Very Strange - TCP SWEEP Alerts / Inconsistent with traffic on system

Folks,
We have a strange situation occurring lately where we are getting some reports of TCP Sweeps from one of our IPs, yet the IP is one of many specifically configured for inbound traffic and does not emit outbound traffic except in response. Specifically, these are DDoS mitigation IPs, so they are attacked fairly frequently. With this in mind, the last few days one of the IPs being reported has been under constant attack.

Here is an example report we received from AT&T:
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=25,dp=1024,min=212.1.190.11,max=212.1.189.120,Jun27-04:12:37,Jun27-04:20:40) (USI-amsxaid01)
04:20:47 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=18,dp=3072,min=212.1.189.3,max=212.1.186.118,Jun27-04:13:15,Jun27-04:20:37) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=34,dp=1024,min=212.1.191.8,max=212.1.191.121,Jun27-03:56:28,Jun27-04:12:29) (USI-amsxaid01)
04:12:36 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=28,dp=3072,min=212.1.186.6,max=213.244.176.119,Jun27-03:56:48,Jun27-04:11:45) (USI-amsxaid01)

Hi Kevin,

Someone may want to throw RST traffic your way by spoofing their own
source (as you) and machine gunning TCP ACK or SYN packets to Internet
hosts such as this AT&T customer. Just a nice way of throwing traffic
at you in a fairly undetectable manner.

Just a guess,

-M

Thanks Matt,
That's what we believe we're seeing at this point, but we're trying to convince our upstream. :) We have seen this in the past, but proving it is occurring seems to be the primary issue we're running into at this point.

-Kevin

This looks like the trademark signature of backscatter as a result of
someone using the juno.c or derivative code to SYN flood a host. You
are most likely getting this traffic from a host that is getting
attacked. In the juno.c code you'll see this:

     syn->sport = htons(1024 + (random() & 2048));

A random number is ANDed against 2048, and the result is then added to
1024. What will be added is always either 0 or 2048, because 2048 has
only one bit set. 1024 + 2048 = 3072. Therefore, syn->sport will only
ever equal 1024 or 3072. Or in your case, it shows up as the dport on
the way back.

John
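An added example, not part of the thread, that turns John's observation into a check a defender can run over the AT&T report format shown above: it enumerates every value `1024 + (random() & 2048)` can take and flags reported sweeps whose dp falls in that set as consistent with SYN-flood backscatter rather than outbound scanning. The regex field names and the fourth report line (dp=80) are constructed for the example.

```python
import re

# Three AT&T TCP-SWEEP lines quoted from the report above, plus one constructed
# line (dp=80) that does not fit the pattern, so the classifier has a negative.
SWEEP_REPORT = """\
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=23,dp=1024,min=212.1.185.6,max=212.1.191.127,Jun27-04:21:01,Jun27-04:29:26) (USI-amsxaid01)
04:29:27 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=3072,min=212.1.189.1,max=212.1.188.118,Jun27-04:21:15,Jun27-04:29:09) (USI-amsxaid01)
04:36:44 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=16,dp=1024,min=212.1.188.1,max=212.1.185.126,Jun27-04:29:51,Jun27-04:35:53) (USI-amsxaid01)
04:40:00 x.x.x.x 0.0.0.0 [TCP-SWEEP] (total=12,dp=80,min=212.1.185.2,max=212.1.185.200,Jun27-04:30:00,Jun27-04:39:59) (USI-amsxaid01)
"""

# One named group per field of the report format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) \[TCP-SWEEP\] "
    r"\(total=(?P<total>\d+),dp=(?P<dp>\d+),min=(?P<min>[\d.]+),"
    r"max=(?P<max>[\d.]+),(?P<first>[^,]+),(?P<last>[^)]+)\) \((?P<sensor>[^)]+)\)$"
)

def juno_source_ports() -> set[int]:
    """Every value 1024 + (random() & 2048) can take.  The mask keeps only
    bit 11 of random(), so exhausting the low 12 bits visits every outcome."""
    return {1024 + (r & 2048) for r in range(1 << 12)}

def parse_sweeps(report: str) -> list[dict]:
    """Parse TCP-SWEEP report lines into dicts; lines that do not match are skipped."""
    sweeps = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["total"], d["dp"] = int(d["total"]), int(d["dp"])
            sweeps.append(d)
    return sweeps

def classify_backscatter(report: str) -> dict:
    """Split sweeps by whether the reported dp is one of juno.c's two source ports.
    A dp of 1024 or 3072 is consistent with replies from hosts being SYN flooded
    with packets spoofed from our address, rather than a scan we originated."""
    juno = juno_source_ports()
    sweeps = parse_sweeps(report)
    matching = [s for s in sweeps if s["dp"] in juno]
    return {
        "parsed": len(sweeps),
        "backscatter_like": len(matching),
        "other": len(sweeps) - len(matching),
        "backscatter_dps": sorted({s["dp"] for s in matching}),
        "backscatter_packets": sum(s["total"] for s in matching),
    }
```

Run against the quoted report, all three original lines land in the backscatter bucket with dps `[1024, 3072]`, which is the evidence Kevin needs to show his upstream that the traffic is replies to spoofed floods, not scans from his host.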