[Snort-users] Anyone Else seen this weird traffic from aol?

Bill Pennington billp at ...60...
Fri Aug 11 19:28:37 EDT 2000


Well that source IP is just one of AOL's web servers. Maybe they are
doing some kind of fingerprinting of clients visiting their site? I mean
they did intentionally put a buffer overflow in their IM client if I
recall correctly.

Reserved packets are most often used for fingerprinting OSs if I recall
correctly. It has been a long week and my brain is pretty shot right
now...

So I would guess they are fingerprinting clients.

Thayne wrote:
> 
> Hi,
> 
> Thanks for your reply.  The IPs on our side are all clients.  The source
> port is always 80, and the destination ports vary.  I wrote a snort rule to
> pick up the offending packets, and found that they actually have no payload.
> Here is the dump from the previous alerts:
> 
> [**] AOL Mangled Packets [**]
> 08/09-10:10:18.368112 205.188.160.121:80 -> our.net.work.xx:1321
> TCP TTL:54 TOS:0x0 ID:36767  DF
> *1**R*** Seq: 0x61DBE26A   Ack: 0x0   Win: 0x0
> 
> [**] AOL Mangled Packets [**]
> 08/09-10:10:18.580516 205.188.160.121:80 -> our.net.work.xx:1322
> TCP TTL:54 TOS:0x0 ID:36776  DF
> *1**R*** Seq: 0x325B2467   Ack: 0x0   Win: 0x0
> 
> [**] AOL Mangled Packets [**]
> 08/09-10:10:20.336619 205.188.160.121:80 -> our.net.work.xx:1323
> TCP TTL:54 TOS:0x0 ID:36825  DF
> *1**R*** Seq: 0x692A18FC   Ack: 0x0   Win: 0x0
> 
> Any ideas?
> 
> TIA
> Thayne
> 
> ----- Original Message -----
> From: "Bill Pennington" <billp at ...60...>
> To: "Thayne" <thayne_a at ...125...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Friday, August 11, 2000 5:47 PM
> Subject: Re: [Snort-users] Anyone Else seen this weird traffic from aol?
> 
> > I have not noticed anything like that coming from AOL and a high
> > percentage of our users come from AOL. Are the IPs on your side clients
> > or servers? It looks like web traffic since the source port is 80 but
> > without a packet dump it is hard to tell.
> >
> > I do know AOL runs lots of weird stuff with their mega proxies and
> > whatnot.
> >
> > Thayne wrote:
> > >
> > > Greetings,
> > >
> > > Ever since we've been running snort, we are constantly getting weird stealth
> > > packets from aol that are picked up by the spp_portscan plugin.  The
> > > following is an excerpt from one instance:
> > >
> > > Alert log:
> > > [**] spp_portscan: PORTSCAN DETECTED from 205.188.x.x (STEALTH) [**]
> > > [**] spp_portscan: portscan status from 205.188.x.x: 3 connections across 1
> > > hosts: TCP(3) UDP(0) STEALTH [**]
> > > [**] spp_portscan: End of portscan from 205.188.x.x: TOTAL time(2s) hosts(1)
> > > TCP(3) UDP(0) STEALTH [**]
> > >
> > > Portscan.log:
> > > Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS
> > > Aug  9 10:10:18 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS
> > > Aug  9 10:10:20 205.188.x.x:80 -> our.sub.net.xxx UNKNOWN *1**R*** RESERVEDBITS
> > >
> > > They come from different AOL IP's and go to many different IP's on our net.
> > > We've tried to talk to AOL about it, but they just say it's normal traffic.
> > > Yeah right.
> > >
> > > We can't seem to get the spp_portscan plugin to ignore it, as the packets are
> > > stealth.  Anyone else see this sort of traffic?  Any ideas on how to keep it
> > > from being logged?
> > >
> > > TIA,
> > > Thayne
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
> > --
> >
> >
> > Bill Pennington
> > Senior IT Manager
> > Rocketcash
> > billp at ...60...
> > http://www.rocketcash.com
> >

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp at ...60...
http://www.rocketcash.com
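Added example, not code from this thread (the messages do not show Thayne's rule, and this is not it): a small Python parser for the Snort 1.x alert-log records quoted above. It decodes the 8-character flag string by letter rather than by column ('1' and '2' for the two reserved bits, U/A/P/R/S/F for the standard flags), so the result does not depend on the column order a particular Snort release prints; it tags each record that fits the pattern in the thread (RST plus a reserved bit, no ACK flag, ack and window both zero, source port 80); and it rolls matching records up per source the way spp_portscan reports them, as N connections across M hosts over T seconds. The sample input is constructed: the three alerts above with the sanitised destination replaced by an RFC 5737 test address, plus one made-up ordinary SYN/ACK record as a negative case. Function names, the summary dict keys and the sample values are assumptions of this example. One caveat the thread predates: RFC 3168 (2001) assigned those two "reserved" bits to ECN (CWR and ECE), so on a modern sensor the same `*1**R***` string no longer implies a hand-crafted packet; the decoder below simply treats them as the reserved bits Snort 1.x printed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the three records quoted in the thread, destination
# rewritten to an RFC 5737 test address, plus one made-up SYN/ACK for contrast.
SAMPLE_ALERTS = """\
[**] AOL Mangled Packets [**]
08/09-10:10:18.368112 205.188.160.121:80 -> 192.0.2.10:1321
TCP TTL:54 TOS:0x0 ID:36767  DF
*1**R*** Seq: 0x61DBE26A   Ack: 0x0   Win: 0x0

[**] AOL Mangled Packets [**]
08/09-10:10:18.580516 205.188.160.121:80 -> 192.0.2.10:1322
TCP TTL:54 TOS:0x0 ID:36776  DF
*1**R*** Seq: 0x325B2467   Ack: 0x0   Win: 0x0

[**] AOL Mangled Packets [**]
08/09-10:10:20.336619 205.188.160.121:80 -> 192.0.2.10:1323
TCP TTL:54 TOS:0x0 ID:36825  DF
*1**R*** Seq: 0x692A18FC   Ack: 0x0   Win: 0x0

[**] Ordinary web reply (constructed negative case) [**]
08/09-10:10:21.000000 205.188.160.121:80 -> 192.0.2.10:1324
TCP TTL:54 TOS:0x0 ID:36830  DF
***A**S* Seq: 0x11111111   Ack: 0x22222222   Win: 0x4000
"""

# One Snort 1.x text-log record is four lines: message, connection, IP, TCP.
HEADER_RE = re.compile(r"\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
CONN_RE = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"TCP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) "
                   r"ID:(?P<id>\d+)(?P<df>\s+DF)?$")
TCP_RE = re.compile(r"(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
                    r"Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)$")
RESERVED_BITS = frozenset("12")  # the two bits Snort 1.x printed as '1' and '2'


def parse_alerts(text):
    """Parse Snort 1.x alert-log records into dicts; raise on a malformed record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        if len(lines) != 4:
            raise ValueError("expected a 4-line record, got %r" % (lines,))
        h, c, i, t = (rx.match(ln) for rx, ln in zip((HEADER_RE, CONN_RE, IP_RE, TCP_RE), lines))
        if not (h and c and i and t):
            raise ValueError("unparseable record: %r" % (lines,))
        records.append({
            "msg": h["msg"],
            # The timestamp carries no year; strptime fills in 1900, which is fine
            # for computing intervals within one log.
            "ts": datetime.strptime(c["ts"], "%m/%d-%H:%M:%S.%f"),
            "src": c["src"], "sport": int(c["sport"]),
            "dst": c["dst"], "dport": int(c["dport"]),
            "ttl": int(i["ttl"]), "ip_id": int(i["id"]), "df": bool(i["df"]),
            # Decode by letter, not by column position.
            "flags": frozenset(ch for ch in t["flags"] if ch != "*"),
            "seq": int(t["seq"], 16), "ack": int(t["ack"], 16), "win": int(t["win"], 16),
        })
    return records


def is_reserved_rst(rec):
    """The pattern reported in the thread: RST with a reserved bit set, no ACK
    flag, zero ack and window, sourced from port 80."""
    f = rec["flags"]
    return bool("R" in f and f & RESERVED_BITS and "A" not in f
                and rec["ack"] == 0 and rec["win"] == 0 and rec["sport"] == 80)


def summarize_by_source(records):
    """Roll matching records up per source as spp_portscan reports a scan:
    distinct (host, port) 'connections', distinct hosts, and the span in whole
    seconds (the portscan log itself has one-second resolution)."""
    by_src = defaultdict(list)
    for r in records:
        if is_reserved_rst(r):
            by_src[r["src"]].append(r)
    summary = {}
    for src, recs in by_src.items():
        secs = [r["ts"].replace(microsecond=0) for r in recs]
        summary[src] = {
            "connections": len({(r["dst"], r["dport"]) for r in recs}),
            "hosts": len({r["dst"] for r in recs}),
            "seconds": int((max(secs) - min(secs)).total_seconds()),
            "flag_sets": sorted({"".join(sorted(r["flags"])) for r in recs}),
        }
    return summary


def format_portscan_status(src, s):
    """Render one summary in the wording of the spp_portscan alert quoted above."""
    return ("portscan status from %s: %d connections across %d hosts: TCP(%d) UDP(0) STEALTH"
            % (src, s["connections"], s["hosts"], s["connections"]))


if __name__ == "__main__":
    for src, s in summarize_by_source(parse_alerts(SAMPLE_ALERTS)).items():
        print(format_portscan_status(src, s), "time(%ds)" % s["seconds"], s["flag_sets"])
```

Run against the constructed sample it reproduces the "3 connections across 1 hosts" over 2 seconds that Thayne's spp_portscan alert reported, and leaves the SYN/ACK record alone. Because the decoder keys on letters, the same function reads flag strings from later Snort releases that reorder the columns; only the meaning of '1' and '2' (reserved then, ECN now) has to be revisited by the analyst.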

