[Dshield] RE: more on port 21826

James C. Slora, Jr. james.slora at phra.com
Tue Oct 14 17:45:14 GMT 2003

Jon R. Kibler wrote Thu, 09 Oct 2003 12:34:27 -0400

> Several weeks ago, I posted a question about traffic from 
> what appeared to be a forged IP address to a single 
> unallocated IP address in our netblock. The packets always 
> originated from port 44429 and were always targeted to port 
> 21826. At that time, all of the packets originated from a 
> single IP address ( that we were told was a US 
> DoD address that does not have Internet access.

This looks like the TCP window size 55808 packets that were the subject of great discussion when they first appeared in mass numbers in May 2003. Get a few full packet captures if you can and check the window size. Google tcp window 55808.

If this is what it is, I can only tell you "me too", plus share some knowledge of the traffic and some guesses about its purpose. I enjoy looking at it from time to time, but have not been able to devote much effort to it recently.

The target port is normally a function of the target address, so port numbers are not useful in explaining the traffic. Source addresses are typically inaccessible U.S. government or large business addresses or IANA reserved addresses. All source addresses are spoofed. Source addresses and ports also appear to be separate functions of target address - the great majority of them remain constant for any particular target, although TTLs vary (probably according to true source). A few source addresses are seen by multiple people - these are also the sources that are most likely to use a different source port in their probes.

The traffic increased slowly throughout May and June, and has remained at a steady peak since then on my networks. I have not personally found a routed public subnet that did not have exactly one target address. But I only work with a few networks, so others may have more useful statistics in this regard.

> Recently, the pattern has changed (also, see below).
>    1) There are now multiple IP addresses all sending to port 
> 21826 on this SAME unallocated IP address.
>    2) The majority of the sending IP addresses still claim to 
> be sending from port 44429, but several of the addresses now 
> seem to be originating from different ports.
> A couple of other tid-bits... Checking logs as far back as 
> May, we find:
>    1) Every log entry that originated from port 44429 was 
> targeted to port 21826.
>    2) Every log entry that targeted port 21826 was to the 
> same target IP address.
>    3) These 'spoofed packets' predate our owning this 
> netblock (they were among the first packets logged when we 
> acquired this netblock early this year).
> Anyone have any new ideas what may be going on here?

The true nature of the traffic has never been publicly revealed AFAICT. One public explanation was a network mapping tool - a sample of the tool was found, but its method and results were far too weak to be believable as a mass-deployed tool. 

There were some trojans that supposedly explained some of the traffic, but it was never fully explained. Some Randex versions use window size 55808 in DoS attacks. I don't think this explains the traffic most of us see, though, because the RST packets our targets might send don't all go to the same group of spoofed sources - each of us has a different typical fake source.

Locating the true sources requires detailed cooperative snooping by ISPs or some good luck in finding and recognizing either a client or a server. My targets have never responded in any way that I could detect. The probes appear to keep coming at similar rates whether or not any device ever responds.

The sources are definitely not the sources, and the targets might not even be the targets.

My conjecture is that this is covert channel botnet control traffic which is targeted at a server in between the true source and the target. The repetitive spoofed sources are probably drones joining a control channel, and the oddball probes are possibly the botnet owner issuing commands.

Since there has been only one target address behind each router, maybe the covert channel is targeted at the routers themselves. This seems difficult because I have seen it on Linksys routers as much as on Cisco ones. I don't think it would be easy to set up a multiplatform router trojan that ran undetected at so many locations unless it was some backdoor built into production firmware by multiple vendors. At that point we are getting into black helicopter conspiracy theories that someone should be able to disprove by looking at source code or by decompiling firmware.

Maybe the target is the target, and I have been too dumb to recognize the responses.

It is easy enough to imagine other possibilities, but if anyone knows they have not spoken out publicly to my knowledge.
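
The window-size check suggested in the reply above, as an added example that is not part of the original post: it reads a classic pcap file (Ethernet link type only, an assumption; pcapng is not handled) and lists every IPv4/TCP packet whose window is 55808, with the TTL kept so that variation per spoofed source is visible. The function names and the sample capture, which uses documentation addresses, are constructed for illustration.

```python
import socket
import struct

SUSPECT_WINDOW = 55808  # TCP window size named in the post

def find_window_packets(pcap: bytes, window: int = SUSPECT_WINDOW):
    """Return (src, sport, dst, dport, ttl) for each IPv4/TCP packet in a
    classic pcap (Ethernet link type) whose TCP window equals `window`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated or not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 16:
            continue  # not TCP, or TCP header cut short
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        win = struct.unpack("!H", ip[ihl + 14:ihl + 16])[0]
        if win == window:
            hits.append((socket.inet_ntoa(ip[12:16]), sport,
                         socket.inet_ntoa(ip[16:20]), dport, ip[8]))
    return hits

def _frame(src, dst, sport, dport, win, ttl):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture using documentation addresses, not real traffic."""
    frames = [_frame("192.0.2.10", "198.51.100.7", 44429, 21826, 55808, 112),
              _frame("192.0.2.10", "198.51.100.7", 44429, 21826, 55808, 47),
              _frame("203.0.113.5", "198.51.100.9", 51000, 80, 8192, 64)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `find_window_packets(open(path, "rb").read())` on a real capture gives the same tuples; grouping them by destination shows whether a subnet has a single target address.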
