Strange packets to random addresses in our network

Russell Fulton r.fulton at auckland.ac.nz
Sun Dec 28 21:46:53 GMT 2003


Hi All,
Compliments of the Season to All. I have a holiday puzzle for you :)
This is being sent to abuse at rackspace.com as well as the unisog mailing
list.

About a week ago we started seeing a steady trickle (1100 over the last
3 days) of these packets hitting our network.  The source address is always
the same (69.20.46.210), as is the source port (443); the destination port and
address appear to be random.

Below is a snort capture of one of the packets; note the options field, which
is why snort is flagging them:

Generated by ACID v0.9.6b23 on Mon, 29 Dec 2003 10:17:53 +1300

------------------------------------------------------------------------------
#(1 - 2685007) [2003-12-27 16:07:05] [snort/58]  snort_decoder: Experimental TCP options
IPv4: 69.20.46.210 -> 130.216.161.170
      hlen=5 TOS=0 dlen=60 ID=13798 flags=0 offset=0 TTL=49 chksum=47981
TCP:  port=443 -> dport: 28276  flags=***A**** seq=891211357
      ack=3550106095 off=10 res=0 win=0 urp=0 chksum=49663
      Options:
       #1 - 19 len=18 data=03FBE58DFD66F6502F45AEE88A22FDB0
       #2 - EOL len=0
Payload: none

Argus logs show a single ACK packet being sent to each dest address/port:

29 Dec 03 08:09:19           tcp    69.20.46.210.443    ?>   130.216.185.103.58895 1        0         0            0           A_
29 Dec 03 08:15:23           tcp    69.20.46.210.443    ?>    130.216.31.103.13138 1        0         0            0           A_
29 Dec 03 08:23:48           tcp    69.20.46.210.443    ?>   130.216.246.115.24633 1        0         0            0           A_
29 Dec 03 08:25:28           tcp    69.20.46.210.443    ?>    130.216.231.37.37780 1        0         0            0           A_
29 Dec 03 08:25:34           tcp    69.20.46.210.443    ?>    130.216.93.189.47245 1        0         0            0           A_
29 Dec 03 08:26:29           tcp    69.20.46.210.443    ?>   130.216.103.224.64624 1        0         0            0           A_
29 Dec 03 08:29:00           tcp    69.20.46.210.443    ?>      130.216.9.91.25136 1        0         0            0           A_
29 Dec 03 08:30:10           tcp    69.20.46.210.443    ?>    130.216.31.121.7218  1        0         0            0           A_
29 Dec 03 08:39:24           tcp    69.20.46.210.443    ?>   130.216.137.107.39560 1        0         0            0           A_
29 Dec 03 08:40:03           tcp    69.20.46.210.443    ?>    130.216.33.121.20171 1        0         0            0           A_
29 Dec 03 08:41:03           tcp    69.20.46.210.443    ?>   130.216.207.216.54554 1        0         0            0           A_
29 Dec 03 08:41:56           tcp    69.20.46.210.443    ?>   130.216.251.145.44597 1        0         0            0           A_
29 Dec 03 08:43:17           tcp    69.20.46.210.443    ?>   130.216.129.208.48338 1        0         0            0           A_
29 Dec 03 08:44:04      I    tcp    69.20.46.210.443    ?>    130.216.38.111.4145  1        0         0            0           A_

There is no other traffic to or from our network involving 69.20.46.0/24.

I doubt that this is malicious; my first thought was that it might be fallout
from a DoS on 69.20.46.210, but it has been going on for a week now, so
that seems unlikely.

Any ideas?

Rackspace: Would you please investigate this issue? As I said, I don't
think the traffic is malicious, but your customer does appear to have
problems of some kind.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
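An added example, not code from the post or from the unisog list: it rebuilds the 40-byte TCP header from the field values in the ACID record above (a constructed sample), walks the option TLVs to show that the option snort prints as "19 len=18" is kind 19, the RFC 2385 TCP MD5 signature option, and then counts per-source fan-out of ACK-only flows over constructed Argus-style lines laid out like the log above, which is the pattern worth alerting on rather than any single packet. The flow-line layout and the "A_" state string are assumed to match the excerpt; the ordinary fourth flow and its addresses are invented.

```python
import re
import struct
from collections import defaultdict
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACKperm", 5: "SACK",
             8: "Timestamp", 19: "MD5sig (RFC 2385)"}

def build_sample_header():
    """Constructed 40-byte TCP header rebuilt from the field values in the ACID record."""
    opts = bytes([19, 18]) + bytes.fromhex("03FBE58DFD66F6502F45AEE88A22FDB0")
    opts += b"\x00" * (40 - 20 - len(opts))     # EOL plus padding up to off=10 (40 bytes)
    off_res_flags = (10 << 12) | 0x10           # data offset 10 words, ACK flag only
    fixed = struct.pack("!HHIIHHHH", 443, 28276, 891211357, 3550106095,
                        off_res_flags, 0, 49663, 0)   # win=0, chksum, urp=0
    return fixed + opts

def parse_tcp_options(hdr):
    """Walk the option TLVs after the 20-byte fixed header; returns [(kind, name, data)]."""
    doff = (hdr[12] >> 4) * 4
    i, out = 20, []
    while i < doff:
        kind = hdr[i]
        if kind == 0:                           # EOL ends the option list
            out.append((0, "EOL", b"")); break
        if kind == 1:                           # NOP has no length byte
            out.append((1, "NOP", b"")); i += 1; continue
        if i + 1 >= doff or hdr[i + 1] < 2 or i + hdr[i + 1] > doff:
            raise ValueError("malformed option at offset %d" % i)
        ln = hdr[i + 1]
        out.append((kind, OPT_NAMES.get(kind, "unknown"), hdr[i + 2:i + ln]))
        i += ln
    return out

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s.*?(\S+)$")

def lone_ack_fanout(lines, min_targets=3):
    """Distinct dst addr/port pairs per source among ACK-only ('A_') Argus flows."""
    seen = defaultdict(set)
    for ln in lines:
        m = FLOW_RE.search(ln.strip())
        if m and m.group(5) == "A_":
            seen[(m.group(1), m.group(2))].add((m.group(3), m.group(4)))
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= min_targets}
# Constructed Argus-style lines in the post's layout: three stray ACKs plus one ordinary flow.
SAMPLE_FLOWS = [
    "29 Dec 03 08:09:19  tcp  69.20.46.210.443  ?>  130.216.185.103.58895 1 0 0 0  A_",
    "29 Dec 03 08:15:23  tcp  69.20.46.210.443  ?>  130.216.31.103.13138  1 0 0 0  A_",
    "29 Dec 03 08:44:04  I  tcp  69.20.46.210.443  ?>  130.216.38.111.4145  1 0 0 0  A_",
    "29 Dec 03 08:20:00  tcp  130.216.1.1.40001  ->  198.51.100.7.80  12 9 1800 3000  sSEfF",
]
```

Running `parse_tcp_options(build_sample_header())` yields the kind 19 option with its 16 data bytes followed by EOL, matching the two entries snort printed, and `lone_ack_fanout(SAMPLE_FLOWS)` reports only 69.20.46.210:443.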
