[Dshield] Odd traffic at home

John Sage jsage at finchhaven.com
Thu Jan 1 16:42:02 GMT 2004

On Tue, Dec 30, 2003 at 09:52:29PM -0600, Ronnie & Stacy Clark wrote:
> From: "Ronnie & Stacy Clark" <rsclark at kingwoodcable.net>
> To: "General DShield Discussion List" <list at dshield.org>
> Date: Tue, 30 Dec 2003 21:52:29 -0600
> Subject: [Dshield] Odd traffic at home
> Hello all, 
> I was checking my firewall logs tonight, and I see an upturn in the
> amount of SubSeven probes, the usual Nachia / Welchia pings, and the
> tons of NetBios stuff. But what caught my eye was the traffic coming
> from to my outside interface. Anyone else seeing this kind
> of traffic? If anyone wants more packet information, let me know, I am
> running Snort and have full packet captures.
> Thanks,
> Ron Clark
> 12/30-16:33:25.128018 -> 24.aaa.bbb.ccc:1777
> 12/30-16:46:08.980772 -> 24.aaa.bbb.ccc:1920
> 12/30-16:57:11.461502 -> 24.aaa.bbb.ccc:1306

/* snip */

The "how" of this is far less mysterious than the "what does this

The output from:

nmap -sS -O -g 80 -D127.0.0.1 

done on one of my boxes locally yields:

08:23:47.047218 > S
  387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047218 > S
  387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047250 > R 0:0(0) ack
  387902156 win 0 (DF) (ttl 64, id 0)
08:23:47.047250 > R 0:0(0) ack
  1 win 0 (DF) (ttl 64, id 0) 

/* snip */

-g 80 sets the source port; -D127.0.0.1 sets the decoy source IP

Port 80 is a good candidate as a source port in that almost every/any
firewall in the universe will allow it, simply because of http traffic
(stateful versus stateless notwithstanding...).

The question is how the prober would receive any information back in
response; nmap suggests using a list of decoy addresses, thus adding
-D <decoy1 [,decoy2][,ME],...> where [ME] is an IP address accessible
to the prober.

- John
"Mad cow? You'd be mad too, if someone was trying to eat you."
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
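An added detection example, not code from the post or from the list: it parses tcpdump lines in the format John quotes and flags the decoy signature visible in his capture (two SYNs from different sources carrying the same ISN and IP ID), plus SYNs arriving from 127.0.0.1 or from source port 80. The addresses in the sample lines are constructed (the originals were stripped from the archive).

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the old tcpdump -v format quoted above.
# The real addresses were stripped from the post; these are test-net and
# loopback addresses standing in for the decoy (127.0.0.1), the true scanner
# (203.0.113.7) and the scanned host (192.0.2.10).
SAMPLE_LOG = """\
08:23:47.047218 127.0.0.1.80 > 192.0.2.10.1777: S 387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047218 203.0.113.7.80 > 192.0.2.10.1777: S 387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047250 192.0.2.10.1777 > 127.0.0.1.80: R 0:0(0) ack 387902156 win 0 (DF) (ttl 64, id 0)
08:23:47.047250 192.0.2.10.1777 > 203.0.113.7.80: R 0:0(0) ack 1 win 0 (DF) (ttl 64, id 0)
09:10:00.000000 198.51.100.5.44321 > 192.0.2.10.80: S 11111:11111(0) win 65535 (ttl 64, id 1)
"""

# Matches only SYN lines: "<ts> <src>.<sport> > <dst>.<dport>: S <seq>:<seq>(0) win N (ttl T, id I)"
SYN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S (?P<seq>\d+):\d+\(0\) "
    r"win \d+ .*?\(ttl (?P<ttl>\d+), id (?P<ipid>\d+)\)"
)

def parse_syns(text):
    """Return one dict per SYN line; RST/ACK lines are ignored."""
    syns = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "seq", "ttl", "ipid"):
                d[k] = int(d[k])
            syns.append(d)
    return syns

def find_decoy_groups(syns):
    """A genuine client chooses a fresh ISN and IP ID per connection, so several
    source IPs sharing ISN, IP ID, TTL and target at once point to a single
    scanner spraying decoys (as in the two identical SYNs in the post)."""
    groups = defaultdict(list)
    for s in syns:
        groups[(s["dst"], s["dport"], s["seq"], s["ipid"], s["ttl"])].append(s["src"])
    return {k: v for k, v in groups.items() if len(set(v)) > 1}

def spoofed_loopback(syns):
    """127/8 can never legitimately arrive on an outside interface."""
    return [s for s in syns if s["src"].startswith("127.")]

def syns_from_port_80(syns):
    """SYNs *from* port 80 to a high port: a web server replies, it does not dial out."""
    return [s for s in syns if s["sport"] == 80 and s["dport"] > 1023]

if __name__ == "__main__":
    syns = parse_syns(SAMPLE_LOG)
    for key, srcs in find_decoy_groups(syns).items():
        print("decoy set ->", key[0], "port", key[1], "sources", srcs)
    print("loopback spoofs:", [s["src"] for s in spoofed_loopback(syns)])
    print("SYNs from port 80:", [s["src"] for s in syns_from_port_80(syns)])
```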
