Friday, March 6, 2009

Fyodor: Ongoing Non-blind TCP Spoofing Attack in Taiwan

http://lists.immunitysec.com/pipermail/dailydave/2009-March/005601.html

--------------------------

check this - http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.zdnet.com.tw%2Fnews%2Fweb%2F0%2C2000085679%2C20136641%2C00.htm&lp=zt_en&btnTrUrl=Translate

Apparently some malware creativity from China is kicking some bad-ass sh*t on the network here in Taiwan. It started a few days ago and is still happening as I write this message... anyway, here's what's going on: apparently something got own3d on the way from Taiwan to Singapore, and I believe TCP connections are being sniffed for valid SYN/ACKs (as we don't see floods of bad TCP packets here), and then redirect packets with valid syn/ack numbers are being automatically sent, redirecting to some web sites in mainland China containing ad clicks, or malware, or both.

The thing is still happening as we speak; the "big" sites like tw.msn.com are affected. However, not every user is affected, but rather some large groups of users. I think it depends on how you're being routed (i.e. I can't reproduce the stuff from my segments).

I happened to look at the packet captures; it looks like an automated non-blind TCP spoofing attack. The interesting things about the spoofed packets: ip.id is always 0x0100; the TTL is always around 0x7x (0x70, or 0x72 in other segments, but it is static); the packets have a fixed size and are always FIN/ACK packets that trigger a few RSTs afterwards.

There are some screenshots of the captured traffic available here - http://blog.richliu.com/2009/03/05/743/ - see if you can spot more 'diffs' :) I also posted the 'affected' and 'non-affected' traces in the comments.
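The fingerprint described in the message (FIN/ACK segments carrying ip.id 0x0100 and a static TTL that does not match the TTL the real server used for its SYN/ACK, followed by RSTs) can be checked mechanically against a capture. The following Python is an added example written for this page, not code from the list post or from the blog linked above. It parses raw IPv4/TCP frames by hand so it runs offline, and the traffic it analyses is constructed: the addresses, ports, sequence numbers and the HTTP 302 payload are placeholders chosen to mimic the reported pattern, not bytes from the real captures.

```python
"""Heuristic detector for injected FIN/ACK segments (added example, constructed data)."""
import struct
from collections import namedtuple

SPOOF_IP_ID = 0x0100                      # ip.id reported for every spoofed packet
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Packet = namedtuple("Packet", "src dst sport dport seq ack flags ip_id ttl plen")


def parse_ipv4_tcp(raw):
    """Parse an IPv4 header followed by a TCP header; None if not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6 or len(raw) < ihl + 20:
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    plen = total_len - ihl - (off_flags >> 12) * 4      # TCP payload length
    return Packet(src, dst, sport, dport, seq, ack, off_flags & 0x1FF, ip_id, ttl, plen)


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, ip_id, ttl, payload=b""):
    """Build a minimal IPv4/TCP packet as test data (checksums left zero)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ip_id, 0x4000, ttl, 6, 0, addr(src), addr(dst))
    return ip + tcp + payload


def _conn(p):
    """Direction-independent connection identity."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def find_injected_finacks(frames, id_marker=SPOOF_IP_ID):
    """Report FIN/ACK segments whose ip.id equals the marker or whose TTL differs
    from the TTL the same sender used for its SYN/ACK; count RSTs that follow."""
    parsed = [parse_ipv4_tcp(f) for f in frames]
    baseline = {}                         # (src, sport, dst, dport) -> SYN/ACK TTL
    findings = []
    for idx, p in enumerate(parsed):
        if p is None:
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if (p.flags & (SYN | ACK)) == (SYN | ACK):
            baseline[key] = p.ttl         # genuine path length, server -> client
            continue
        if (p.flags & (FIN | ACK)) != (FIN | ACK):
            continue
        reasons = []
        if p.ip_id == id_marker:
            reasons.append("ip.id == 0x%04x" % id_marker)
        if key in baseline and p.ttl != baseline[key]:
            reasons.append("ttl %d differs from SYN/ACK ttl %d" % (p.ttl, baseline[key]))
        if reasons:
            findings.append({"index": idx, "key": key, "payload_len": p.plen,
                             "reasons": reasons, "conn": _conn(p)})
    for f in findings:                    # the post: injected FIN/ACKs trigger a few RSTs
        f["rsts_after"] = sum(1 for q in parsed[f["index"] + 1:]
                              if q is not None and q.flags & RST and _conn(q) == f["conn"])
    return findings


# Constructed sample traffic: placeholder addresses, ports and payloads.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQ = b"GET / HTTP/1.0\r\nHost: www.example.net\r\n\r\n"
OK = b"HTTP/1.0 200 OK\r\n\r\n"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.net/\r\n\r\n"


def sample_capture():
    """One clean HTTP connection, then one hit by an injected FIN/ACK."""
    b = build_ipv4_tcp
    clean = [
        b(CLIENT, SERVER, 40000, 80, 1000, 0, SYN, 0x1111, 64),
        b(SERVER, CLIENT, 80, 40000, 5000, 1001, SYN | ACK, 0x2222, 52),
        b(CLIENT, SERVER, 40000, 80, 1001, 5001, ACK, 0x1112, 64, REQ),
        b(SERVER, CLIENT, 80, 40000, 5001, 1001 + len(REQ), ACK, 0x2223, 52, OK),
        b(SERVER, CLIENT, 80, 40000, 5001 + len(OK), 1001 + len(REQ), FIN | ACK, 0x2224, 52),
    ]
    hit = [
        b(CLIENT, SERVER, 40001, 80, 2000, 0, SYN, 0x1120, 64),
        b(SERVER, CLIENT, 80, 40001, 7000, 2001, SYN | ACK, 0x2230, 52),
        b(CLIENT, SERVER, 40001, 80, 2001, 7001, ACK, 0x1121, 64, REQ),
        # Injected: seq/ack copied from the sniffed stream, but ip.id 0x0100 and a
        # TTL of 0x70 that does not match the server's SYN/ACK.
        b(SERVER, CLIENT, 80, 40001, 7001, 2001 + len(REQ), FIN | ACK, SPOOF_IP_ID, 0x70, REDIRECT),
        b(CLIENT, SERVER, 40001, 80, 2001 + len(REQ), 7002 + len(REDIRECT), ACK, 0x1122, 64),
        # The real reply now lands on a connection the client has already torn down.
        b(SERVER, CLIENT, 80, 40001, 7001, 2001 + len(REQ), ACK, 0x2231, 52, OK),
        b(CLIENT, SERVER, 40001, 80, 2001 + len(REQ), 7001, RST, 0x1123, 64),
        b(CLIENT, SERVER, 40001, 80, 2001 + len(REQ), 7001, RST, 0x1124, 64),
    ]
    return clean + hit


if __name__ == "__main__":
    for f in find_injected_finacks(sample_capture()):
        print(f["index"], f["key"], f["payload_len"], f["reasons"], "RSTs after:", f["rsts_after"])
```

To run this against a real trace, feed it the IP-layer bytes of each frame (strip the 14-byte Ethernet header when reading a libpcap file). The TTL comparison only fires on connections whose SYN/ACK is in the capture, which is also why it is worth keeping the handshake when saving the 'affected' traces; the ip.id check works on any FIN/ACK.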
