Page 1 of 2
Results 1 to 10 of 17

Thread: Wireshark - how to decode packets?

  1. #1
    Just burned his ISO
    Join Date: Sep 2007
    Posts: 6

    Wireshark - how to decode packets?

    Hello there

    I have a really small webserver and for some days I have been seeing suspicious inbound traffic.
    The same remote ip is sending 300k/s of data (the ip is probably an ADSL line with max 300k upload bandwidth) towards my webserver.
    I'm worried that it could be some sort of bruteforce attack from a noob out there.
    I restarted the router, the firewall, the name servers and, more than once, the webserver, but as soon as everything is online again the traffic goes on; no way to stop it.
    Now... I captured some traffic with Wireshark and I see the packets towards my webserver.
    But Wireshark only shows the binary raw data contained in the packet. I'm interested in knowing what exactly is happening.

    The traffic I sniffed is something like this:
    web_ip = ip of my webserver
    ip = ip of the remote client sending me data

    Source    Destination  Protocol  Info

    ip        web_ip       TCP       12323 > www [ACK] Seq=0 Ack=0 Win=8576 Len=0
    ip        web_ip       TCP       [TCP DUP ACK 1#1] 12323 > www [ACK] Seq=0 Ack=0 Win=8576 Len=0
    web_ip    ip           HTTP      Continuation or non-HTTP traffic
    web_ip    ip           HTTP      Continuation or non-HTTP traffic
    web_ip    ip           HTTP      [TCP Out-Of-Order] Continuation or non-HTTP traffic
    web_ip    ip           HTTP      [TCP Out-Of-Order] Continuation or non-HTTP traffic

    And then it goes on endlessly.
    What's going on?
    Anyone out there has any advice ?

    Thank you guys.

  2. #2
    Senior Member shamanvirtuel
    Join Date: Mar 2010
    Location: Somewhere in the "Ex" human right country
    Posts: 2,988

    Filter traffic from the IP range of the attacker? Maybe you can set that on your webserver...

    Maybe it helps...
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  3. #3
    My life is this forum thorin
    Join Date: Jan 2010
    Posts: 2,629

    Quote: ...the traffic goes on, no way to stop it
    Hmmm, that's too bad. Hmmmm, I wish there were things like traffic filters and firewalls that could block this type of thing... OH WAIT!

    Or if you aren't that creative, then find out where the traffic is coming from and take the issue up with the abuse department at the person's ISP.

    BTW, if it really is web traffic then this statement is false as well:
    Quote: But Wireshark only shows the binary raw data contained in the packet.

  4. #4
    Just burned his ISO
    Join Date: Sep 2007
    Posts: 6

    Quote Originally Posted by shamanvirtuel:
    Filter traffic from the IP range of the attacker? Maybe you can set that on your webserver...

    Maybe it helps...
    I can't just ban the whole range! That would mean that no other person with the same ADSL ISP could see the pages on my server anymore.

    And unless I know for sure what that traffic was, I don't want to contact the abuse section of that ISP.

    Ehm, I said "was" because one hour ago the traffic stopped... I don't know whether to be happy or even more worried ehehehe
    Perhaps the attack was successful... let's change every password

    Quote Originally Posted by thorin:
    BTW, if it really is web traffic then this statement is false as well:
    But Wireshark only shows the binary raw data contained in the packet.
    Why? I didn't get the point, what did you mean thorin?

  5. #5
    Senior Member streaker69
    Join Date: Jan 2010
    Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts: 3,535

    Quote Originally Posted by phicube:
    I can't just ban the whole range! That would mean that no other person with the same ADSL ISP could see the pages on my server anymore.

    Why? I didn't get the point, what did you mean thorin?
    If you know where the IP is located, you just might find that you can ban the entire range and not give a care in the world. I've banned all of the Asian/Pacific subnets already as well as certain ones from Central Europe, as 95% of the traffic I saw from them were attacks. The remaining 5% of the people that weren't attacking me, can move for all I care.

    You can easily find out where an IP is located and determine if the traffic from that area is needed on your network or not.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  6. #6
    Just burned his ISO
    Join Date: Feb 2006
    Posts: 3

    Agreed. I would ban the entire range. Go to Arin.net/whois and look up the IP location etc. It's better to block them than to take the risk. I do it all of the time on our corporate firewall. If our IDS picks up an attack, and after investigation it is legit, then they get a deny statement. If someone really wants to see your site, they can look you up and contact you or your ISP regarding it.

  7. #7
    My life is this forum thorin
    Join Date: Jan 2010
    Posts: 2,629

    Quote: I can't just ban the whole range! That would mean that no other person with the same ADSL ISP could see the pages on my server anymore.
    What evidence do you have that it's an ADSL ISP? Do you know how large the assignment block is that the IP falls within? Have you determined who 'owns' the range the IP falls in?
    Quote: And unless I know for sure what that traffic was I don't want to contact the abuse section of that isp.
    If it's causing you to have to restart services then why not? Whether it's intentional or not, it's causing a DoS on your end and is wasting your resources. "I restarted the router, firewall, the name servers and more than once the webserver but as soon that everything is online again, the traffic goes on, no way to stop it."
    Quote: Why? I didn't get the point, what did you mean thorin?
    Because HTTP is a text-based protocol, especially from the client to the server. (Server to client you might see some binary data, graphics etc., but for the most part the traffic is text.) Just because it's coming in fragmented or out of order etc. and Ethereal doesn't recognize it as HTTP traffic doesn't really mean that it is. Though I suppose it's plausible. In the data section of the packet(s) you see both hex and ASCII representations of the actual packet content. Have you tried googling "[TCP Out-Of-Order] Continuation or non-HTTP traffic"? (or a substring)

    Have you checked your web server access and error logs for the same time period(s) for the IP in question?

    PS > I suppose if you allow HTTP PUT you might see some actual binary data from client to server, but that seems unlikely.
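Worked example of the check thorin describes above: pull the TCP payload out of each frame and decide whether it is an HTTP start line, other mostly-printable text, binary, or an empty segment (a bare ACK, like the Len=0 lines in the first post). This is example code added here in Python; it is not from the thread, from Wireshark or from any poster. The capture is constructed in memory with documentation addresses standing in for web_ip and the remote ip, and the parser only handles classic little-endian pcap over Ethernet with IPv4/TCP, which is what a Wireshark save of this traffic would normally be.

```python
"""Pull TCP payloads out of a capture and say what each one looks like.

Added example for this thread, not code from Wireshark or from any poster.
The capture is constructed in memory; 192.0.2.10 (stand-in for web_ip) and
198.51.100.77 (stand-in for the remote ip) are documentation addresses.
"""
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

WEB_IP = "192.0.2.10"        # assumed stand-in for the poster's web_ip
CLIENT_IP = "198.51.100.77"  # assumed stand-in for the remote ip
TCP_ACK, TCP_PSH = 0x10, 0x08
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_frame(src, dst, sport, dport, seq, ack, flags, payload):
    """Ethernet/IPv4/TCP frame with 20-byte IP and TCP headers; checksums are
    left at zero because the parser below does not verify them."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8576, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic pcap: magic, v2.4, zone, sigfigs, snaplen, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:                                   # IP protocol 6 = TCP
        return None
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4                     # TCP header length in bytes
    return (inet_ntoa(frame[26:30]), inet_ntoa(frame[30:34]),
            sport, dport, off_flags & 0x1FF, tcp[data_off:])


def iter_segments(pcap):
    """Walk the record list of a classic pcap and yield parsed TCP segments."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        off += 16
        seg = parse_frame(pcap[off:off + incl_len])
        off += incl_len
        if seg is not None:
            yield seg


def classify(payload):
    """HTTP is text from client to server, so a payload that is neither an HTTP
    start line nor mostly printable ASCII deserves a closer look."""
    if not payload:
        return "no-data"          # bare ACK / dup ACK, like the Len=0 lines in the trace
    if payload.startswith(HTTP_METHODS):
        return "http-request"
    if payload.startswith(b"HTTP/1."):
        return "http-response"
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(payload) >= 0.9 else "binary"


def summarize(pcap):
    """Counter keyed by (src, dst, verdict) so each direction's mix stands out."""
    counts = Counter()
    for src, dst, _sp, _dp, _flags, payload in iter_segments(pcap):
        counts[(src, dst, classify(payload))] += 1
    return counts


def sample_capture():
    """Constructed traffic shaped like the poster's trace: two bare ACKs from the
    client, a real GET, a text response and one mid-stream binary chunk."""
    frames = [
        build_frame(CLIENT_IP, WEB_IP, 12323, 80, 0, 0, TCP_ACK, b""),
        build_frame(CLIENT_IP, WEB_IP, 12323, 80, 0, 0, TCP_ACK, b""),   # TCP Dup ACK
        build_frame(CLIENT_IP, WEB_IP, 12323, 80, 0, 0, TCP_ACK | TCP_PSH,
                    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        build_frame(WEB_IP, CLIENT_IP, 80, 12323, 0, 42, TCP_ACK | TCP_PSH,
                    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
        build_frame(WEB_IP, CLIENT_IP, 80, 12323, 60, 42, TCP_ACK,
                    bytes(range(256)) * 2),                              # image-like body
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for (src, dst, kind), n in sorted(summarize(sample_capture()).items()):
        print(f"{src:>15} -> {dst:<15} {kind:<14} {n}")
```

Point `iter_segments` at the bytes of a real Wireshark save (`open("capture.pcap", "rb").read()`) and the summary shows at a glance whether the remote side is sending anything at all or just acknowledgements, and whether what your server sends back is text or binary; a client-to-server stream that is mostly "binary" is the case thorin's PUT remark covers and is worth following in Wireshark's data pane.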

  8. #8
    Member imported_blackfoot
    Join Date: Jun 2007
    Posts: 386

    filter

    If you are serious, use chaosreader to reconstruct the traffic for ease of analysis, and filter the range. You are unlikely to suffer as a result of any filtering, as you have been advised herein. After all, you are not doing your job if you positively allow it to continue, as it is a degradation of service to legitimate users (visitors to your server).

    You are too concerned about others in the range. If you are serious then an IP range block is quite in order. After all, complainants can collect your e-mail address from the register and lodge a note with you, and you can change your filter.
    Lux sit

  9. #9
    Just burned his ISO
    Join Date: Sep 2007
    Posts: 6

    Quote Originally Posted by streaker69:
    If you know where the IP is located, you just might find that you can ban the entire range and not give a care in the world. I've banned all of the Asian/Pacific subnets already as well as certain ones from Central Europe, as 95% of the traffic I saw from them were attacks. The remaining 5% of the people that weren't attacking me, can move for all I care.

    You can easily find out where an IP is located and determine if the traffic from that area is needed on your network or not.
    OK, it's not my case. The ip is in my same country and it's from one of the 3 main ISPs. So no luck.

  10. #10
    Member imported_blackfoot
    Join Date: Jun 2007
    Posts: 386

    ISP

    Then perhaps, if it is a continuing attack, you should correspond with the ISP and ask it to review the matter... or, as we have said, block it.

    This is not a BackTrack matter.
    Lux sit
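The questions thorin raised (how large is the assignment block, who owns it) and the two options the thread ends on (block the range, or write to the ISP) come down to reading the registry record for the address. The example below, added here in Python and not from any post, parses the inetnum/NetRange and abuse-contact lines out of whois text, summarizes the range into CIDR blocks, counts how many other addresses a range-wide block would catch, falls back to the single address when that count exceeds a threshold, and emits the matching iptables and Apache 2.4 rules. The whois text is constructed (real ARIN or RIPE output carries these fields among many others), the addresses are documentation ranges, and `max_collateral` is an assumed threshold, not a registry value.

```python
"""Size up the registry block an address sits in before deciding to filter it.

Added example for this thread, not from any poster.  SAMPLE_WHOIS is constructed
to resemble the inetnum/NetRange and abuse lines real registries return.
"""
import ipaddress
import re

SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-DSL-POOL
descr:          constructed sample, consumer DSL pool
country:        ZZ
abuse-mailbox:  abuse@example.test
"""

# RIPE-style "inetnum:" and ARIN-style "NetRange:" both give first - last.
RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*([\d.]+)\s*-\s*([\d.]+)", re.M)
ABUSE_RE = re.compile(r"^(?:abuse-mailbox|OrgAbuseEmail):\s*(\S+)", re.M)


def parse_range(whois_text):
    """First and last address of the registry assignment, as ip_address objects."""
    m = RANGE_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum/NetRange line in whois output")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def abuse_contact(whois_text):
    """Abuse mailbox to write to, or None if the record has none."""
    m = ABUSE_RE.search(whois_text)
    return m.group(1) if m else None


def range_to_cidrs(first, last):
    """Registry ranges need not be CIDR-aligned; summarize into the minimal set."""
    return list(ipaddress.summarize_address_range(first, last))


def decide(attacker, whois_text, max_collateral=256):
    """Return (networks_to_block, collateral): collateral is how many other
    addresses a block of the whole registry range would catch.  Above the
    assumed max_collateral threshold, block only the single address."""
    attacker = ipaddress.ip_address(attacker)
    cidrs = range_to_cidrs(*parse_range(whois_text))
    if not any(attacker in net for net in cidrs):
        raise ValueError(f"{attacker} is not inside the whois range")
    collateral = sum(net.num_addresses for net in cidrs) - 1
    if collateral > max_collateral:
        return [ipaddress.ip_network(f"{attacker}/{attacker.max_prefixlen}")], collateral
    return cidrs, collateral


def iptables_rules(networks, port=80):
    """Host-firewall rules for the web port, inserted at the top of INPUT."""
    return [f"iptables -I INPUT -s {net.with_prefixlen} -p tcp --dport {port} -j DROP"
            for net in networks]


def apache_deny(networks):
    """Same block at the web-server level (Apache 2.4 mod_authz_core syntax)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {net.with_prefixlen}" for net in networks]
    lines.append("</RequireAll>")
    return lines


if __name__ == "__main__":
    nets, hit = decide("198.51.100.77", SAMPLE_WHOIS)
    print(f"blocking {[str(n) for n in nets]} ({hit} other addresses in the range)")
    print("\n".join(iptables_rules(nets)))
    print("\n".join(apache_deny(nets)))
    print("abuse contact:", abuse_contact(SAMPLE_WHOIS))
```

The code does no network lookups; paste in the output of `whois <ip>` for the address in question. With the constructed /24 and the default threshold the whole range is small enough to drop; pushing `max_collateral` down, or feeding it a /16 consumer pool, makes it fall back to a /32, which is the trade-off the thread argues about.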

