[unisog] Strange packets to random addresses in our network

Brian Eckman eckman at umn.edu
Mon Dec 29 15:34:39 GMT 2003


Russell,

Not much to add, as I pretty much came to the same conclusions as you. 
If their intent was malicious, I would think it would make more sense to 
fake Welchia/Nachi to get a list of who responds. Perhaps it is cheap 
advertising of their service?

I had first thought it might have been fallout from a SYN flood against them, 
but the packet has always been just an ACK and not a SYN ACK, which 
didn't make sense to me. Also, I'd say the TCP option doesn't fit that 
scenario either. IIRC, the option is supposedly an MD5 checksum, and the 
packet checksum is always wrong. There also seem to be gaps where the 
activity stopped, as I saw none of this activity during a recent 5+ hour 
stretch.

We've seen tens of thousands of these packets (approximately 50,000) 
over the past week. The source is also 69.20.46.210:443. The destination 
is random, as it jumps all over the three class Bs that I watch. The 
destination port is also random. On the 50 packets I am looking at right 
now, the destination port ranges from 435-65310, with it never being the 
same twice (in the 50 packet sample).

A manual, legitimate connection to the Web server on that port results 
in a SYN ACK with no MD5 option and a correct checksum.

None of the packets have been solicited - it's not like a bunch of hosts 
on my network are communicating with 69.20.46.210:443. The flows are 
strictly one way, with the exception of a few RST type responses.

I gave up looking into it; have bigger fish to fry at the moment. Just 
wanted to send a personal "thanks" for notifying the proper abuse team.

Brian

Russell Fulton wrote:
> Hi All,
> 	Compliments of the Season to All. I have a holiday puzzle for you :)
> This is being sent to abuse at rackspace.com as well as the unisog mailing
> list.
> 
> About a week ago we started seeing a steady trickle (1100 over the last
> 3 days) of these packets hitting our network. Source address is always
> the same (69.20.46.210), as is the source port (443); destination port and
> address appear to be random.
> 
> Below is a snort capture of one packet; note the options field, which
> is why snort is flagging them:
> 
> Generated by ACID v0.9.6b23 on Mon, 29 Dec 2003 10:17:53 +1300
> 
> ------------------------------------------------------------------------------
> #(1 - 2685007) [2003-12-27 16:07:05] [snort/58]  snort_decoder: Experimental TCP options
> IPv4: 69.20.46.210 -> 130.216.161.170
>       hlen=5 TOS=0 dlen=60 ID=13798 flags=0 offset=0 TTL=49 chksum=47981
> TCP:  port=443 -> dport: 28276  flags=***A**** seq=891211357
>       ack=3550106095 off=10 res=0 win=0 urp=0 chksum=49663
>       Options:
>        #1 - 19 len=18 data=03FBE58DFD66F6502F45AEE88A22FDB0
>        #2 - EOL len=0
> Payload: none
> 
> Argus logs show a single ACK packet being sent to each dest address/port:
> 
> 29 Dec 03 08:09:19           tcp    69.20.46.210.443    ?>   130.216.185.103.58895 1        0         0            0           A_
> 29 Dec 03 08:15:23           tcp    69.20.46.210.443    ?>    130.216.31.103.13138 1        0         0            0           A_
> 29 Dec 03 08:23:48           tcp    69.20.46.210.443    ?>   130.216.246.115.24633 1        0         0            0           A_
> 29 Dec 03 08:25:28           tcp    69.20.46.210.443    ?>    130.216.231.37.37780 1        0         0            0           A_
> 29 Dec 03 08:25:34           tcp    69.20.46.210.443    ?>    130.216.93.189.47245 1        0         0            0           A_
> 29 Dec 03 08:26:29           tcp    69.20.46.210.443    ?>   130.216.103.224.64624 1        0         0            0           A_
> 29 Dec 03 08:29:00           tcp    69.20.46.210.443    ?>      130.216.9.91.25136 1        0         0            0           A_
> 29 Dec 03 08:30:10           tcp    69.20.46.210.443    ?>    130.216.31.121.7218  1        0         0            0           A_
> 29 Dec 03 08:39:24           tcp    69.20.46.210.443    ?>   130.216.137.107.39560 1        0         0            0           A_
> 29 Dec 03 08:40:03           tcp    69.20.46.210.443    ?>    130.216.33.121.20171 1        0         0            0           A_
> 29 Dec 03 08:41:03           tcp    69.20.46.210.443    ?>   130.216.207.216.54554 1        0         0            0           A_
> 29 Dec 03 08:41:56           tcp    69.20.46.210.443    ?>   130.216.251.145.44597 1        0         0            0           A_
> 29 Dec 03 08:43:17           tcp    69.20.46.210.443    ?>   130.216.129.208.48338 1        0         0            0           A_
> 29 Dec 03 08:44:04      I    tcp    69.20.46.210.443    ?>    130.216.38.111.4145  1        0         0            0           A_
> 
> There is no other traffic to or from our network involving 69.20.46.0/24.
> 
> I doubt that this is malicious. My first thought was that it might be fallout
> from a DoS on 69.20.46.210, but it has been going on for a week now so
> that seems unlikely.
> 
> Any ideas?
> 
> Rackspace: Would you please investigate this issue? As I said, I don't
> think the traffic is malicious, but your customer does appear to have
> problems of some kind.
> 


-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
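As an added illustration (not code from the thread or from either poster), the Python below does the two checks a practitioner would want for traffic like this: it decodes the TCP options block that snort printed, confirming that option kind 19 with length 18 is the TCP MD5 Signature option of RFC 2385, and it runs a simple heuristic over Argus-style flow records to find a source that sends a single unsolicited ACK to many distinct destination addresses and ports. The options bytes are reconstructed from the snort decode above (the trailing pad byte is an assumption; snort did not print it); the flow records are three lines copied from Russell's Argus output plus one constructed normal connection for contrast. The function names, the threshold and the reading of the Argus state column ("A" with no "s"/"S" meaning an ACK with no SYN seen) are mine.

```python
"""Checks for bare-ACK probes: decode the snort-flagged TCP options block
(kind 19 is the RFC 2385 MD5 Signature option, always 18 bytes) and look
for one source sending single unsolicited ACKs to many targets."""
from collections import defaultdict

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_MD5SIG = 19      # RFC 2385; option data is a 16-byte digest

# Options block reconstructed from the snort decode in the thread: kind 19,
# len 18, the 16 digest bytes, then EOL and one pad byte (off=10 means a
# 40-byte header: 20 fixed + 18 option + 1 EOL + 1 pad).  The pad byte's
# value is an assumption; snort did not print it.
SAMPLE_OPTIONS = bytes.fromhex(
    "1312" "03FBE58DFD66F6502F45AEE88A22FDB0" "00" "00"
)

# First three records copied from Russell's Argus output (the "I" before
# "tcp" on the third is Argus' status indicator); the fourth is a
# constructed normal connection, added for contrast.
SAMPLE_FLOWS = """\
29 Dec 03 08:09:19           tcp    69.20.46.210.443    ?>   130.216.185.103.58895 1        0         0            0           A_
29 Dec 03 08:15:23           tcp    69.20.46.210.443    ?>    130.216.31.103.13138 1        0         0            0           A_
29 Dec 03 08:44:04      I    tcp    69.20.46.210.443    ?>    130.216.38.111.4145  1        0         0            0           A_
29 Dec 03 08:50:00           tcp    130.216.1.5.40000   ->    69.20.46.210.443     3        2         200          300         sSEfF
"""

def parse_tcp_options(raw):
    """Walk a TCP options block and return a list of (kind, data) tuples.

    EOL ends the walk and NOP has no length byte; every other kind carries
    a length covering kind + len + data.  Truncated or undersized options
    raise ValueError instead of being silently accepted."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d is missing its length" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def has_md5_signature(raw):
    """True when the block carries a well-formed MD5 Signature option."""
    return any(kind == TCP_OPT_MD5SIG and len(data) == 16
               for kind, data in parse_tcp_options(raw))

def parse_argus_line(line):
    """Extract src, dst, packet counts and state from one Argus record.
    Columns are located relative to the protocol field, so the optional
    status indicator Argus prints before it does not shift anything."""
    t = line.split()
    p = t.index("tcp")
    src_host, src_port = t[p + 1].rsplit(".", 1)
    dst_host, dst_port = t[p + 3].rsplit(".", 1)
    return {"src": (src_host, int(src_port)),
            "dst": (dst_host, int(dst_port)),
            "src_pkts": int(t[p + 4]),
            "dst_pkts": int(t[p + 5]),
            "state": t[-1]}

def find_bare_ack_sources(lines, min_targets=3):
    """Report sources whose every flow is one unsolicited ACK: the source
    sent exactly one packet, the destination at most one (a RST at best),
    and the state shows the ACK bit with no SYN in either direction.  A
    source qualifies when it reaches at least min_targets distinct hosts."""
    per_src = defaultdict(lambda: {"flows": 0, "bare": 0,
                                   "hosts": set(), "ports": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_argus_line(line)
        s = per_src[rec["src"]]
        s["flows"] += 1
        if (rec["src_pkts"] == 1 and rec["dst_pkts"] <= 1
                and "A" in rec["state"] and "s" not in rec["state"].lower()):
            s["bare"] += 1
            s["hosts"].add(rec["dst"][0])
            s["ports"].add(rec["dst"][1])
    report = {}
    for (host, port), s in per_src.items():
        if s["bare"] == s["flows"] and len(s["hosts"]) >= min_targets:
            report["%s:%d" % (host, port)] = {
                "flows": s["flows"],
                "distinct_dst_hosts": len(s["hosts"]),
                "distinct_dst_ports": len(s["ports"]),
            }
    return report
```

Run over the sample records, `find_bare_ack_sources(SAMPLE_FLOWS.splitlines())` reports only 69.20.46.210:443, with three flows to three distinct hosts and three distinct ports, while the constructed handshake flow from 130.216.1.5 is left alone; `has_md5_signature(SAMPLE_OPTIONS)` is true for the reconstructed options block. The threshold of three targets is only sensible for a short sample; over the tens of thousands of packets Brian mentions you would raise it and also key on the fixed source port.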


