Weird network activity (Stealth packets) ... what to do?

[Durandal]

Someone's taken to hitting my machine with Stealth packets and packets with bad TCP lengths, or so Snort is reporting. Could someone enlighten me as to what this means? Here are two sample log entries.

Code: Select all

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
04/11-05:03:05.932299 81.72.19.237:3456 -> 10.42.8.170:59454
TCP TTL:106 TOS:0x0 ID:28821 IpLen:20 DgmLen:40 DF
***A*R*F Seq: 0x0  Ack: 0x346134C0  Win: 0x0  TcpLen: 20

and

Code: Select all

[**] [116:54:1] (snort_decoder): Tcp Options found with bad lengths [**]
04/13-12:48:55.592189 80.194.57.119:0 -> 10.42.8.170:0
TCP TTL:43 TOS:0x0 ID:57632 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x89A4F91F  Ack: 0xA18B0750  Win: 0xC330  TcpLen: 32

Somehow, this guy is targeting my LAN address from outside my LAN. I'm on my school's network, and everyone has a LAN IP, but there is only one external IP. This activity has been going on for a few days, a couple of times a day. What is this guy trying to pull, and how should I go about averting it?

[Faram]

Okay I am out of shape in protocol analysys but i'll give it a shot.


"04/11-05:03:05.932299" = Timestamp

81.72.19.237:3456 = Source IP / Port

10.42.8.170:59454 = Destination IP / Port

TCP = Protocol

TTL:106 = Time To Live. This one is malformed normal is ttl=30

TOS:0x0 ID:28821= Type Of Service (NetBios if i member right)

IpLen:20 = the IP header length

DgmLen:40 DF = total packet length as seen by the IP layer

Hope this helps

***A*R*F Seq: 0x0 Ack: 0x346134C0 Win: 0x0 TcpLen: 20

[Faram]

Blah I am out of shape.

Ahh well check this out.

http://www.sans.org/resources/tcpip.pdf

Great stuff for tcp/ip have some intresting stuff in my comp.

PM me if you vant me to mail those pdf's to you

[Pu-239]

Okay I am out of shape in protocol analysys but i'll give it a shot.


"04/11-05:03:05.932299" = Timestamp

81.72.19.237:3456 = Source IP / Port

10.42.8.170:59454 = Destination IP / Port

TCP = Protocol

TTL:106 = Time To Live. This one is malformed normal is ttl=30

TOS:0x0 ID:28821= Type Of Service (NetBios if i member right)

IpLen:20 = the IP header length

DgmLen:40 DF = total packet length as seen by the IP layer

Hope this helps

***A*R*F Seq: 0x0 Ack: 0x346134C0 Win: 0x0 TcpLen: 20

Where do you learn this stuff? Any online resources?

[Faram]

Where do you learn this stuff? Any online resources?

Look at my profile I work with this shit

Anyways for a good start into tcp/ip check out sans

www.sans.org

[Darth Wong]

Somehow, this guy is targeting my LAN address from outside my LAN. I'm on my school's network, and everyone has a LAN IP, but there is only one external IP.

On a network address translation network, an attacker shouldn't be able to address an individual machine on the inside unless:

A) He's compromised the router somehow.
B) Your machine is connecting out. Maybe you have a trojan or spyware installed.
C) He's on the inside and he's IP-spoofing to make it look like it's coming from outside.

[Exonerate]

This is just a guess, but I think I recall some method of doing some scanning of computers behind a firewall by fixing the TTL so that it would expire right after the firewall. Try http://www.packetfactory.net/firewalk/ for more information.

Of course, you could ask Ein, since he's supposed to be acknowledable in this area.

[Durandal]

On a network address translation network, an attacker shouldn't be able to address an individual machine on the inside unless:

A) He's compromised the router somehow.

Possible. Our school does allow VPN access. All he needs to do is trick one student or faculty member into telling him his password. The login can be obtained by a simple LDAP seach, and our LDAP server is publicly accessible.

B) Your machine is connecting out. Maybe you have a trojan or spyware installed.

I'll check my network activity, but such a trojan would have to compile and run on Mac OS X. What's a good GPL utility for checking this out? I've been having some trouble getting ntop to work correctly.

C) He's on the inside and he's IP-spoofing to make it look like it's coming from outside.

I guess that's also possible. I'll have to check and see if similar packets come from different addresses.

[Durandal]

Well, I just ran netstat ...
Apparently, I have an http connection to 64.246.34.100 on my local port 51632. It has no lookup name, but putting it in my address bar takes me to the Georgia Tech Society of Black Engineers ... what the fuck?

[TrailerParkJawa]

Well, I just ran netstat ...
Apparently, I have an http connection to 64.246.34.100 on my local port 51632. It has no lookup name, but putting it in my address bar takes me to the Georgia Tech Society of Black Engineers ... what the fuck?

That server is running apache of some sorts. Dunno how its connected to you though.