What do you make of these?
Ramin Alidousti
ramin@cannon.eng.us.uu.net
Fri, 20 Jul 2001 09:37:45 -0400
On Thu, Jul 19, 2001 at 10:18:50PM -0400, Charles Stack wrote:
> For starters, 209.92.37.194 is host's IP. This address is NATTED. These
> logs show what is about to be dropped that wasn't dropped in my normal rules
> on machine 1.
What I see here is:
>
> Jul 19 22:09:52 athena kernel: IPT DROPPED: IN=lo OUT=
^^^^^
this packet is coming in through your loopback.
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=209.92.37.194
that's why the MAC is all zeros.
> DST=209.179.198.73 LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=31355 PROTO=ICMP
^^^^^^^^^^
you're sending him an icmp, telling him that the host (network-int.codycomp.com)
was unreachable.
> TYPE=3 CODE=1 [SRC=209.179.198.73 DST=209.92.37.224 LEN=78 TOS=0x00
^^^^^^ ^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
the original packet was SRC=209.179.198.73 DST=209.92.37.224
> PREC=0x00 TTL=114 ID=29503 PROTO=UDP SPT=137 DPT=137 LEN=58 ]
^^^ ^^^ ^^^
and it was udp for the service "samba".
> Jul 19 22:09:52 athena kernel: IPT DROPPED: IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=209.92.37.194
> DST=209.179.198.73 LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=31356 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=209.179.198.73 DST=209.92.37.224 LEN=78 TOS=0x00
> PREC=0x00 TTL=114 ID=29247 PROTO=UDP SPT=137 DPT=137 LEN=58 ]
> Jul 19 22:09:52 athena kernel: IPT DROPPED: IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=209.92.37.194
> DST=209.179.198.73 LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=31357 PROTO=ICMP
> TYPE=3 CODE=1 [SRC=209.179.198.73 DST=209.92.37.224 LEN=78 TOS=0x00
> PREC=0x00 TTL=114 ID=28991 PROTO=UDP SPT=137 DPT=137 LEN=58 ]
>
>
> These logs are from a machine in my DMZ.
>
> Jul 19 21:47:58 stargate kernel: IPT DROPPED: IN=eth0 OUT=
> MAC=00:a0:cc:27:13:fd:00:50:04:ba:30:f1:08:00 SRC=208.186.102.27
> DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=36938 DF PROTO=TCP
> SPT=4664 DPT=515 WINDOW=32120 RES=0x00 SYN URGP=0
> Jul 19 21:48:01 stargate kernel: IPT DROPPED: IN=eth0 OUT=
> MAC=00:a0:cc:27:13:fd:00:50:04:ba:30:f1:08:00 SRC=208.186.102.27
> DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=38555 DF PROTO=TCP
> SPT=4664 DPT=515 WINDOW=32120 RES=0x00 SYN URGP=0
>
> From what I can tell, the guy in the first scan was trying REAL hard to mask
> himself while checking to see if I was running Windows (look at his MAC).
An attacker who is many hops away cannot fake his MAC (look at the TTL).
>
> Second guy just looks like somebody doing a port scan. Does anyone have an
> idea what he might be looking for on TCP:515?
It's "printer" service. How do you conclude that it was a port scan?
Both these cases could be due to misconf on their windoze PC. But
again, it might also be a very naive attack.
Ramin
>
> When rate limiting logging, what options work best to show bad guys while
> not filling up one's logs.
>
> Charles
>
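As an added example (not part of the thread, and not Ramin's or Charles's code), here is a small Python parser for iptables LOG lines of the kind quoted above. It separates the bracketed inner packet that an ICMP error carries from the outer header, names the well-known port, and estimates hop distance from the TTL, which is the observation behind the remark that a sender many hops away cannot control the MAC seen on the local wire. The two sample lines are taken from the thread and re-joined onto one line each; `PORT_NAMES`, `hops_from_ttl` and its assumed initial TTLs (64, 128, 255) are my own additions.

```python
import re
from typing import Any, Dict, Optional

# Sample iptables LOG lines from the thread above (first loopback ICMP entry and
# first TCP/515 entry), re-joined onto one line each as the kernel emits them.
SAMPLE_LOGS = [
    "Jul 19 22:09:52 athena kernel: IPT DROPPED: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=209.92.37.194 "
    "DST=209.179.198.73 LEN=106 TOS=0x00 PREC=0xC0 TTL=255 ID=31355 PROTO=ICMP "
    "TYPE=3 CODE=1 [SRC=209.179.198.73 DST=209.92.37.224 LEN=78 TOS=0x00 "
    "PREC=0x00 TTL=114 ID=29503 PROTO=UDP SPT=137 DPT=137 LEN=58 ]",
    "Jul 19 21:47:58 stargate kernel: IPT DROPPED: IN=eth0 OUT= "
    "MAC=00:a0:cc:27:13:fd:00:50:04:ba:30:f1:08:00 SRC=208.186.102.27 "
    "DST=172.16.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=36938 DF PROTO=TCP "
    "SPT=4664 DPT=515 WINDOW=32120 RES=0x00 SYN URGP=0",
]

# IANA service names for the ports that appear in the thread (my own table).
PORT_NAMES = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 515: "printer"}

_LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?): (?P<fields>.*)$"
)


def _parse_fields(text: str) -> Dict[str, Any]:
    """Turn 'K=V K=V FLAG ...' into a dict; bare tokens (DF, SYN, ...) go into 'flags'."""
    out: Dict[str, Any] = {"flags": []}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val          # OUT= yields an empty string, which is what the log says
        else:
            out["flags"].append(tok)
    return out


def parse_ipt_log(line: str) -> Dict[str, Any]:
    """Parse one iptables LOG line; ICMP error payload in [ ... ] lands under 'inner'."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not an iptables LOG line: %r" % line)
    fields = m.group("fields")
    inner = None
    lb = fields.find("[")
    if lb != -1:
        rb = fields.rfind("]")
        inner = _parse_fields(fields[lb + 1:rb])
        fields = fields[:lb] + fields[rb + 1:]
    rec = _parse_fields(fields)
    rec.update(stamp=m.group("stamp"), host=m.group("host"),
               prefix=m.group("prefix"), inner=inner)
    return rec


def hops_from_ttl(ttl: int) -> Optional[int]:
    """Estimate hop count assuming the common initial TTLs 64, 128 and 255 (assumption)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def summarize(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Answer the questions the thread asks: who sent it, for what service, how far away."""
    if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "3" and rec["inner"] is not None:
        # Our own host is reporting that it could not deliver the inner packet, so the
        # remote party is the inner SRC and the distance estimate comes from the inner TTL.
        inner = rec["inner"]
        remote, proto, ttl = inner["SRC"], inner.get("PROTO", "?"), int(inner["TTL"])
        dport = int(inner["DPT"]) if inner.get("DPT") else None
        kind = "ICMP unreachable type=%s code=%s" % (rec["TYPE"], rec["CODE"])
    else:
        remote, proto, ttl = rec["SRC"], rec.get("PROTO", "?"), int(rec["TTL"])
        dport = int(rec["DPT"]) if rec.get("DPT") else None
        kind = " ".join([proto] + rec["flags"])
    hops = hops_from_ttl(ttl)
    return {
        "host": rec["host"],
        "kind": kind,
        "local_origin": rec.get("IN") == "lo",   # generated by this box, hence the zero MAC
        "remote": remote,
        "proto": proto,
        "dport": dport,
        "service": PORT_NAMES.get(dport, "unknown") if dport else "n/a",
        "hops": hops,
        # The logged source MAC belongs to whatever put the frame on the local segment
        # (a router, or nothing at all on lo); it cannot identify a sender hops away.
        "mac_identifies_sender": rec.get("IN") != "lo" and hops == 0,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(summarize(parse_ipt_log(line)))
```

Run as-is it prints one summary per sample line; fed a real kernel log it will also cope with lines that carry no ports (plain ICMP echo, for instance) by reporting the service as `n/a`.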