Botnet attack? [was: Re: Declining traffic]
Hans Schnehl
torvallenator at gmail.com
Tue Apr 27 11:07:24 UTC 2010
On Tue, Apr 27, 2010 at 01:35:20AM -0500, Scott Bennett wrote:
> On Mon, 26 Apr 2010 13:36:17 -0400 Flamsmark <flamsmark at gmail.com>
> wrote:
> >On 26 April 2010 09:59, Timo Schoeler <timo.schoeler at riscworks.net> wrote:
> >
> >> (Deutsche Telekom AG). For me it really seems as there's some kind of
> >> botnet attack going on.
> >>
> >
> >
> >What makes you think that this is a botnet attack? What are the
> >characteristics of a botnet attack, and how do these logs exhibit them? If
>
someone playing around, it's rather background noise... relax, guys ;)
> What my system logged over a two- to three-hour period was a very high
> rate of illicit connection attempts being logged, a rate much higher that
> usual and for an extended period of time. Some of the connection attempts
> involved only one or two tries for a single port number. However, consider
> another type that also occurred frequently during that time span. That
> other type looked more like an individual attack that came in this evening:
[snip]
>
> 2010-04-26 23:38:20.086026 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3422 > 24.1.225.89.8080: tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:20.990386 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3416 > 24.1.225.89.8000: tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:25.214087 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3419 > 24.1.225.89.8001: tcp 16 [bad hdr length 12 - too short, < 20]
> 2010-04-26 23:38:26.122380 rule 5.logscanners.0/0(match): block in on bge0: 81.64.6.141.3422 > 24.1.225.89.8080: tcp 16 [bad hdr length 12 - too short, < 20]
>
[lot's of snip]
There was a scan. yes. Happens.
But these -> [bad hdr length 12 - too short, < 20] <- are *NOT* a
maliciuos attempt of something but rather a matte ofr tcpdump running against
a pflog* interface. There are different expectations about the snaplen ,
so if increasse the snaplen to sth. higher than 68 bytes the message will
disappear, it is rather harmless.
PLease see man tcpdump
[quote]
TCP Packets
[snip]
If the snapshot was small enough that tcpdump didn't capture the full
TCP header, it interprets as much of the header as it can and then
reports ``[|tcp]'' to indicate the remainder could not be interpreted.
If the header contains a bogus option (one with a length that's either
too small or beyond the end of the header), tcpdump reports it as
``[bad opt]'' and does not interpret any further options (since it's
impossible to tell where they start). If the header length indicates
options are present but the IP datagram length is not long enough for
the options to actually be there, tcpdump reports it as ``[bad hdr
length]''.
[/quote]
on my bsd's a snaplen on 104 is sufficient, but you might try 256 or find
the appropriate value by checking it.
tcpdump ${wtf} -s 104 -i pflog*
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
More information about the tor-talk
mailing list