[Dshield] seemingly random (ACK+RST) packets from 64.164.160.154:80

Chris Brenton cbrenton at chrisbrenton.org
Wed Mar 24 17:16:54 GMT 2004


On Wed, 2004-03-24 at 11:13, j.travis wrote:
>
> I am getting these seemingly random ACK+RST packets

There is no such thing as random, only chaos. ;-)

> The thing is that this machine
> (adsl-64-164-160-154.dsl.lsan03.pacbell.net) belongs to my DSL provider
> (pacbell.net/SBC) so I am thinking there must be a logical explanation
> for this behavior.

Based on the name I would guess this is a Pacbell DSL client, not one of
Pacbell's systems.

> Mar 23 12:48:10 psinode kernel: WATCH! :IN=eth0 OUT=
> MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
> DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=39133 PROTO=TCP
> SPT=80 DPT=1084 WINDOW=0 RES=0x00 ACK RST URGP=0
> 
> Mar 23 12:51:19 psinode kernel: WATCH! :IN=eth0 OUT=
> MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
> DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=2513 PROTO=TCP
> SPT=80 DPT=1315 WINDOW=0 RES=0x00 ACK RST URGP=0
> 
> Mar 23 12:59:14 psinode kernel: WATCH! :IN=eth0 OUT=
> MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154
> DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=10381 PROTO=TCP
> SPT=80 DPT=1471 WINDOW=0 RES=0x00 ACK RST URGP=0

At first glance I would guess that someone is attempting to SYN flood
64.164.160.154 but just has not figured out that 80/TCP is not an open
port on that system.

A few things in the trace trouble me however. The TTL is 117, which
would imply a Windows box sitting 11 hops away from you. The IP IDs are
random, however, and every Windows OS I've ever looked at uses predictable
IP IDs (increments of +1, +2 and +256).

Do you only have 1 IP or multiple? If multiple, is this happening with
more than one of your IP addresses? 

It's not a sweep or a scan and the packets look pretty legit, so I don't
think it's a covert channel. The IP ID vs. TTL thing bugs me though.

HTH,
Chris
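As an added example, not part of the original post or of Chris's reply, the
Python below parses netfilter/iptables LOG lines of the kind quoted above and
mechanises the two checks the reply reasons through: the hop-count inference
from the observed TTL (117 against a conventional initial TTL of 128 gives 11
hops) and the test of whether the IP IDs step like a counter or look random.
It also confirms the "closed-port reply" shape of the packets (RST+ACK, zero
window, constant source port, varying ephemeral destination port), which is
what you would expect if the logged host is answering SYNs it never received
from you, i.e. backscatter from someone spoofing your address. The sample
lines are the three quoted in the post; the initial-TTL table and the
`max_step` tolerance are assumptions of this example, not values from the
thread.

```python
"""Triage unsolicited RST/ACK packets from a netfilter LOG trace.

Added example, not code from the original post or reply.  Heuristics only:
TTL-to-OS mapping and the IP ID step test are inferences, not proof.
"""
import re

# Assumption: conventional default initial TTLs (64 for Linux/BSD, 128 for
# Windows, 255 for some network gear).  Mapping a TTL to an OS is a heuristic.
INITIAL_TTLS = (64, 128, 255)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")

# The three LOG lines quoted in the post (same values as shown there).
SAMPLE_LINES = [
    "Mar 23 12:48:10 psinode kernel: WATCH! :IN=eth0 OUT= "
    "MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154 "
    "DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=39133 PROTO=TCP "
    "SPT=80 DPT=1084 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Mar 23 12:51:19 psinode kernel: WATCH! :IN=eth0 OUT= "
    "MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154 "
    "DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=2513 PROTO=TCP "
    "SPT=80 DPT=1315 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Mar 23 12:59:14 psinode kernel: WATCH! :IN=eth0 OUT= "
    "MAC=00:10:4b:c5:6b:65:00:10:67:00:b6:0e:08:00 SRC=64.164.160.154 "
    "DST=64.164.208.163 LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=10381 PROTO=TCP "
    "SPT=80 DPT=1471 WINDOW=0 RES=0x00 ACK RST URGP=0",
]


def parse_netfilter_line(line):
    """Extract the fields we care about from one netfilter LOG line."""
    kv = dict(KV_RE.findall(line))
    return {
        "src": kv["SRC"], "dst": kv["DST"],
        "ttl": int(kv["TTL"]), "ipid": int(kv["ID"]),
        "spt": int(kv["SPT"]), "dpt": int(kv["DPT"]),
        "window": int(kv["WINDOW"]),
        # TCP flags are logged as bare tokens (ACK RST ...) after RES=.
        "flags": frozenset(tok for tok in line.split() if tok in TCP_FLAGS),
    }


def infer_hops(ttl):
    """Smallest conventional initial TTL >= observed TTL, and the implied hop count."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds every known initial TTL")


def is_closed_port_reply(pkt):
    """RST+ACK with a zero window is what a host returns for a SYN to a closed port."""
    return pkt["flags"] == frozenset({"ACK", "RST"}) and pkt["window"] == 0


def ipid_deltas(ipids):
    """Successive IP ID differences, modulo the 16-bit field width."""
    return [(b - a) % 65536 for a, b in zip(ipids, ipids[1:])]


def ipid_looks_sequential(ipids, max_step=1024):
    """True when every step is a small positive increment.

    A counter advancing by +1/+2/+256 per packet stays within max_step over
    closely spaced packets; max_step is an assumed tolerance, not a standard.
    """
    deltas = ipid_deltas(ipids)
    return bool(deltas) and all(0 < d <= max_step for d in deltas)


def triage(lines):
    """Run all checks over a batch of LOG lines and return a summary dict."""
    pkts = [parse_netfilter_line(line) for line in lines]
    initial, hops = infer_hops(pkts[0]["ttl"])
    ipids = [p["ipid"] for p in pkts]
    sequential = ipid_looks_sequential(ipids)
    return {
        "src": sorted({p["src"] for p in pkts}),
        # Closed-port replies from one fixed source port to varying client ports.
        "backscatter_shape": (all(is_closed_port_reply(p) for p in pkts)
                              and len({p["spt"] for p in pkts}) == 1
                              and len({p["dpt"] for p in pkts}) == len(pkts)),
        "initial_ttl": initial,
        "hops": hops,
        "ipid_deltas": ipid_deltas(ipids),
        "ipid_sequential": sequential,
        # The discrepancy the reply flags: a 128-TTL host whose IDs do not step like a counter.
        "ttl_ipid_conflict": initial == 128 and not sequential,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the quoted lines this reports initial_ttl 128, 11 hops, IP ID deltas of
28916 and 7868, and so a TTL/IP ID conflict. Treat that with the caution the
reply itself shows: three packets spread over eleven minutes are thin
evidence, since a busy host with a per-packet counter can advance its IP ID
by thousands in that time. The step test is decisive only on packets logged
within a second or two of each other, so capturing a denser sample (or
replying to the source with a packet of your own and watching its ID) is the
natural next step.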