[Dshield] DDOS packet signature?

TRushing@hollandco.com
Wed Aug 10 02:54:26 GMT 2005


Following up on my two odd packets, I've gone back through my logs and my 
box, and I do not think it is something on my box.  I think I'm seeing 
crafted packets, but I'm not sure to what purpose.

I am seeing an odd pattern of packets from a number of different sources. 
The two I posted earlier were from theplanet.com ip addresses, but most 
earlier ones were from ev1.net addresses with a few others tossed in the 
mix.

My Linux pppoe flagged every one as having a bad TCP checksum.  Every one 
has an IP ID of 766.  That combined with the bad checksum indicates a 
(poorly) crafted packet.  Every packet had SYN/ACK flags.

Destination port on my machine was always either 1024 or 3072.  Source 
ports were 22, 53, 80, 6667 and 6668.

Picking an ev1.net machine that came back repeatedly on 24 to 25 July, I 
notice that dshield currently shows 

Total Records against IP: 110232
Number of targets:        57979
Date Range:               2005-07-24 to 2005-07-26

and a series of packets from port 80 to port 1024 or port 3072.  (The 
dshield records are not showing any port 53 attempts in the first few 
pages of records.)

http://www.dshield.org/ipdetails.php?ip=067.015.021.103

If the December 2000 discussion was correct and those packets were a part 
of a DDOS, then it seems likely that is what I am seeing here.  Someone is 
spoofing packets to get me and others to issue an RST back at the DDOS 
target.  However, I'm not seeing many packets like that.

If it is DDOS, then the ID 766, target port 1024 or 3072, and bad TCP 
checksum should make them pretty easy to identify in real time.  Given 
that the checksum is bad, I'm not sure I really want to run a packet 
capture, though if anyone else does and captures some of these, I'd be 
curious if you find anything.

Logs follow.  I have a /29 from SBC DSL that goes from a.b.c.72 to 
a.b.c.79.  Technically 79 would be the broadcast address, but all 8 ips 
are grabbed by one box and NAT'd accordingly.  76 is a webserver and under 
normal circumstances most outbound packets originating from me would go 
out 78.  They did not hit every IP address.  Curiously, they did not hit a 
mail server at 75.

Aug  8 20:37:57 asgard pppoe[2977]: Bad TCP checksum 6a38
Aug  8 20:37:57 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=6667 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Aug  8 20:38:37 asgard pppoe[2977]: Bad TCP checksum a9c0
Aug  8 20:38:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Aug  4 01:17:37 asgard pppoe[19847]: Bad TCP checksum f646
Aug  4 01:17:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=207.44.226.28 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=22 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Aug  4 03:20:33 asgard pppoe[19847]: Bad TCP checksum d94e
Aug  4 03:20:33 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=207.44.234.18 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 21:07:35 asgard pppoe[1818]: Bad TCP checksum 7bbb
Jul 24 21:07:35 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.77 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 21:17:17 asgard pppoe[1818]: Bad TCP checksum aa0
Jul 24 21:17:17 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:06:59 asgard pppoe[1818]: Bad TCP checksum 3927
Jul 24 23:06:59 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:07:14 asgard pppoe[1818]: Bad TCP checksum 3927
Jul 24 23:07:14 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:17:47 asgard pppoe[1818]: Bad TCP checksum 8dfa
Jul 24 23:17:47 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:17:48 asgard pppoe[1818]: Bad TCP checksum 8dfa
Jul 24 23:17:48 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:23:52 asgard pppoe[1818]: Bad TCP checksum fb77
Jul 24 23:23:52 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.77 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=53 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:23:53 asgard pppoe[1818]: Bad TCP checksum fb77
Jul 24 23:23:53 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.77 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:53:08 asgard pppoe[1818]: Bad TCP checksum 8fda
Jul 24 23:53:08 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 23:53:16 asgard pppoe[1818]: Bad TCP checksum 8fda
Jul 24 23:53:16 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 00:49:25 asgard pppoe[1818]: Bad TCP checksum 7532
Jul 25 00:49:25 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 00:49:29 asgard pppoe[1818]: Bad TCP checksum 7532
Jul 25 00:49:29 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 02:10:26 asgard pppoe[1818]: Bad TCP checksum e0f8
Jul 25 02:10:26 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=53 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 02:10:38 asgard pppoe[1818]: Bad TCP checksum e0f8
Jul 25 02:10:38 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 08:02:47 asgard pppoe[1818]: Bad TCP checksum 8962
Jul 25 08:02:47 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.73 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 11:15:37 asgard pppoe[1818]: Bad TCP checksum 124d
Jul 25 11:15:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 25 12:32:56 asgard pppoe[1818]: Bad TCP checksum 8c2b
Jul 25 12:32:56 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=67.15.21.103 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 18 04:42:24 asgard pppoe[29101]: Bad TCP checksum f27f
Jul 18 04:42:24 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=66.98.160.157 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF 
PROTO=TCP SPT=53 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 00:33:48 asgard pppoe[1818]: Bad TCP checksum b1e
Jul 24 00:33:48 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=66.98.160.156 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 24 00:36:56 asgard pppoe[1818]: Bad TCP checksum 23ac
Jul 24 00:36:56 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=66.98.160.156 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=105 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 11 17:21:28 asgard pppoe[20070]: Bad TCP checksum d258
Jul 11 17:21:28 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.36.74 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=6668 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 11 18:57:41 asgard pppoe[20070]: Bad TCP checksum 2c18
Jul 11 18:57:41 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.36.74 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=766 DF 
PROTO=TCP SPT=6668 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 12 11:30:23 asgard pppoe[30631]: Bad TCP checksum f767
Jul 12 11:30:23 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.0.103 DST=a.b.c.72 LEN=48 TOS=0x00 PREC=0x00 TTL=99 ID=766 DF 
PROTO=TCP SPT=22 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 12 11:35:47 asgard pppoe[30631]: Bad TCP checksum 161e
Jul 12 11:35:47 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.0.103 DST=a.b.c.79 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=766 DF 
PROTO=TCP SPT=22 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 12 11:55:35 asgard pppoe[30631]: Bad TCP checksum c2e9
Jul 12 11:55:35 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.0.103 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=101 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
Jul 12 12:08:48 asgard pppoe[30631]: Bad TCP checksum 608f
Jul 12 12:08:48 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= 
SRC=64.246.0.103 DST=a.b.c.78 LEN=48 TOS=0x00 PREC=0x00 TTL=99 ID=766 DF 
PROTO=TCP SPT=80 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0 
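The signature the post describes (IP ID 766, destination port 1024 or 3072, SYN+ACK set, and a pppoe "Bad TCP checksum" warning logged in the same second) can be matched directly against the syslog lines above. The following script is an added example, not code from the post or from DShield: it parses the iptables LOG key=value format and the pppoe warning format exactly as they appear in the post, pairs a warning with the kernel record that follows it when the timestamps are equal (an assumption about how the two daemons interleave, not something the post states), and reports the records that fit. The first two pppoe/kernel pairs in the embedded sample are taken from the post and re-joined onto single lines; the final kernel line is a constructed benign SYN used as a negative control.

```python
import re

# Constructed sample: the first two pppoe/kernel pairs are lines from the post,
# re-joined onto one physical line each (iptables logs them that way; the mail
# archive wrapped them).  The last kernel line is invented as a negative control:
# an ordinary SYN to port 1024 with a different IP ID and no checksum warning.
SAMPLE_LOG = """\
Aug  8 20:37:57 asgard pppoe[2977]: Bad TCP checksum 6a38
Aug  8 20:37:57 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF PROTO=TCP SPT=6667 DPT=1024 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Aug  8 20:38:37 asgard pppoe[2977]: Bad TCP checksum a9c0
Aug  8 20:38:37 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=67.19.235.228 DST=a.b.c.76 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=766 DF PROTO=TCP SPT=80 DPT=3072 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Aug  8 20:40:01 asgard kernel: IPT INPUT packet died: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=a.b.c.76 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=31337 DF PROTO=TCP SPT=44122 DPT=1024 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Mon DD HH:MM:SS host prog[pid]: message" as written by classic syslog.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)(?:\[\d+\])?: (?P<msg>.*)$")
CHECKSUM_RE = re.compile(r"^Bad TCP checksum (?P<sum>[0-9a-f]+)$")

# The constants the post singles out as the signature.
SIGNATURE_ID = 766
SIGNATURE_DPTS = {1024, 3072}


def parse_syslog(line):
    """Split one syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def parse_ipt_fields(msg):
    """Turn an iptables LOG message into a dict of KEY=value fields plus a
    'flags' set holding the bare tokens (DF, SYN, ACK, RST, ...).
    The free-text log prefix before the first IN= token is skipped."""
    toks = msg.split()
    start = next((i for i, t in enumerate(toks) if t.startswith("IN=")), None)
    if start is None:
        return None
    fields, flags = {}, set()
    for tok in toks[start:]:
        if "=" in tok:
            k, v = tok.split("=", 1)   # OUT= and MAC= may be empty
            fields[k] = v
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def matches_signature(fields):
    """True for a TCP SYN+ACK with IP ID 766 aimed at port 1024 or 3072."""
    if fields is None or fields.get("PROTO") != "TCP":
        return False
    try:
        ip_id, dpt = int(fields.get("ID", -1)), int(fields.get("DPT", -1))
    except ValueError:
        return False
    flags = fields["flags"]
    return (ip_id == SIGNATURE_ID and dpt in SIGNATURE_DPTS
            and {"SYN", "ACK"} <= flags and "RST" not in flags)


def find_backscatter(log_text):
    """Walk the log in order, remembering the last pppoe checksum warning so it
    can be attached to the kernel record logged in the same second (assumed
    pairing).  Returns one dict per record that matches the signature."""
    hits, pending = [], None   # pending = (timestamp, checksum) of last warning
    for line in log_text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        if rec["prog"] == "pppoe":
            cm = CHECKSUM_RE.match(rec["msg"])
            if cm:
                pending = (rec["ts"], cm.group("sum"))
            continue
        if rec["prog"] != "kernel":
            continue
        fields = parse_ipt_fields(rec["msg"])
        bad_sum = pending is not None and pending[0] == rec["ts"]
        checksum = pending[1] if bad_sum else None
        pending = None             # a warning is consumed by the next packet
        if matches_signature(fields):
            hits.append({"ts": rec["ts"], "src": fields["SRC"], "dst": fields["DST"],
                         "spt": int(fields["SPT"]), "dpt": int(fields["DPT"]),
                         "ttl": int(fields["TTL"]), "bad_checksum": bad_sum,
                         "checksum": checksum})
    return hits


def summarize(hits):
    """Count matching packets per source address."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_backscatter(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]}:{h["spt"]} -> {h["dst"]}:{h["dpt"]} '
              f'ttl={h["ttl"]} bad_checksum={h["bad_checksum"]}')
    print(summarize(find_backscatter(SAMPLE_LOG)))
```

Run against a real /var/log/messages, the per-source counts from summarize() are the thing to compare with the DShield IP report quoted above. Pairing the checksum warning by timestamp is deliberately loose: two different packets logged in the same second would be attributed the same warning, so treat bad_checksum as corroboration rather than as the primary match condition (the IP ID, port and flag test already excludes ordinary traffic such as the constructed control line).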

