I noticed in my logs 2 weeks ago regular probe from a subnet in the Amazone cloud only scanning for TCP/8080 capture by the iptables of my DShield sensor. The scanning started on the 15 Aug – 4 Oct 2024 where the sensor recorded 1046 individual IPs from this network.
The IP use the most was 15.184.38.31 that was initially recorded on the 15 Aug 2024 and the recorded almost daily between the 3 Sep – 4 Oct 2024.
Since I have so much data about this single IP, the other thing I was curious about if the Time to Live (TTL) would be centered around the same cluster every time this source would be recorded. The data shows (picture below) shows it was consistently between ~85-118 with some outlier with a TTL of 193 indicating some packets started with a higher TTL. It seems unlikely these outliers would have started with a TTL of 255, that would be 62 hops away.
I picked the data from the 29 Sep 2024 to look at some of the inbound SYN packets for some clues and found the maximum segment size (MSS) wasn’t the same for all traffic. Today, most traffic has a default MSS normally set to 1500, however, there can be exceptions.
The default TCP Maximum Segment Size in RFC 879 shows for IPv4 is 536. TTL 193 had a MSS of 536 set to the default which it isn’t the norme but possible:
The TTL for all other traffic on the 29 Sep range between 80 to 110 and had an MSS of 1452:
Why 1452? Where is the mission 8 bytes? Point-to-Point Protocol over Ethernet (PPPoE) is one that needs those additional 8 bytes and truncates the Ethernet MTU to 1492 to route traffic between the host and the server. However, I have no way to confirm here if this is coming from a PPPoE or some other device but this is one possibility.
If you have a honeypot, packet capture [1] is always a friend and useful to see what the logs don’t capture.
[1] https://github.com/bruneaug/DShield-SIEM/blob/main/AddOn/packet_capture.md
[2] https://en.wikipedia.org/wiki/Maximum_segment_size
[3] https://datatracker.ietf.org/doc/html/rfc2516
———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.