[unisog] Strange packets to random addresses in our network

Peter Van Epp vanepp at sfu.ca
Mon Dec 29 02:24:03 GMT 2003


Once I looked I'm seeing them too. They are hitting pretty much all the
ranges we own (a B and a number of Cs) so I expect it's hitting the whole net
more or less at random. I've seen 5 hits in the last 10 minutes and many more
when I scanned the log from 06:30 this morning.

28 Dec 03 18:00:29    tcp    69.20.46.210.443    ?>      206.12.30.22.13754 1        0         74           0           TIM
28 Dec 03 18:00:53    tcp    69.20.46.210.443    ?>     142.58.248.87.26500 1        0         74           0           TIM
28 Dec 03 18:05:38    tcp    69.20.46.210.443    ?>     142.58.44.108.38322 1        0         74           0           TIM
28 Dec 03 18:07:17    tcp    69.20.46.210.443    ?>     142.58.197.19.58966 1        0         74           0           TIM
28 Dec 03 18:18:20    tcp    69.20.46.210.443    ?>    142.58.188.136.26357 1        0         74           0           TIM

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada



On Mon, Dec 29, 2003 at 10:46:53AM +1300, Russell Fulton wrote:
> Hi All,
> 	Compliments of the Season to All. I have a holiday puzzle for you :)
> This is being sent to abuse at rackspace.com as well as the unisog mailing
> list.
> 
> About a week ago we started seeing a steady trickle (1100 over the last
> 3 days) of these packets hitting our network. The source address is always
> the same (69.20.46.210), as is the source port (443); destination port and
> address appear to be random.
> 
> Below is a snort capture of one packet; note the options field, which
> is why snort is flagging them:
> 
> Generated by ACID v0.9.6b23 on Mon, 29 Dec 2003 10:17:53 +1300
> 
> ------------------------------------------------------------------------------
> #(1 - 2685007) [2003-12-27 16:07:05] [snort/58]  snort_decoder: Experimental TCP options
> IPv4: 69.20.46.210 -> 130.216.161.170
>       hlen=5 TOS=0 dlen=60 ID=13798 flags=0 offset=0 TTL=49 chksum=47981
> TCP:  port=443 -> dport: 28276  flags=***A**** seq=891211357
>       ack=3550106095 off=10 res=0 win=0 urp=0 chksum=49663
>       Options:
>        #1 - 19 len=18 data=03FBE58DFD66F6502F45AEE88A22FDB0
>        #2 - EOL len=0
> Payload: none
> 
> Argus logs show a single ACK packet being sent to each dest address/port:
> 
> 29 Dec 03 08:09:19           tcp    69.20.46.210.443    ?>   130.216.185.103.58895 1        0         0            0           A_
> 29 Dec 03 08:15:23           tcp    69.20.46.210.443    ?>    130.216.31.103.13138 1        0         0            0           A_
> 29 Dec 03 08:23:48           tcp    69.20.46.210.443    ?>   130.216.246.115.24633 1        0         0            0           A_
> 29 Dec 03 08:25:28           tcp    69.20.46.210.443    ?>    130.216.231.37.37780 1        0         0            0           A_
> 29 Dec 03 08:25:34           tcp    69.20.46.210.443    ?>    130.216.93.189.47245 1        0         0            0           A_
> 29 Dec 03 08:26:29           tcp    69.20.46.210.443    ?>   130.216.103.224.64624 1        0         0            0           A_
> 29 Dec 03 08:29:00           tcp    69.20.46.210.443    ?>      130.216.9.91.25136 1        0         0            0           A_
> 29 Dec 03 08:30:10           tcp    69.20.46.210.443    ?>    130.216.31.121.7218  1        0         0            0           A_
> 29 Dec 03 08:39:24           tcp    69.20.46.210.443    ?>   130.216.137.107.39560 1        0         0            0           A_
> 29 Dec 03 08:40:03           tcp    69.20.46.210.443    ?>    130.216.33.121.20171 1        0         0            0           A_
> 29 Dec 03 08:41:03           tcp    69.20.46.210.443    ?>   130.216.207.216.54554 1        0         0            0           A_
> 29 Dec 03 08:41:56           tcp    69.20.46.210.443    ?>   130.216.251.145.44597 1        0         0            0           A_
> 29 Dec 03 08:43:17           tcp    69.20.46.210.443    ?>   130.216.129.208.48338 1        0         0            0           A_
> 29 Dec 03 08:44:04      I    tcp    69.20.46.210.443    ?>    130.216.38.111.4145  1        0         0            0           A_
> 
> There is no other traffic to or from our network involving 69.20.46.0/24.
> 
> I doubt this is malicious; my first thought was that it might be fallout
> from a DoS on 69.20.46.210, but it has been going on for a week now so
> that seems unlikely.
> 
> Any ideas?
> 
> Rackspace: would you please investigate this issue? As I said, I don't
> think the traffic is malicious, but your customer does appear to have
> problems of some kind.
> 
> -- 
> Russell Fulton                                    /~\  The ASCII
> Network Security Officer                          \ /  Ribbon Campaign
> The University of Auckland                         X   Against HTML
> New Zealand                                       / \  Email!
> 
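
A quick way to pull this pattern out of argus output, as an added example that is not from either post: parse `ra` lines in the layout quoted above and report any source whose one-packet, no-reply TCP flows fan out across many destination hosts. The sample lines are copied from the two posts plus one invented ordinary flow for contrast; the column layout is assumed from the logs as quoted.

```python
import re
from collections import defaultdict

# Constructed sample: argus `ra` lines quoted in the two posts above plus one invented
# two-way web flow the detector should leave alone. One real line has an "I" in the
# optional flags column; the parser tolerates that column being present or absent.
ARGUS_LINES = """\
29 Dec 03 08:09:19           tcp    69.20.46.210.443    ?>   130.216.185.103.58895 1        0         0            0           A_
29 Dec 03 08:44:04      I    tcp    69.20.46.210.443    ?>    130.216.38.111.4145  1        0         0            0           A_
28 Dec 03 18:00:29    tcp    69.20.46.210.443    ?>      206.12.30.22.13754 1        0         74           0           TIM
28 Dec 03 18:10:00    tcp    142.58.1.10.34567    ->     130.216.1.1.80     12        9         1402       5210           FIN
"""

# Assumed `ra` columns, as shown above: start date and time, optional flags, proto,
# src addr.port, direction, dst addr.port, pkts and bytes each way, flow state.
LINE_RE = re.compile(
    r"^\d{2} \w{3} \d{2}\s+\d{2}:\d{2}:\d{2}\s+(?:[A-Za-z*]{1,8}\s+)?(?P<proto>[a-z]+)\s+"
    r"(?P<src>\S+)\s+\S+\s+(?P<dst>\S+)\s+(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+"
    r"\d+\s+\d+\s+(?P<state>\S+)\s*$"
)

def parse_argus(text):
    """One dict per parseable flow line; argus writes 'host.port', so split on the last dot."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src_host, src_port = m["src"].rsplit(".", 1)
        dst_host, dst_port = m["dst"].rsplit(".", 1)
        flows.append({"proto": m["proto"], "state": m["state"],
                      "src_host": src_host, "src_port": int(src_port),
                      "dst_host": dst_host, "dst_port": int(dst_port),
                      "spkts": int(m["spkts"]), "dpkts": int(m["dpkts"])})
    return flows

def find_unsolicited_senders(flows, min_targets=3):
    """Sources whose single-packet, zero-reply TCP flows hit >= min_targets distinct hosts."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["spkts"] == 1 and f["dpkts"] == 0:
            by_src[(f["src_host"], f["src_port"])].append(f)
    report = {}
    for (host, port), fl in by_src.items():
        dst_hosts = {f["dst_host"] for f in fl}
        if len(dst_hosts) >= min_targets:
            report[host] = {"src_port": port, "flows": len(fl), "dst_hosts": len(dst_hosts),
                            "dst_ports": len({f["dst_port"] for f in fl}),
                            "states": sorted({f["state"] for f in fl})}
    return report
```

Run against a real `ra` dump the same way; a source that keeps the same source port while the destination hosts and ports vary is exactly the signature both posts describe.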
