[Dshield] what kind of attack is this?

Micheal Patterson micheal at tsgincorporated.com
Fri Feb 13 14:21:23 GMT 2004

----- Original Message ----- 
From: "Guy Barnum" <GuyBarnum at Armscole.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Friday, February 13, 2004 2:02 AM
Subject: [Dshield] what kind of attack is this?


> I may be overly paranoid but I have what looks like a continuous
> attack/scan running off a win 2000 server.  Looking at the CPU time per
> task I don't see anything out of the ordinary but who knows what every
> single task in that list represents?  Norton Anti-Virus Enterprise with
> real time scanning (I know the shortfalls here) enabled and the latest
> virus definitions isn't picking anything up on the system.
>
> Here is the pattern I see using ethereal to capture everything going
> out.
>
> No. Time     Source             Destination  Protocol  Info
> ------------------------------------------------------------------------------------------------
> 1   0.000000 <source left out>  192.27.50.87 UDP       source port: 3036 destination port: 38293
> 2   0.000028 <source left out>  192.27.50.87 UDP       source port: 3036 destination port: 38293
> 3   0.000082 <source left out>  192.27.50.87 UDP       source port: 3036 destination port: 38293
>
> There are 12 of these then it increments one on the last octet
>
> 13  0.052513 <source left out>  192.27.50.88 UDP       source port: 3036 destination port: 38293
> 14  0.010486 <source left out>  192.27.50.88 UDP       source port: 3036 destination port: 38293
> 15  0.000527 <source left out>  192.27.50.88 UDP       source port: 3036 destination port: 38293
>
> This repeats 12 times per octet up through .101 when it flips over to
> this
>
> 181  0.763026 <source left out>  192.177.188.90 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 182  0.763050 <source left out>  192.177.188.90 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 183  0.763118 <source left out>  192.177.188.91 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
> 184  0.763127 <source left out>  192.177.188.91 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
>
> It hits these IPs in pairs in this order .90 .91 .89 .92 .93 .94 .97
> .99 .100 .95 .98 .96 .102 .103 .101 .104 .105 .106 .107 .108
>
> Then the original format starts over with UDP packets going to
> 192.27.50.102 .103 .104 etc in blocks of 12 and another set of epmap
> [SYN] lines following.
>
> I am a beginner at this level of network security but if I had to take a
> guess I would say this process is scanning an IP range for open systems
> and at first I thought sending some kind of SYN flood before starting to
> scan again but the IP range changes completely between the UDP and TCP
> packets so maybe it is sending a report back logging what it finds on
> the scans or communicating between multiple infected machines to
> coordinate the main target?
>
> Doing a tracert on the first block of destination IPs I find bbnplanet
> as the target and when I try surfing to bbnplanet.com I get a page
> cannot be displayed error further leading me to believe there is a DDOS
> against bbnplanet.
>
> The second pattern sending the [SYN] packets is hitting an IP range that
> resolves to centergate.com and those web pages come up without any delay
> at all or I would think they may be under attack also.  Perhaps that is
> the origin of the attack directed at bbnplanet?
>
> All feedback is welcome as I'm up against a steep learning curve here.
> Any ideas on how to filter the outgoing packets at least until I can
> find what is running and kill this?  *hint of desperation*
>
> GLB
>

The dest port is associated with Norton Corp Edition and is the port on which NavCE
clients talk to a parent server.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
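As an added example (this is not code from the thread or from DShield), the script below parses Ethereal-style summary lines like the ones quoted above into per-port destination sweeps, so the two patterns in the post can be separated by fact rather than by guess: how many distinct hosts each (protocol, destination port) pair touched, how many packets, whether the last octets form one contiguous run, and whether the TCP traffic was SYN-only. The sample capture inside the block is constructed to mirror the post (the source address 10.0.0.5 is a placeholder standing in for the "<source left out>" host); the "epmap" name is mapped to TCP 135, the standard DCE RPC endpoint mapper port, and UDP 38293 is labelled per Micheal's reply as the NAV Corporate Edition client-to-parent-server port.

```python
"""Summarise an Ethereal/Wireshark text export into per-port destination sweeps.

Added example for the DShield thread, not the poster's or DShield's own code.
"""
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample modelled on the lines quoted in the post; 10.0.0.5 is a
# placeholder for the source the poster left out.
SAMPLE_CAPTURE = """\
1 0.000000 10.0.0.5 192.27.50.87 UDP source port: 3036 destination port: 38293
2 0.000028 10.0.0.5 192.27.50.87 UDP source port: 3036 destination port: 38293
3 0.000082 10.0.0.5 192.27.50.88 UDP source port: 3036 destination port: 38293
4 0.052513 10.0.0.5 192.27.50.89 UDP source port: 3036 destination port: 38293
5 0.763026 10.0.0.5 192.177.188.90 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
6 0.763050 10.0.0.5 192.177.188.90 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
7 0.763118 10.0.0.5 192.177.188.91 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
8 0.763127 10.0.0.5 192.177.188.89 TCP 22560 > epmap [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
"""

UDP_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+UDP\s+"
    r"source port:\s*(?P<sport>\d+)\s+destination port:\s*(?P<dport>\d+)")
TCP_RE = re.compile(
    r"^\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[A-Z, ]+)\]")

# Ethereal prints service names for well-known ports; epmap is TCP 135 (DCE RPC endpoint mapper).
SERVICE_PORTS = {"epmap": 135}


def parse_line(line):
    """Return a record for one UDP or TCP summary line, or None if it is not one."""
    m = UDP_RE.match(line)
    if m:
        return {"proto": "UDP", "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": int(m["dport"]), "flags": ""}
    m = TCP_RE.match(line)
    if m:
        tok = m["dport"]
        dport = int(tok) if tok.isdigit() else SERVICE_PORTS.get(tok)
        if dport is None:          # unknown service name: skip rather than guess
            return None
        return {"proto": "TCP", "src": m["src"], "dst": m["dst"],
                "sport": int(m["sport"]), "dport": dport, "flags": m["flags"]}
    return None


def parse_capture(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_sequential(hosts):
    """True if the hosts are one contiguous run of last octets inside a single /24.
    Order is ignored, since the post sees .90 .91 .89 .92 rather than strict ascending order."""
    addrs = sorted({int(IPv4Address(h)) for h in hosts})
    if len(addrs) < 2:
        return False
    same_net = len({a >> 8 for a in addrs}) == 1
    return same_net and addrs[-1] - addrs[0] == len(addrs) - 1


def summarise(records):
    """Group packets by (proto, dport): distinct destinations, packet count, SYN-only flag."""
    groups = defaultdict(lambda: {"hosts": set(), "packets": 0, "syn_only": True})
    for r in records:
        g = groups[(r["proto"], r["dport"])]
        g["hosts"].add(r["dst"])
        g["packets"] += 1
        if r["proto"] == "TCP" and r["flags"] != "SYN":
            g["syn_only"] = False
    out = {}
    for key, g in groups.items():
        hosts = sorted(g["hosts"], key=lambda h: int(IPv4Address(h)))
        out[key] = {"hosts": hosts, "packets": g["packets"],
                    "sequential": is_sequential(hosts),
                    "syn_only": g["syn_only"] if key[0] == "TCP" else None}
    return out


def classify(summary):
    """Triage label per sweep, from a defender's point of view."""
    findings = []
    for (proto, dport), g in sorted(summary.items()):
        if proto == "UDP" and dport == 38293:
            label = "nav-ce"        # NAV Corporate Edition client-to-parent port (per the reply)
        elif proto == "TCP" and dport == 135 and g["syn_only"] and g["sequential"]:
            label = "epmap-syn-sweep"  # SYN-only sweep of consecutive hosts: find the owning process
        else:
            label = "unclassified"
        findings.append({"proto": proto, "dport": dport, "hosts": len(g["hosts"]),
                         "packets": g["packets"], "sequential": g["sequential"], "label": label})
    return findings


if __name__ == "__main__":
    for f in classify(summarise(parse_capture(SAMPLE_CAPTURE))):
        print(f)
```

Run against a full export (replace SAMPLE_CAPTURE with the file's text) the output tells you, per port, whether you are looking at a handful of expected management destinations or a host-by-host sweep; in the post's case the UDP/38293 block is explained by the reply, while a SYN-only run across consecutive addresses on tcp/135 is the part to tie back to a process on the server.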
