Pantek Library

RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

From: Andy Streule <andy.streule(at)lythamhigh.lancs.sch.uk>
Date: Fri Jun 20 2003 - 06:39:39 EDT


According to

http://www.eweek.com/article2/0,3959,1132268,00.asp

the packets are being generated by a distributed network mapping tool called Stumbler.

"Researchers at Internet Security Systems Inc. say the culprit, which was first thought to be a new breed of Trojan, is actually a distributed network mapping tool that also acts as a listening agent. Dubbed Stumbler, the agent is not considered malicious right now because it contains no payload, but it has the potential to generate enough IP traffic to hamper network performance."

"Stumbler scans random ports on random machines, each time sending an initial SYN packet. One of the few identifiable characteristics of the program is a window size of 55808 on each of the packets it transmits. It also spoofs the originating IP address on all of the packets, making them look as if they're coming from machines in unallocated name space. The window size led some to speculate that the malware was related to the Randex IRC bot, but experts now say the TCP window size is coincidental."

~browolf
www.security-forums.com



Received on Sat Jun 21 15:03:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:09 EDT

