[Dshield] Odd traffic at home

John Sage jsage at finchhaven.com
Thu Jan 1 16:42:02 GMT 2004


On Tue, Dec 30, 2003 at 09:52:29PM -0600, Ronnie & Stacy Clark wrote:
> From: "Ronnie & Stacy Clark" <rsclark at kingwoodcable.net>
> To: "General DShield Discussion List" <list at dshield.org>
> Date: Tue, 30 Dec 2003 21:52:29 -0600
> Subject: [Dshield] Odd traffic at home
> 
> Hello all, 
> 
> I was checking my firewall logs tonight, and I see an upturn in the
> amount of SubSeven probes, the usual Nachia / Welchia pings, and the
> tons of NetBios stuff. But what caught my eye was the traffic coming
> from 127.0.0.1 to my outside interface. Anyone else seeing this kind
> of traffic? If anyone wants more packet information, let me know, I am
> running Snort and have full packet captures.
> 
> Thanks,
> Ron Clark
> 
> 12/30-16:33:25.128018 127.0.0.1:80 -> 24.aaa.bbb.ccc:1777
> 12/30-16:46:08.980772 127.0.0.1:80 -> 24.aaa.bbb.ccc:1920
> 12/30-16:57:11.461502 127.0.0.1:80 -> 24.aaa.bbb.ccc:1306

/* snip */

The "how" of this is far less mysterious than the "what does this
accomplish".


The output from:

nmap -sS -O -g 80 -D127.0.0.1 192.168.1.6 

done on one of my boxes locally yields:

08:23:47.047218 127.0.0.1.80 > 192.168.1.6.5405: S
  387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047218 127.0.0.1.80 > 192.168.1.6.5405: S
  387902155:387902155(0) win 3072 (ttl 38, id 12654)
08:23:47.047250 192.168.1.6.5405 > 192.168.1.6.80: R 0:0(0) ack
  387902156 win 0 (DF) (ttl 64, id 0)
08:23:47.047250 192.168.1.6.5405 > 192.168.1.6.80: R 0:0(0) ack
  1 win 0 (DF) (ttl 64, id 0) 

/* snip */


-g 80 sets the source port; -D127.0.0.1 sets the decoy source IP
address.


Port 80 is a good candidate as a source port in that almost every/any
firewall in the universe will allow it, simply because of http traffic
(stateful versus stateless notwithstanding...).


The question is how the prober would receive any information back in
response; nmap suggests using a list of decoy addresses, thus adding
-D <decoy1 [,decoy2][,ME],...> where [ME] is an IP address accessible
to the prober.



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
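As an added detection example, not code from either poster, the following Python scans log lines in the Snort-style format Ron posted and flags entries whose source address can never legitimately arrive on an external interface, such as the 127.0.0.1 decoy source John reproduces with nmap. The sample lines are constructed (the masked 24.aaa.bbb.ccc address is replaced with the documentation address 203.0.113.5), and the martian network list is an assumption to adapt per site.

```python
import ipaddress
import re

# Snort-style line as shown in the thread: "MM/DD-HH:MM:SS.usec SRC:SPORT -> DST:DPORT"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Source ranges that cannot legitimately appear on an outside interface
# (loopback, RFC 1918, link-local, "this" network). Assumed list; extend for your site.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
)]


def is_martian(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_NETS)


def parse_line(line):
    """Return a dict of fields for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flag_spoofed(lines):
    """Return (timestamp, 'src:port', reason) for each line with a martian source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_martian(rec["src"]):
            hits.append((rec["ts"], f'{rec["src"]}:{rec["sport"]}',
                         "martian source address on external interface"))
    return hits


# Constructed sample: the thread's three entries with the outside address replaced
# by 203.0.113.5, plus one ordinary SubSeven-port probe that should not be flagged.
SAMPLE_LOG = """\
12/30-16:33:25.128018 127.0.0.1:80 -> 203.0.113.5:1777
12/30-16:46:08.980772 127.0.0.1:80 -> 203.0.113.5:1920
12/30-16:57:11.461502 127.0.0.1:80 -> 203.0.113.5:1306
12/30-17:02:40.000001 198.51.100.23:2741 -> 203.0.113.5:27374
"""

if __name__ == "__main__":
    for hit in flag_spoofed(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Because the decoy source is the loopback address, any reply the probed host sends goes to itself (as the RST to 192.168.1.6.80 in John's tcpdump shows), so these entries are noise to the prober but a clean spoofing indicator for the defender.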



