Incident: 03-13-02 protocol 50

Here's kind of a rare bird: protocol 50


Unfortunately, snort doesn't understand protocol 50, so all I have is the syslog/logcheck reports from ipchains.

Here's the rule that ipchains is using:

# test for SIPP-ESP packets
/sbin/ipchains -A input -i $extint -s 0.0.0.0/0 -p 50 -d $extip -j DENY -l
# rule 8
(It's interesting that the Linux kernel will recognize other protocols beyond the familiar IP, TCP, and UDP...)

Fine... what is this protocol 50?

From: ftp://ftp.isi.edu/in-notes/rfc1700.txt

Assigned Internet Protocol Numbers 

Decimal    Keyword     Protocol                         References
-------    -------     --------                         ----------
<snip>
    50     SIPP-ESP    SIPP Encap Security Payload      [Steve Deering]
<snip>

More detail at: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-v3-02.txt

Abstract

   This document describes an updated version of the Encapsulating
   Security Payload (ESP) protocol, which is designed to provide a mix
   of security services in IPv4 and IPv6. ESP is used to provide
   confidentiality, data origin authentication, connectionless
   integrity, an anti-replay service (a form of partial sequence
   integrity), and limited traffic flow confidentiality.  This document
   is based upon RFC 2406 (November 1998).  Section 7 provides a brief
   review of the differences between this document and RFC 2406.
<snip>
:
:
<snip>
2.  Encapsulating Security Payload Packet Format

   The (outer) protocol header (IPv4, IPv6, or Extension) that
   immediately precedes the ESP header SHALL contain the value 50 in its
   Protocol (IPv4) or Next Header (IPv6, Extension) field (see IANA web
   page at http://www.iana.org/assignments/protocol-numbers). Figure 1
   illustrates the top level format of an ESP packet. The packet begins....
<snip>
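What the draft says about the outer header can be checked in code. The following Python is an added example written for this page, not part of the draft and not anything the author ran: it parses the outer IPv4 header, confirms Protocol = 50, and pulls out the two ESP fields that travel in the clear, the Security Parameters Index (SPI) and the sequence number (RFC 2406, section 2). Everything after those eight bytes is ciphertext (followed by the authentication data), which is why a signature-based IDS of the time had nothing in an ESP packet to match on beyond the header. The sample packet is constructed to look like the logged ones (L=280, TTL 242, the same source and destination addresses); the SPI value and the payload bytes are made up, and the header checksum is left at zero.

```python
import struct

IPPROTO_ESP = 50  # IANA-assigned protocol number for ESP (RFC 1700 keyword SIPP-ESP)


def parse_ipv4_esp(pkt):
    """Parse the outer IPv4 header and, when Protocol == 50, the two ESP fields
    that are sent in the clear: SPI and sequence number (RFC 2406 section 2).
    Everything after them is ciphertext plus trailing authentication data, so
    this is all a packet filter or IDS can see without the SA's keys."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "proto": proto, "ident": ident, "ttl": ttl, "total_len": total_len,
        "more_fragments": bool(frag & 0x2000), "frag_offset": frag & 0x1FFF,
    }
    if proto != IPPROTO_ESP:
        return info  # not ESP: only the outer-header fields are meaningful here
    esp = pkt[ihl:total_len]
    if len(esp) < 8:
        raise ValueError("ESP header is shorter than SPI + sequence number")
    spi, seq = struct.unpack("!II", esp[:8])
    # opaque_len covers encrypted payload, padding, pad length, next header
    # and the authentication data; none of it is readable without the SA.
    info.update({"spi": spi, "seq": seq, "opaque_len": len(esp) - 8})
    return info


def build_sample_esp_packet(ident, seq, spi=0x0000AB12, payload_len=252):
    """Construct (for this example only) an IPv4+ESP packet shaped like the
    logged ones: L=280, TTL 242, no fragmentation, same addresses as the log.
    The SPI and the opaque bytes are invented; the header checksum is left at
    zero because this example does not validate it."""
    total_len = 20 + 8 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, 242,
                         IPPROTO_ESP, 0,
                         bytes([66, 122, 199, 162]), bytes([12, 82, 135, 131]))
    esp_hdr = struct.pack("!II", spi, seq)
    opaque = bytes((i * 7) & 0xFF for i in range(payload_len))  # stands in for ciphertext + ICV
    return ip_hdr + esp_hdr + opaque


if __name__ == "__main__":
    sample = build_sample_esp_packet(ident=62742, seq=1)
    print(parse_ipv4_esp(sample))
```

Run as a script it prints the parsed outer header and the SPI/sequence pair for the constructed packet; with a real capture you would feed `parse_ipv4_esp` the raw IP datagram and compare the SPI against the SAs you actually have configured, since an unknown SPI from an unexpected peer is exactly the case a filter like the author's rule 8 should drop.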

So, whois 66.122.199.162?

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 

Pac Bell Internet Services (NETBLK-PBI-NET-9) PBI-NET-9
   66.120.0.0 - 66.127.255.255

Quicksilver Technologies 2 of 2 (NETBLK-SBCIS-101814-133559) 
   SBCIS-101814-133559
   66.122.199.160 - 66.122.199.191



Quicksilver Technologies 2 of 2 (NETBLK-SBCIS-101814-133559)
   6640 Via Del Oro, Suite 120
   San Jose, CA 95119
   US    

Netname: SBCIS-101814-133559
   Netblock: 66.122.199.160 - 66.122.199.191    

Coordinator:
      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin@PBI.NET
      888-212-5411    

   Record last updated on 14-Aug-2001.
   Database last updated on  15-Mar-2002 19:57:41 EDT.

At: http://www.quicksilvertech.com/aboutus.htm

"Company Profile"

"QuickSilver Technology, Inc. is a mobile communication systems company engaged in the design, development, and commercialization of revolutionary and patentable hardware, software, and SilverWareTM technologies to enable software-based cellular phones and wireless platforms for mobile commerce (m-commerce).

The future of wireless/mobile communications and software-defined radio (SDR) is in making handsets a more versatile and valuable product for consumers. Just as the Internet enables the rapid interchange of information, applications, and e-commerce, mobile communications of the future will act in the same manner, with the same advantages..."


Actually, I don't think that's got much to do with these packets; I'd be willing to bet that they just "escaped"...


syslog/logcheck:

<snip>

Mar 13 19:08:39 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=62742 F=0x0000 T=242 (#82)
Mar 13 19:08:40 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=63444 F=0x0000 T=242 (#82)
Mar 13 19:08:40 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=63912 F=0x0000 T=242 (#82)
Mar 13 19:08:40 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=64146 F=0x0000 T=242 (#82)
Mar 13 19:08:41 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=64380 F=0x0000 T=242 (#82)
Mar 13 19:08:41 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=64614 F=0x0000 T=242 (#82)

Note the Initial Sequence Number (I= ) wrapping around and restarting when it exceeds its maximum value for the sending OS...

Mar 13 19:08:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=248 F=0x0000 T=242 (#82)
Mar 13 19:08:42 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=482 F=0x0000 T=242 (#82)
Mar 13 19:08:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=716 F=0x0000 T=242 (#82)
Mar 13 19:08:43 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=950 F=0x0000 T=242 (#82)
Mar 13 19:08:44 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=1184 F=0x0000 T=242 (#82)
Mar 13 19:08:44 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=1652 F=0x0000 T=242 (#82)
Mar 13 19:08:44 greatwall kernel: Packet log: input DENY ppp0 PROTO=50
 66.122.199.162:65535 12.82.135.131:65535
 L=280 S=0x00 I=1886 F=0x0000 T=242 (#82)

<snip>

jsage@finchhaven.com
Last modified: Thu Mar 14 05:42:47 2002