Finding out what an attacker aims at?

Hi all,
for some days I’m seeing constant fire from 185.156.73.25 source port 55791 TCP (AS44446 - OOO SibirInvest).
Connection attempts go to different IPs on my end, always to high ports.
Tcpdump does not show any of my clients trying to reach out to that IP.
Those connection attempts are blocked (DROP_INPUT), so I only see single SYN flagged packets.

Any ideas what they are up to, or how to find out what they are looking for?
Or is this more like a tcpdump/decode question that does not belong here?

I include some example lines from tcpdump and tshark below.

Thanks for thinking
Kulm

“tcpdump -i red0 host 185.156.73.25” host says:

listening on red0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
07:04:11.944614 IP 185.156.73.25.55791 > 85.X.Y.117.14418: Flags [S], seq 4006103107, win 1024, options [mss 1460], length 0
07:04:13.024024 IP 185.156.73.25.55791 > 85.X.Y.117.50944: Flags [S], seq 372675468, win 1024, options [mss 1460], length 0
07:04:13.539143 IP 185.156.73.25.55791 > 85.X.Y.116.50494: Flags [S], seq 867659782, win 1024, options [mss 1460], length 0
07:04:14.234221 IP 185.156.73.25.55791 > 85.X.Y.116.56066: Flags [S], seq 3154683414, win 1024, options [mss 1460], length 0
07:04:15.688133 IP 185.156.73.25.55791 > 85.X.Y.115.5355: Flags [S], seq 3291392964, win 1024, options [mss 1460], length 0
07:04:16.160767 IP 185.156.73.25.55791 > 85.X.Y.116.56183: Flags [S], seq 3576180821, win 1024, options [mss 1460], length 0
07:04:17.258196 IP 185.156.73.25.55791 > 85.X.Y.117.13087: Flags [S], seq 1186455127, win 1024, options [mss 1460], length 0
07:04:17.405438 IP 185.156.73.25.55791 > 85.X.Y.117.51091: Flags [S], seq 3852098510, win 1024, options [mss 1460], length 0
07:04:17.973710 IP 185.156.73.25.55791 > 85.X.Y.117.33897: Flags [S], seq 637149220, win 1024, options [mss 1460], length 0
07:04:18.544843 IP 185.156.73.25.55791 > 85.X.Y.116.57191: Flags [S], seq 1613054111, win 1024, options [mss 1460], length 0
07:04:20.360815 IP 185.156.73.25.55791 > 85.X.Y.117.40288: Flags [S], seq 3309285126, win 1024, options [mss 1460], length 0
07:04:21.913266 IP 185.156.73.25.55791 > 85.X.Y.115.50059: Flags [S], seq 1865072489, win 1024, options [mss 1460], length 0
07:04:22.811777 IP 185.156.73.25.55791 > 85.X.Y.115.40137: Flags [S], seq 714968878, win 1024, options [mss 1460], length 0
07:04:24.176067 IP 185.156.73.25.55791 > 85.X.Y.115.24664: Flags [S], seq 2159017142, win 1024, options [mss 1460], length 0
07:04:25.752747 IP 185.156.73.25.55791 > 85.X.Y.115.43568: Flags [S], seq 1339811927, win 1024, options [mss 1460], length 0
07:04:26.579118 IP 185.156.73.25.55791 > 85.X.Y.117.30261: Flags [S], seq 3031551765, win 1024, options [mss 1460], length 0
07:04:27.555077 IP 185.156.73.25.55791 > 85.X.Y.115.51091: Flags [S], seq 1893442518, win 1024, options [mss 1460], length 0
07:04:28.638187 IP 185.156.73.25.55791 > 85.X.Y.115.45261: Flags [S], seq 1198786558, win 1024, options [mss 1460], length 0
07:04:28.994907 IP 185.156.73.25.55791 > 85.X.Y.116.60112: Flags [S], seq 1996523301, win 1024, options [mss 1460], length 0
07:04:29.903523 IP 185.156.73.25.55791 > 85.X.Y.115.7176: Flags [S], seq 3315488694, win 1024, options [mss 1460], length 0
07:04:29.976075 IP 185.156.73.25.55791 > 85.X.Y.116.51306: Flags [S], seq 4024759107, win 1024, options [mss 1460], length 0
07:04:31.902501 IP 185.156.73.25.55791 > 85.X.Y.117.50092: Flags [S], seq 756878193, win 1024, options [mss 1460], length 0
07:04:33.231441 IP 185.156.73.25.55791 > 85.X.Y.117.16598: Flags [S], seq 257963963, win 1024, options [mss 1460], length 0
07:04:33.566220 IP 185.156.73.25.55791 > 85.X.Y.117.29073: Flags [S], seq 2953581269, win 1024, options [mss 1460], length 0
07:04:34.312691 IP 185.156.73.25.55791 > 85.X.Y.117.51306: Flags [S], seq 1689691210, win 1024, options [mss 1460], length 0
07:04:34.811050 IP 185.156.73.25.55791 > 85.X.Y.116.42186: Flags [S], seq 2356688582, win 1024, options [mss 1460], length 0
07:04:38.302654 IP 185.156.73.25.55791 > 85.X.Y.115.45555: Flags [S], seq 4250455910, win 1024, options [mss 1460], length 0
07:04:39.267885 IP 185.156.73.25.55791 > 85.X.Y.117.39313: Flags [S], seq 2690868813, win 1024, options [mss 1460], length 0
07:04:40.113555 IP 185.156.73.25.55791 > 85.X.Y.117.47637: Flags [S], seq 1631242168, win 1024, options [mss 1460], length 0
07:04:40.644777 IP 185.156.73.25.55791 > 85.X.Y.115.27639: Flags [S], seq 2250550172, win 1024, options [mss 1460], length 0
07:04:40.742353 IP 185.156.73.25.55791 > 85.X.Y.116.44870: Flags [S], seq 1462375231, win 1024, options [mss 1460], length 0
07:04:44.219093 IP 185.156.73.25.55791 > 85.X.Y.116.52553: Flags [S], seq 3886411784, win 1024, options [mss 1460], length 0
07:04:49.223230 IP 185.156.73.25.55791 > 85.X.Y.116.16598: Flags [S], seq 2610487077, win 1024, options [mss 1460], length 0
07:04:50.756902 IP 185.156.73.25.55791 > 85.X.Y.116.54124: Flags [S], seq 2657821321, win 1024, options [mss 1460], length 0
07:04:51.728435 IP 185.156.73.25.55791 > 85.X.Y.115.50494: Flags [S], seq 3708804957, win 1024, options [mss 1460], length 0
07:04:53.118463 IP 185.156.73.25.55791 > 85.X.Y.116.18154: Flags [S], seq 1448224470, win 1024, options [mss 1460], length 0
07:05:00.205172 IP 185.156.73.25.55791 > 85.X.Y.116.8140: Flags [S], seq 2362288660, win 1024, options [mss 1460], length 0
07:05:00.487260 IP 185.156.73.25.55791 > 85.X.Y.117.60161: Flags [S], seq 4055226395, win 1024, options [mss 1460], length 0
07:05:03.546554 IP 185.156.73.25.55791 > 85.X.Y.116.37343: Flags [S], seq 1073640534, win 1024, options [mss 1460], length 0
07:05:04.172559 IP 185.156.73.25.55791 > 85.X.Y.115.13006: Flags [S], seq 2352102280, win 1024, options [mss 1460], length 0
07:05:04.254929 IP 185.156.73.25.55791 > 85.X.Y.116.35715: Flags [S], seq 502439246, win 1024, options [mss 1460], length 0
07:05:06.521566 IP 185.156.73.25.55791 > 85.X.Y.116.45555: Flags [S], seq 154668435, win 1024, options [mss 1460], length 0
07:05:06.859864 IP 185.156.73.25.55791 > 85.X.Y.115.47637: Flags [S], seq 811111367, win 1024, options [mss 1460], length 0

“tshark -r file -2 -x” says:

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c 03 b4 00 00 fb 06 cd d6 b9 9c 49 19 55 16   .,..........I.U.
0020  96 75 d9 ef 82 ff 22 28 17 3e 00 00 00 00 60 02   .u...."(.>....`.
0030  04 00 0f 90 00 00 02 04 05 b4 00 00               ............

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c b1 6b 00 00 fb 06 20 21 b9 9c 49 19 55 16   .,.k.... !..I.U.
0020  96 73 d9 ef 63 c8 dd 36 44 d0 00 00 00 00 60 02   .s..c..6D.....`.
0030  04 00 46 28 00 00 02 04 05 b4 00 00               ..F(........

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c c2 ee 00 00 fb 06 0e 9d b9 9c 49 19 55 16   .,..........I.U.
0020  96 74 d9 ef 41 25 d3 69 15 bf 00 00 00 00 60 02   .t..A%.i......`.
0030  04 00 a1 a8 00 00 02 04 05 b4 00 00               ............

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c 8b dc 00 00 fb 06 45 b0 b9 9c 49 19 55 16   .,......E...I.U.
0020  96 73 d9 ef 42 c0 30 21 5f 6f 00 00 00 00 60 02   .s..B.0!_o....`.
0030  04 00 f9 a6 00 00 02 04 05 b4 00 00               ............

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c 9e dc 00 00 fb 06 32 ae b9 9c 49 19 55 16   .,......2...I.U.
0020  96 75 d9 ef c3 3f 24 ce cb 96 00 00 00 00 60 02   .u...?$.......`.
0030  04 00 18 51 00 00 02 04 05 b4 00 00               ...Q........
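
Added example, not part of Kulm's post and not output of the tools he ran: a small Python decoder that turns two of the tshark hex frames quoted above back into IP/TCP fields and reports which fields stay fixed across the SYNs (source port, window, MSS, TTL) and which change per probe (seq, IP id, destination port). That split is about all a blocked SYN can tell a defender, and it is the shape of a stateless port scan rather than a client trying to reach a service.

```python
import re
import struct

# Two of the "tshark -r file -2 -x" frames quoted in the post above (copied, not captured here).
TSHARK_DUMP = """\
0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c 03 b4 00 00 fb 06 cd d6 b9 9c 49 19 55 16   .,..........I.U.
0020  96 75 d9 ef 82 ff 22 28 17 3e 00 00 00 00 60 02   .u...."(.>....`.
0030  04 00 0f 90 00 00 02 04 05 b4 00 00               ............

0000  b6 d6 da 8e 64 25 70 fc 8c 14 4d b1 08 00 45 00   ....d%p...M...E.
0010  00 2c b1 6b 00 00 fb 06 20 21 b9 9c 49 19 55 16   .,.k.... !..I.U.
0020  96 73 d9 ef 63 c8 dd 36 44 d0 00 00 00 00 60 02   .s..c..6D.....`.
0030  04 00 46 28 00 00 02 04 05 b4 00 00               ..F(........
"""

def hexdump_to_bytes(frame_dump: str) -> bytes:
    """Rebuild one frame from tshark -x lines: offset, up to 16 hex bytes, ASCII column (ignored)."""
    raw = bytearray()
    for line in frame_dump.splitlines():
        if re.match(r"^[0-9a-f]{4}\s", line):
            raw += bytes(int(t, 16) for t in line.split()[1:17] if re.fullmatch(r"[0-9a-f]{2}", t))
    return bytes(raw)

def decode_syn(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/TCP headers into the fields that characterise a probe."""
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    ip = frame[14:]
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    tcp = ip[(ip[0] & 0x0F) * 4:total_len]          # total_len drops the Ethernet trailer padding
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    opts = tcp[20:(off_flags >> 12) * 4]
    mss = struct.unpack("!H", opts[2:4])[0] if opts[:2] == b"\x02\x04" else None  # MSS as 1st option
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "ttl": ttl, "ip_id": ip_id, "proto": proto, "sport": sport, "dport": dport,
            "seq": seq, "syn_only": (off_flags & 0x1FF) == 0x02, "window": window, "mss": mss}

def scan_profile(dump: str) -> dict:
    """Separate the invariants (src, sport, window, MSS, TTL) from what varies per probe (seq,
    IP id, dport): a fixed source port and window with a fresh seq for every SYN is how a
    stateless scanner writes, unlike a real client that negotiates one connection."""
    pkts = [decode_syn(hexdump_to_bytes(f)) for f in dump.strip().split("\n\n")]
    return {"packets": len(pkts),
            "all_syn_only": all(p["syn_only"] for p in pkts),
            "fixed": {k: len({p[k] for p in pkts}) == 1 for k in ("src", "sport", "window", "mss", "ttl")},
            "unique_seq": len({p["seq"] for p in pkts}) == len(pkts),
            "unique_ip_id": len({p["ip_id"] for p in pkts}) == len(pkts),
            "dports": [p["dport"] for p in pkts],
            "targets": sorted({p["dst"] for p in pkts})}
```

Feeding all five quoted frames (or a whole capture converted the same way) just extends the list; the decoder only handles the MSS-first option layout these probes use.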

Hi,

thanks for the detailed post. :slight_smile:

Not really. As you mentioned, the destination ports do not look like particular services or common network environments - the tshark output does not remind me of anything specific either.

AS44446 gets connectivity from two cybercrime-friendly ISPs: AS202425 and AS50360. The former one is considered to be a bulletproof ISP (this article should give you an idea), and I observed a decent amount of abuse from the latter, too.

So, this is probably another miscreant on the internet trying to mess with other peoples’ systems. (Apparently, the IP address was active in April, too.)

Given the hostile nature of these networks, I don’t think it is safe to open connections toward them…

Thanks, and best regards,
Peter Müller

Thank you for your quick and fruitful answer Peter.
Your clues brought me to threatstop.com, where I found that those bad IPs are included in the dshield block list. So while I think the “attacks” did not do any harm here, I have now included the dshield.rules in my IPS setup. Better safe than sorry.

Best regards
Kulm

I am not an expert.
If you have time and the necessary experience, you could set up an IPFire on a virtual machine and create something behind it which is called a “honey pot”. Then you might see what the intruder is up to, and it might do no harm to your productive system.

Thanks for the suggestion ip-mfg.
Yes, I could set up such a trap. But I’d rather spend the summer evening with a cold beer ;-).
Even if I set up that trap, I’m afraid I would be none the wiser, because all ports addressed are unprivileged high ports. So what service would I offer them to talk to? And if they can’t talk more, I will not see more.

Have a nice weekend everybody