[Snort-users] BAD TRAFFIC data in TCP SYN packet

Dewey Paciaffi dpaciaffi at ...4262...
Mon Jan 14 10:27:02 EST 2002


I see these all the time as well. It's Microsoft:

207.46.106.84 = sjwu3dns1.windowsupdate.com
207.68.131.17 = dcwu3dns1.windowsupdate.com

They're looking for the best server to use to service
your users.

See the thread at

http://cert.uni-stuttgart.de/archive/incidents/2001/02/msg00341.html

Dewey Paciaffi


Matt Kettler wrote:

> Well, the port 29291 is just a random local port. This is a SYN packet,
> remember, so the service being used is on the destination end, and is port
> 53 (DNS).
> 
> So, 207.46.106.84 has decided that 172.40.20.235 might be a DNS server,
> and has attempted to connect to it via TCP (it is unusual, but legal for
> a DNS server to be contacted via TCP instead of UDP).
> 
> I've seen some similar traffic myself from a pair of DNS servers
> directed at the local DNS server here. The TCP SYN packets contain
> several bytes of data which are all 00's. It is strange (AFAIK it is not
> legal to send data with a SYN packet; you haven't negotiated a
> connection yet), but it appears to be an artifact of a buggy TCP/IP
> implementation. Or who knows, it may be an artifact of some obscure,
> buggy worm or scanning tool that looks at DNS servers and uses raw
> sockets instead of the local TCP/IP stack. Even if it is from some
> obscure hacking tool, the SYN packets themselves appear harmless.
> 
> 
> At 07:39 AM 1/14/2002 +0100, you wrote:
> 
>> Hi!
>>
>> I get a lot of
>>
>> 01/14-02:24:17.089098  [**] [1:526:3] BAD TRAFFIC data in TCP SYN packet [**] [Classification: Misc activity] [Priority: 3] {TCP} 207.46.106.84:29291 -> 172.40.20.235:53
>>
>> 172.40.20.235 is my DNS server, but why would clients put data in the SYN
>> packets? According to RIPE, the source address is "ALLOCATED UNSPECIFIED",
>> so I can't find out who's doing this. It comes from a limited number of
>> addresses; they all seem to be 207.xx.xxx.xxx.
> 
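
A small checker, added here as an illustration and not part of this thread or of Snort itself, that reproduces the condition the "data in TCP SYN packet" alert is reacting to on raw IPv4/TCP bytes: SYN set, ACK clear, and a non-empty TCP payload (this is my reading of sid 526, not a quote of the rule). The packet builder and its eight zero bytes of payload are constructed to resemble what Matt describes; the addresses and ports are the ones quoted in the thread.

```python
import struct

SYN, ACK = 0x02, 0x10

def build_packet(src, dst, sport, dport, flags, payload):
    """Constructed sample: minimal IPv4 + TCP (no options), checksums left zero."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    # data offset 5 words, flags byte, window 8192, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

def data_in_syn(pkt):
    """Mirror the assumed sid 526 condition: SYN set, ACK clear, non-empty
    TCP payload.  Returns (flagged, detail string)."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return False, "not IPv4"
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length incl. options
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        return False, "not TCP"
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    tcp = pkt[ihl:total_len]                   # ignore any trailing frame padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    flags = tcp[13]
    dsize = len(tcp) - doff                    # what Snort calls dsize
    syn_only = bool(flags & SYN) and not (flags & ACK)
    detail = f"{src}:{sport} -> {dst}:{dport} flags=0x{flags:02x} dsize={dsize}"
    return (syn_only and dsize > 0), detail

if __name__ == "__main__":
    pkt = build_packet("207.46.106.84", "172.40.20.235", 29291, 53, SYN, b"\x00" * 8)
    flagged, detail = data_in_syn(pkt)
    print("data in TCP SYN packet" if flagged else "ok", detail)
```

A SYN with an empty payload, or a SYN/ACK carrying data, is not flagged, which is the distinction that separates these Microsoft probes from ordinary handshakes.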
