[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Botnet attack? [was: Re: Declining traffic]

To: or-talk@xxxxxxxxxxxxx
Subject: Re: Botnet attack? [was: Re: Declining traffic]
From: Hans Schnehl <torvallenator@xxxxxxxxx>
Date: Tue, 27 Apr 2010 13:07:24 +0200
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Tue, 27 Apr 2010 07:07:52 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=ZqcoHVQsXGDGdKZKzwkVB9ienE79Mrryx04Hm2iUeiI=; b=DFVUMY6RKIeJMAbEiISUrpPh7D63mxbDBTJ50DyvP0u439a72nj8Ct+Ah1XldGQy1K TU9sthjq7tewYyzExqnuFImsVLNKVAO4WvaWPb8MEj5JYNn00ssWOhHR9BX5tH78g61M Gb4MxmcguRYOchDCrpiCgJB7SYNefq2rmW5Dg=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=ewBE/1ruxbwf2NO47wwbIu7mXb8cpoBeQ91TyHmNwuXpDnvI+x6vhzS2d8K/ngNWpv J1p78BGj886QFHEPP4DQtn4Pm59gizPJ83/FrD3EBhTSFrA5GPUqv8wgnyt1diGs5pXA YUvkNrSPPhgTmgPycudTQmgk/fA8X5fRIvHew=
In-reply-to: <201004270635.o3R6ZKIO008515@xxxxxxxxxxxxx>
References: <201004270635.o3R6ZKIO008515@xxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.19 (2009-01-05)

On Tue, Apr 27, 2010 at 01:35:20AM -0500, Scott Bennett wrote:
>      On Mon, 26 Apr 2010 13:36:17 -0400 Flamsmark <flamsmark@xxxxxxxxx>
> wrote:
> >On 26 April 2010 09:59, Timo Schoeler <timo.schoeler@xxxxxxxxxxxxx> wrote:
> >
> >> (Deutsche Telekom AG). For me it really seems as there's some kind of
> >> botnet attack going on.
> >>
> >
> >
> >What makes you think that this is a botnet attack? What are the
> >characteristics of a botnet attack, and how do these logs exhibit them? If
>
someone playing around, it's rather background noise...  relax, guys ;)

>      What my system logged over a two- to three-hour period was a very high
> rate of illicit connection attempts being logged, a rate much higher that
> usual and for an extended period of time.  Some of the connection attempts
> involved only one or two tries for a single port number.  However, consider
> another type that also occurred frequently during that time span.  That
> other type looked more like an individual attack that came in this evening:

[snip]

> 
> 2010-04-26 23:38:20.086026 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3422 > 24.1.225.89.8080:  tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:20.990386 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3416 > 24.1.225.89.8000:  tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:25.214087 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3419 > 24.1.225.89.8001:  tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:26.122380 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3422 > 24.1.225.89.8080:  tcp 16 [bad hdr length 12 - too short, < 20]
> 

[lot's of snip]

There was a scan. yes. Happens.
But these -> [bad hdr length 12 - too short, < 20] <- are *NOT* a
maliciuos attempt of something but rather a matte ofr tcpdump running against
a pflog* interface. There are different expectations about the snaplen ,
so if increasse the snaplen to sth. higher than 68 bytes the message will
disappear, it is rather harmless.

PLease see man tcpdump 

[quote]
TCP Packets
[snip]

If  the  snapshot was small enough that tcpdump didn't capture the full
TCP header, it interprets as much of the header  as  it  can  and  then
reports  ``[|tcp]'' to indicate the remainder could not be interpreted.
If the header contains a bogus option (one with a length that's  either
too  small  or  beyond  the  end  of the header), tcpdump reports it as
``[bad opt]'' and does not interpret any further  options  (since  it's
impossible  to  tell where they start).  If the header length indicates
options are present but the IP datagram length is not long  enough  for
the  options  to  actually  be  there, tcpdump reports it as ``[bad hdr
length]''.

[/quote]

on my bsd's a snaplen on 104 is sufficient, but you might try  256 or find
the appropriate value by checking it.

tcpdump ${wtf} -s 104 -i pflog*       

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

References:
- Re: Botnet attack? [was: Re: Declining traffic]
  - From: Scott Bennett

Prev by Author: Re: Consider traffic before setting AccountingStart in the middle of an accounting period.
Next by Author: Re: Firefox configurations for tor with Mac ppc
Previous by thread: Re: Botnet attack? [was: Re: Declining traffic]
Next by thread: Re: Botnet attack? [was: Re: Declining traffic]
Index(es):
- Author
- Thread