indirection, and cause a 
larger number of hosts to attack--thus making defense that much harder--all 
while causing a very slight impact on the unwitting participants like 
myself.  I have apparently been used for a number of small attacks since I 
first noticed something almost a week ago, but at most I have seen about 
one incoming packet/ip/minute.  Very small.

So, since I have already embarrassed myself a few times on this incident 
(see my first panicked post and then unintentional posting of tcpdump files 
last week), I thought I would continue the trend by posting my analysis, 
limited though it is, of this incident publically.

I have identified over 2000 suspect packets, targeting over XXX ip 
addresses.  A short tcpdump from last Thursday (all times US Central):

16:05:18.125855 65.222.227.1.47366 > a.b.c196.80: S [tcp sum ok] 
268042240:268042240(0) win 65535 [tos 0x8]  (ttl 242, id 5588, len 40)
16:06:07.796703 65.222.227.58.34169 > a.b.c196.80: S [tcp sum ok] 
720240640:720240640(0) win 65535 [tos 0x8]  (ttl 242, id 44879, len 40)
16:07:24.527096 65.222.227.193.53593 > a.b.c196.80: S [tcp sum ok] 
1000079360:1000079360(0) win 65535 [tos 0x8]  (ttl 242, id 9906, len 40)
16:08:17.035616 65.222.227.255.38986 > a.b.c196.80: S [tcp sum ok] 
1263140864:1263140864(0) win 65535 [tos 0x8]  (ttl 242, id 23925, len 40)
16:10:24.298165 65.222.227.1.53574 > a.b.c196.80: S [tcp sum ok] 
2716925952:2716925952(0) win 65535 [tos 0x8]  (ttl 242, id 18010, len 40)
16:11:14.720961 65.222.227.58.28165 > a.b.c196.80: S [tcp sum ok] 
3830972416:3830972416(0) win 65535 [tos 0x8]  (ttl 242, id 34356, len 40)
16:12:30.674036 65.222.227.193.54181 > a.b.c196.80: S [tcp sum ok] 
4168155136:4168155136(0) win 65535 [tos 0x8]  (ttl 242, id 2089, len 40)
16:13:24.025876 65.222.227.255.16568 > a.b.c196.80: S [tcp sum ok] 
2975596544:2975596544(0) win 65535 [tos 0x8]  (ttl 242, id 56641, len 40)


You will note that they are targeting 4 different ip addresses, but all in 
the same class C network.  If set up as a typical class C, the final 
address targeted is the network broadcast address.  I have spoken with tech 
support at the ISP in question, and they were under a DDOS at this time.

These are obviously crafted packets.  Some things which point to that:

1)  The packet length is 40, which is the smallest possible TCP/IP packet 
and indicates no TCP or IP options set.  From what I can tell, this is not 
normal for any OS out there.

2)  The ttl of 242.  Again, from what I can find online, the only OS's that 
would create a normal packet that could have a ttl this large are some 
Cisco routers and Solaris 7 (and lower?).  I am guessing that this packet 
was created with an original ttl of 255, which would make them 13 hops 
away.  65.222.227.255 was not 13 hops away when I received these 
packets.  (From Thursday to Saturday, all suspect packets like this had a 
ttl of 242.  After that, I began receiving two different sets, one with 240 
and the other with 247.  I saw packets from both interleaved with each 
other in an attack on Sunday.  I am assuming that I was probably being hit 
by 2 different zombie machines, but it is possible that the person was 
getting more sophisticated and slightly changing the initial ttl on each 
packet, but I tend to discount that because I would then expect to see a 
wider range than just 2 different values.)

3)  The max window size of 65535.  I can't imagine any OS padding a SYN/ACK 
packet to the max window size, so this seems a bit odd to me, but maybe 
someone else can shed some light on that.

4)  The tos of 0x8 indicates "Minimize Delay", which I assume is set to 
help increase the speed of packets pouring in on the victim.

5)  ID and From ports seem random, but I don't have a large enough sample 
size to really say, nor do I have the time to read up on the necessary 
statistical analyses needed to make a more definitive statement.

6)  The tcp sequence number is interesting.  It too seems random, but only 
the last two bytes are always 0.    In fact, I went through all port 80 
traffic for two days and the only ones that had 0 in the last two bytes of 
the TCP sequence number were also packets of length 80 with at TOS of 0x8.

So, first question, anyone have any idea what tool may be creating these 
packets?

Second question/comment, not all these odd packets seem to be being used 
for DDOS attacks.  I have seen some hits from just one IP address, so I my 
initial thought is a stealthy scan, but it has ttl's that match packets 
that seemed to be used for DDOS.  I might also think this is the 
perpetrator or a zombie checking up on me, but I have seen these from a 
number of different ip addresses.  What else might these be.  The following 
is a count of ip addresses that sent these packets in a roughly 24 hour 
period (I have 4 ips, so divided totals by 4, that is where the .25 comes from:

SourceIP        Number of packets
______________  _________________
68.32.29.26        227
216.40.206.209     72.25
64.42.236.185      59
66.192.45.84       33
66.216.87.57       31
66.197.169.30      13
66.192.45.1        10
12.226.7.206       7
63.240.202.127     5
66.70.192.62       4
216.111.123.20     4
209.212.194.189    3
63.240.202.218     3
208.185.82.112     2
65.116.92.136      2
68.39.180.253      2
66.192.45.255      1
207.218.223.34     1
65.116.93.14       1


Any and all comments appreciated.

         ---Tim Rushing




More information about the list mailing list