[unisog] Interesting traffic

Harris, Michael C. harrismc at health.missouri.edu
Fri Feb 6 17:04:10 GMT 2004


We are seeing similar resets being blocked at our border but are seeing
IRC traffic to 207.38.8.36 peerchat.gamespy.com along with it to several
of the recipients of the resets.  A technician has been dispatched to
investigate in detail; I will forward any details as we lay hands on the
internal machine and have something concrete to add.

Mike
System Security Analyst GSEC
University of Missouri health care

-----Original Message-----
From: Asadoorian, Paul D [mailto:Paul_Asadoorian at brown.edu] 
Sent: Friday, February 06, 2004 8:30 AM
To: unisog at sans.org
Subject: [unisog] Interesting traffic

This traffic started on my network on Feb. 2nd, at 7:00AM EST STD time.
They all originate from 202.109.129.203, all with a source port of 6667
TCP, the destination is my entire class B on TCP ports 1024 and 3072.
All packets are RST/ACK.  Anyone else seeing this IP hitting their
network?  Looks like someone is spoofing our address space, and I have
confirmed that at least one other University is seeing this.

Thanks,

Paul

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com 

Below are some sample packet captures:

08:18:33.311596 202.109.129.203.6667 > MY.SUB.NET.105.3072: R [tcp sum ok] 0:0(0) ack 1430504790 win 0 (ttl 113, id 65266, len 40)
0x0000   4500 0028 fef2 0000 7106 09a7 ca6d 81cb        E..(....q....m..
0x0010   8094 7469 1a0b 0c00 0000 0000 5543 c556        ..ti........UC.V
0x0020   5014 0000 2df5 0000 0000 0000 0000             P...-.........
08:18:47.262891 202.109.129.203.6667 > MY.SUB.NET.120.3072: R [tcp sum ok] 0:0(0) ack 721129229 win 0 (ttl 113, id 48858, len 40)
0x0000   4500 0028 beda 0000 7106 03b0 ca6d 81cb        E..(....q....m..
0x0010   8094 ba78 1a0b 0c00 0000 0000 2afb 8f0d        ...x........*...
0x0020   5014 0000 4877 0000 0000 0000 0000             P...Hw........
08:18:56.304529 202.109.129.203.6667 > MY.SUB.NET.79.3072: R [tcp sum ok] 0:0(0) ack 1329354305 win 0 (ttl 113, id 32292, len 40)
0x0000   4500 0028 7e24 0000 7106 258f ca6d 81cb        E..(~$..q.%..m..
0x0010   8094 d94f 1a0b 0c00 0000 0000 4f3c 5641        ...O........O<VA
0x0020   5014 0000 3e2b 0000 0000 0000 0000             P...>+........
08:19:11.265863 202.109.129.203.6667 > MY.SUB.NET.94.1024: R [tcp sum ok] 0:0(0) ack 2123187057 win 0 (ttl 113, id 25059, len 40)
0x0000   4500 0028 61e3 0000 7106 c4c1 ca6d 81cb        E..(a...q....m..
0x0010   8094 565e 1a0b 0400 0000 0000 7e8d 4371        ..V^........~.Cq
0x0020   5014 0000 ac9b 0000 0000 0000 0000             P.............
08:19:11.475469 202.109.129.203.6667 > MY.SUB.NET.31.1024: R [tcp sum ok] 0:0(0) ack 878616853 win 0 (ttl 113, id 27716, len 40)
0x0000   4500 0028 6c44 0000 7106 359f ca6d 81cb        E..(lD..q.5..m..
0x0010   8094 db1f 1a0b 0400 0000 0000 345e a115        ............4^..
0x0020   5014 0000 1465 0000 0000 0000 0000             P....e........
08:19:12.953427 202.109.129.203.6667 > MY.SUB.NET.48.3072: R [tcp sum ok] 0:0(0) ack 3339124750 win 0 (ttl 113, id 46208, len 40)
0x0000   4500 0028 b480 0000 7106 4852 ca6d 81cb        E..(....q.HR.m..
0x0010   8094 8030 1a0b 0c00 0000 0000 c707 000e        ...0............
0x0020   5014 0000 75b2 0000 0000 0000 0000             P...u.........
08:19:24.588327 202.109.129.203.6667 > MY.SUB.NET.110.3072: R [tcp sum ok] 0:0(0) ack 190209852 win 0 (ttl 113, id 62626, len 40)
0x0000   4500 0028 f4a2 0000 7106 47f2 ca6d 81cb        E..(....q.G..m..
0x0010   8094 406e 1a0b 0c00 0000 0000 0b56 5f3c        ..@n.........V_<
0x0020   5014 0000 11f8 0000 0000 0000 0000             P.............
08:19:27.530541 202.109.129.203.6667 > MY.SUB.NET.61.1024: R [tcp sum ok] 0:0(0) ack 3262217088 win 0 (ttl 113, id 34348, len 40)
0x0000   4500 0028 862c 0000 7106 cc99 ca6d 81cb        E..(.,..q....m..
0x0010   8094 2a3d 1a0b 0400 0000 0000 c271 7b80        ..*=.........q{.
0x0020   5014 0000 5cc9 0000 0000 0000 0000             P...\.........
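An added example, not part of either post: a small Python script that decodes the `tcpdump -x` hex dumps Paul attached, recomputes the IP and TCP checksums itself (tcpdump's `[tcp sum ok]` is the claim being checked), and tests the packets against the backscatter indicators the thread describes: one source host and port, bare RST/ACK, seq 0, window 0, a constant TTL, and many destination hosts. Three of the eight captures are copied verbatim into the script as its sample input; the text masks the destination prefix as `MY.SUB.NET`, but the hex carries whatever the sniffer saw, and the decoder reports that. The indicator set in `assess()` is this example's own heuristic, not something the list members wrote.

```python
"""Decode tcpdump -x captures, verify checksums, and score them against
backscatter indicators.  Added example; the heuristics in assess() are
this script's own assumptions, not the mailing-list authors'."""
import re
import struct
from collections import Counter
from ipaddress import IPv4Address

# Three of the eight captures copied verbatim from the post.
SAMPLE_CAPTURE = """\
08:18:33.311596 202.109.129.203.6667 > MY.SUB.NET.105.3072: R [tcp sum ok] 0:0(0) ack 1430504790 win 0 (ttl 113, id 65266, len 40)
0x0000   4500 0028 fef2 0000 7106 09a7 ca6d 81cb        E..(....q....m..
0x0010   8094 7469 1a0b 0c00 0000 0000 5543 c556        ..ti........UC.V
0x0020   5014 0000 2df5 0000 0000 0000 0000             P...-.........
08:18:47.262891 202.109.129.203.6667 > MY.SUB.NET.120.3072: R [tcp sum ok] 0:0(0) ack 721129229 win 0 (ttl 113, id 48858, len 40)
0x0000   4500 0028 beda 0000 7106 03b0 ca6d 81cb        E..(....q....m..
0x0010   8094 ba78 1a0b 0c00 0000 0000 2afb 8f0d        ...x........*...
0x0020   5014 0000 4877 0000 0000 0000 0000             P...Hw........
08:19:11.265863 202.109.129.203.6667 > MY.SUB.NET.94.1024: R [tcp sum ok] 0:0(0) ack 2123187057 win 0 (ttl 113, id 25059, len 40)
0x0000   4500 0028 61e3 0000 7106 c4c1 ca6d 81cb        E..(a...q....m..
0x0010   8094 565e 1a0b 0400 0000 0000 7e8d 4371        ..V^........~.Cq
0x0020   5014 0000 ac9b 0000 0000 0000 0000             P.............
"""

# Offset column, then 1-8 groups of four hex digits; the ASCII column
# that follows is separated by several spaces and is never matched.
HEX_LINE = re.compile(r"^0x([0-9a-f]{4})\s+((?:[0-9a-f]{4}\s?)+)")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def packets_from_dump(text):
    """Group the 0x.... lines into raw packets; offset 0x0000 starts a new one."""
    packets, current = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue            # summary lines and anything else are skipped
        if m.group(1) == "0000" and current:
            packets.append(bytes(current))
            current = bytearray()
        current += bytes.fromhex(m.group(2).replace(" ", ""))
    if current:
        packets.append(bytes(current))
    return packets


def ones_complement_sum(data):
    """RFC 1071 checksum arithmetic; a header verifies if this returns 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def flag_names(bits):
    return "|".join(name for bit, name in TCP_FLAGS if bits & bit)


def decode(pkt):
    """Parse IPv4 + TCP headers and recompute both checksums."""
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _ip_sum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(pkt) < total_len:
        raise ValueError("not TCP or truncated capture")
    (sport, dport, seq, ack, off_flags, win,
     _tcp_sum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    # Bytes beyond total_len are link-layer padding and must not be summed.
    segment = pkt[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "ttl": ttl, "id": ident, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "win": win,
        "flags": flag_names(off_flags & 0x1FF),
        "ip_sum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "tcp_sum_ok": ones_complement_sum(pseudo + segment) == 0xFFFF,
    }


def assess(decoded):
    """Backscatter indicators (this example's own heuristic): every packet a
    bare RST/ACK with seq 0 and win 0, one source host:port, checksums valid,
    a single TTL, and the replies fanned out over many destination hosts."""
    sources = Counter((d["src"], d["sport"]) for d in decoded)
    return {
        "packets": len(decoded),
        "all_rst_ack": all(d["flags"] == "RST|ACK" and d["seq"] == 0
                           and d["win"] == 0 for d in decoded),
        "checksums_ok": all(d["ip_sum_ok"] and d["tcp_sum_ok"] for d in decoded),
        "single_source": len(sources) == 1,
        "source": next(iter(sources)),
        "dst_hosts": len({d["dst"] for d in decoded}),
        "dst_ports": sorted({d["dport"] for d in decoded}),
        "ttls": sorted({d["ttl"] for d in decoded}),
    }


if __name__ == "__main__":
    decoded = [decode(p) for p in packets_from_dump(SAMPLE_CAPTURE)]
    for d in decoded:
        print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} {d['flags']} "
              f"seq={d['seq']} ack={d['ack']} win={d['win']} ttl={d['ttl']} "
              f"id={d['id']} ip_sum={'ok' if d['ip_sum_ok'] else 'BAD'} "
              f"tcp_sum={'ok' if d['tcp_sum_ok'] else 'BAD'}")
    print(assess(decoded))
```

Both checksums verify on all three packets, matching tcpdump's `[tcp sum ok]`, and the decoded fields (source 202.109.129.203:6667, RST|ACK, ack 1430504790, ttl 113, id 65266 for the first packet) agree with the summary lines. A reset carrying seq 0 and the ACK flag is how a TCP stack answers a segment that carried no ACK of its own and matched no connection (RFC 793), so valid checksums, one source, an unvarying TTL and a fan-out across the class B are consistent with Paul's reading that these are genuine replies from one host to traffic that spoofed his address space, rather than a scan he can trace to an internal machine. Feeding a whole day's `tcpdump -x` file into `packets_from_dump` gives a quick count of distinct destination hosts and ports, which is the number a border filter rule should be checked against.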