[Dshield] what kind of attack is this?

Guy Barnum GuyBarnum at Armscole.com
Fri Feb 13 08:02:23 GMT 2004


I may be overly paranoid but I have what looks like a continuous
attack/scan running off a win 2000 server.  Looking at the CPU time per
task I don't see anything out of the ordinary but who knows what every
single task in that list represents?  Norton Anti-Virus Enterprise with
real time scanning (I know the shortfalls here) enabled and the latest
virus definitions isn't picking anything up on the system.

Here is the pattern I see using ethereal to capture everything going
out.

No.  Time      Source             Destination    Protocol  Info
----------------------------------------------------------------------------------------------
1    0.000000  <source left out>  192.27.50.87   UDP       source port: 3036 destination port: 38293
2    0.000028  <source left out>  192.27.50.87   UDP       source port: 3036 destination port: 38293
3    0.000082  <source left out>  192.27.50.87   UDP       source port: 3036 destination port: 38293

There are 12 of these then it increments one on the last octet

13   0.052513  <source left out>  192.27.50.88   UDP       source port: 3036 destination port: 38293
14   0.010486  <source left out>  192.27.50.88   UDP       source port: 3036 destination port: 38293
15   0.000527  <source left out>  192.27.50.88   UDP       source port: 3036 destination port: 38293

This repeats 12 times per octet up through .101 when it flips over to
this

181  0.763026  <source left out>  192.177.188.90 TCP       22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
182  0.763050  <source left out>  192.177.188.90 TCP       22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
183  0.763118  <source left out>  192.177.188.91 TCP       22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
184  0.763127  <source left out>  192.177.188.91 TCP       22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460

It hits these IPs in pairs in this order: .90 .91 .89 .92 .93 .94 .97
.99 .100 .95 .98 .96 .102 .103 .101 .104 .105 .106 .107 .108

Then the original format starts over with UDP packets going to
192.27.50.102 .103 .104 etc. in blocks of 12 and another set of epmap
[SYN] lines following.

I am a beginner at this level of network security but if I had to take a
guess I would say this process is scanning an IP range for open systems
and at first I thought sending some kind of SYN flood before starting to
scan again but the IP range changes completely between the UDP and TCP
packets so maybe it is sending a report back logging what it finds on
the scans or communicating between multiple infected machines to
coordinate the main target?

Doing a tracert on the first block of destination IPs I find bbnplanet
as the target, and when I try surfing to bbnplanet.com I get a "page
cannot be displayed" error, further leading me to believe there is a DDOS
against bbnplanet.

The second pattern sending the [SYN] packets is hitting an IP range that
resolves to centergate.com and those web pages come up without any delay
at all or I would think they may be under attack also.  Perhaps that is
the origin of the attack directed at bbnplanet?

All feedback is welcome as I'm up against a steep learning curve here.
Any ideas on how to filter the outgoing packets at least until I can
find what is running and kill this?  *hint of desperation*

GLB
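One way to spot and filter the pattern described above, as an added example that is not part of the original post or any DShield tool: a small Python script that parses Ethereal-style summary lines (a constructed sample with a made-up source address 10.0.0.2), flags groups of packets with the same protocol and ports that walk across several hosts in one /24 (the host-sweep signature in the capture), and emits vendor-neutral egress deny rules for each group so they can be translated into whatever host firewall or router ACL is at hand.

```python
"""Detect the host sweeps seen in the post (UDP 3036 -> 38293 across a /24,
then TCP SYNs to epmap/135 across another /24) from Ethereal summary lines."""
import re
from collections import defaultdict

# Constructed sample in the summary format quoted in the post; the source
# address is made up (10.0.0.2) since the post left that column out.
SAMPLE = """\
1 0.000000 10.0.0.2 192.27.50.87 UDP source port: 3036 destination port: 38293
2 0.000028 10.0.0.2 192.27.50.87 UDP source port: 3036 destination port: 38293
3 0.052513 10.0.0.2 192.27.50.88 UDP source port: 3036 destination port: 38293
4 0.000527 10.0.0.2 192.27.50.89 UDP source port: 3036 destination port: 38293
5 0.763026 10.0.0.2 192.177.188.90 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
6 0.763050 10.0.0.2 192.177.188.91 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
7 0.763118 10.0.0.2 192.177.188.89 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
8 0.900000 10.0.0.2 10.0.0.5 TCP 1040 > http [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
"""

# No. Time Source Destination UDP "source port: N destination port: M"
UDP_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+UDP\s+source port:\s*(\d+)"
                    r"\s+destination port:\s*(\S+)")
# No. Time Source Destination TCP "sport > dport [SYN] ..."
TCP_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\S+)\s+\[SYN\]")

def parse(text):
    """Yield (proto, dst_ip, src_port, dst_port) for every UDP or TCP-SYN line.
    dst_port is kept as Ethereal prints it (a number or a service name)."""
    for line in text.splitlines():
        m = UDP_RE.match(line) or TCP_RE.match(line)
        if m:
            proto = "UDP" if "UDP" in line.split()[4] else "TCP"
            yield proto, m.group(1), int(m.group(2)), m.group(3)

def sweeps(text, min_hosts=3):
    """Group packets by (proto, src_port, dst_port, /24) and return the groups
    that touch at least min_hosts distinct hosts: the signature of a sweep."""
    hosts = defaultdict(set)
    for proto, ip, sport, dport in parse(text):
        net = ".".join(ip.split(".")[:3]) + ".0/24"
        hosts[(proto, sport, dport, net)].add(ip)
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}

def egress_rules(text):
    """Vendor-neutral deny rules, one per detected sweep, for an outbound filter."""
    return [f"deny {p.lower()} src-port {sp} dst-port {dp} to {net}"
            for (p, sp, dp, net) in sweeps(text)]

if __name__ == "__main__":
    for rule in egress_rules(SAMPLE):
        print(rule)
```

The single http SYN to 10.0.0.5 in the sample is deliberately left unflagged: one host is ordinary traffic, several consecutive hosts with identical ports is not.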