[Dshield] Odd firewall entry: syn/ack from nameserver on irc port

TRushing@hollandco.com
Tue Aug 9 16:46:56 GMT 2005


These two entries in my firewall were somewhat alarming because the 
SYN/ACK would seem to imply that my machine was making an outbound 
connection to an irc channel and to a website.

Aug  8 20:37:57 asgard pppoe[2977]: Bad TCP checksum 6a38
Aug  8 20:37:57 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=6667 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Aug  8 20:38:37 asgard pppoe[2977]: Bad TCP checksum a9c0
Aug  8 20:38:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 

However, when I look at the dshield port report for 67.19.235.228, I see 
that there are a ton of records with a source port of 6667 and destination 
ports of 1024 and 3072.  Presumably any reports coming in to dshield with 
a source port of 80 have been dropped.

67.19.235.228 is listed as ns2.1site.net and responds to dns queries for 
1site.net.  However, ns2.1site.net is listed as 67.19.209.106.

67.19.235.228 is listed as a nameserver.  The really odd thing about my ip 
is that it would not be the one used for outbound traffic.  I have 8 
statics on a home dsl account.  The IP listed is for a webserver.  Other 
firewall rules should have forced a different IP if it were my machine 
doing the outbound attempt. 

I'm seeing nothing else in the logs anywhere  (Though, of course, if I 
have been owned, then the logs are unreliable.)  There was no activity on 
the webserver before or after that for some time.  The webserver has no 
active content--just a few static pages. 

It's odd that pppoe lists a bad TCP checksum for each packet and that each 
packet had the same ID.  Dshield shows activity to destination ports 1024 
and 3072.  The incidents list noted similar activity in Dec 2000 (see 
http://seclists.org/lists/incidents/2000/Dec/0166.html ) that turned out 
to be cruft from a DDOS attack on the dal.net IRC servers:

>
>We've been seeing lots of scans of ip's in our address space with the 
>destination ports of 1024 and 3072. They are always paired like that, 
>although they don't hit the same ip on both ports, as far as I can tell. 
>The source ports are most often typical irc server ports (6667 and 6668) 
>but sometimes they sourced from ports 80 and 7325. 
>

Could this be the same DDOS tool 5 years later?  It's using the same 
destination ports and possibly the same source ports.  If so, why the bad 
checksum? 

Or, should I make a much more involved search of my box?

          ---Tim Rushing
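As an added example (not part of Tim's post or of any Dshield tooling), here is a small Python parser for iptables LOG lines of the kind shown above. It flags SYN/ACKs that the INPUT chain dropped and summarises what the post checked by hand: the source address, the reused IP ID, the service-looking source ports and the 1024/3072 destination ports. It assumes the INPUT drop rule sits behind an ESTABLISHED/RELATED accept, so a dropped SYN/ACK belongs to no connection the host itself opened; the third sample line is a constructed ordinary inbound SYN added for contrast.

```python
from collections import Counter

# The two "IPT INPUT packet died" lines from the post, plus one constructed
# ordinary inbound SYN (198.51.100.7 is a documentation address) for contrast.
SAMPLE_LOG = """\
Aug  8 20:37:57 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF PROTO=TCP SPT=6667 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Aug  8 20:38:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Aug  8 21:02:11 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=a.b.c.76 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4411 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ipt_line(line):
    """Split one iptables LOG line into its KEY=VALUE fields plus a 'flags' set."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val          # OUT= and MAC= simply map to ""
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = flags
    return fields

def classify(rec):
    """Label a dropped INPUT packet (assumed: no tracked connection claimed it)."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    if rec["flags"] == {"SYN", "ACK"}:
        # Second half of a handshake this host never began: the classic shape of
        # backscatter from a flood whose spoofed source address happened to be ours.
        return "unsolicited-synack"
    return "inbound-syn" if rec["flags"] == {"SYN"} else "other"

def summarize_backscatter(log_text):
    """Return what the post's author checked by hand: sources, ports, reused IP IDs."""
    recs = [parse_ipt_line(l) for l in log_text.splitlines() if "IPT INPUT" in l]
    synacks = [r for r in recs if classify(r) == "unsolicited-synack"]
    ip_ids = Counter((r["SRC"], r["ID"]) for r in synacks)
    return {
        "synack_count": len(synacks),
        "by_src": dict(Counter(r["SRC"] for r in synacks)),
        "reused_ip_id": {k: n for k, n in ip_ids.items() if n > 1},
        "src_ports": sorted({r["SPT"] for r in synacks}, key=int),
        "dst_ports": sorted({r["DPT"] for r in synacks}, key=int),
    }

if __name__ == "__main__":
    print(summarize_backscatter(SAMPLE_LOG))
```

A reused IP ID across packets to different ports, paired with service source ports, points at a sender that never built a real connection; a genuinely compromised host replying to a real IRC server would show a matching outbound SYN earlier in the same logs.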

