Hello to the whole list,
After following you with interest for months, I'll take the chance to compliment
everyone on the level of the discussions as I post my first message.
This is, to all intents and purposes, a request for your opinion on some strange
traffic I am seeing on the following network:
[client PC network]--50--[FW ASA]--100--[ Inside ]
  |    |    |                              |    |
 PC1  PC2  PCn                            AD1  AD2
As you can see, there is a network (PC clients) that sits "beyond the firewall",
and an internal network (inside) hosting several servers, among them two MS
"Domain Controllers" (Active Directory 2003).
The firewall lets ICMP traffic through, because for AD to work the clients
periodically send "echo requests" to the servers (*), in addition to the traffic
to the usual ports needed by the AD services.
Analysing this ICMP traffic I noticed that, completely at random, some PC emits
strange fragmented ICMP packets.
Here is an example:
22:28:34.220690 IP (tos 0x0, ttl 128, id 36195, offset 0, flags [+], proto ICMP (1), length 1500) rel_mngr2.cimad.flo.it > cimad1.cimad.flo.it: ICMP echo request, id 512, seq 35842, length 1480
0x0000: 4500 05dc 8d63 2000 8001 75d4 c0a8 c78f E....c....u.....
0x0010: c0a8 c908 0800 2dd3 0200 8c02 ffd8 fffe ......-.........
0x0020: 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
0x0030: 0001 0101 0060 0060 0000 ffdb 0043 0010 .....`.`.....C..
0x0040: 0b0c 0e0c 0a10 0e0d 0e12 1110 1318 281a ..............(.
0x0050: 1816 1618 3123 251d 283a 333d 3c39 3338 ....1#%.(:3=<938
0x0060: 3740 485c 4e40 4457 4537 3850 6d51 575f 7@H\N@DWE78PmQW_
0x0070: 6267 6867 3e4d 7179 7064 785c 6567 63ff bghg>Mqypdx\egc.
0x0080: db00 4301 1112 1218 1518 2f1a 1a2f 6342 ..C......./../cB
0x0090: 3842 6363 6363 6363 6363 6363 6363 6363 8Bcccccccccccccc
0x00a0: 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00b0: 6363 6363 6363 6363 6363 6363 6363 6363 cccccccccccccccc
0x00c0: 6363 6363 ffc0 0011 0800 2600 9e03 0121 cccc......&....!
0x00d0: 0002 1101 0311 01ff c400 1f00 0001 0501 ................
0x00e0: 0101 0101 0100 0000 0000 0000 0001 0203 ................
0x00f0: 0405 0607 0809 0a0b ffc4 00b5 1000 0201 ................
0x0100: 0303 0204 0305 0504 0400 0001 7d01 0203 ............}...
0x0110: 0004 1105 1221 3141 0613 5161 0722 7114 .....!1A..Qa."q.
0x0120: 3281 91a1 0823 42b1 c115 52d1 f024 3362 2....#B...R..$3b
0x0130: 7282 090a 1617 1819 1a25 2627 2829 2a34 r........%&'()*4
0x0140: 3536 3738 393a 4344 4546 4748 494a 5354 56789:CDEFGHIJST
0x0150: 5556 5758 595a 6364 6566 6768 696a 7374 UVWXYZcdefghijst
0x0160: 7576 7778 797a 8384 8586 8788 898a 9293 uvwxyz..........
0x0170: 9495 9697 9899 9aa2 a3a4 a5a6 a7a8 a9aa ................
0x0180: b2b3 b4b5 b6b7 b8b9 bac2 c3c4 c5c6 c7c8 ................
0x0190: c9ca d2d3 d4d5 d6d7 d8d9 dae1 e2e3 e4e5 ................
0x01a0: e6e7 e8e9 eaf1 f2f3 f4f5 f6f7 f8f9 faff ................
0x01b0: c400 1f01 0003 0101 0101 0101 0101 0100 ................
0x01c0: 0000 0000 0001 0203 0405 0607 0809 0a0b ................
0x01d0: ffc4 00b5 1100 0201 0204 0403 0407 0504 ................
0x01e0: 0400 0102 7700 0102 0311 0405 2131 0612 ....w.......!1..
0x01f0: 4151 0761 7113 2232 8108 1442 91a1 b1c1 AQ.aq."2...B....
0x0200: 0923 3352 f015 6272 d10a 1624 34e1 25f1 .#3R..br...$4.%.
0x0210: 1718 191a 2627 2829 2a35 3637 3839 3a43 ....&'()*56789:C
0x0220: 4445 4647 4849 4a53 5455 5657 5859 5a63 DEFGHIJSTUVWXYZc
0x0230: 6465 6667 6869 6a73 7475 7677 7879 7a82 defghijstuvwxyz.
0x0240: 8384 8586 8788 898a 9293 9495 9697 9899 ................
0x0250: 9aa2 a3a4 a5a6 a7a8 a9aa b2b3 b4b5 b6b7 ................
0x0260: b8b9 bac2 c3c4 c5c6 c7c8 c9ca d2d3 d4d5 ................
0x0270: d6d7 d8d9 dae2 e3e4 e5e6 e7e8 e9ea f2f3 ................
0x0280: f4f5 f6f7 f8f9 faff da00 0c03 0100 0211 ................
0x0290: 0311 003f 00ed 356d 4a1d 234d 96fa e164 ...?..5mJ.#M...d
0x02a0: 68a2 c6e1 1805 b920 7192 3d6a ae81 e22b h.......q.=j...+
0x02b0: 2f10 4733 5989 50c2 4074 9540 233d 0f04 /.G3Y.P.@t.@#=..
0x02c0: 8ec7 bf6a 00d6 ae75 fc67 a62e b634 a58e ...j...u.g...4..
0x02d0: e5e6 f3c4 1bd5 06cd e4e3 b9cf 078e 9dbb ................
0x02e0: d006 86a7 addb 6977 b616 b3a4 acf7 d279 ......iw.......y
0x02f0: 7194 0080 72a3 9c91 fde1 eb5a 5400 5140 q...r......ZT.Q@
0x0300: 0514 0051 4005 1400 5140 0d92 448a 3692 ...Q@...Q@..D.6.
0x0310: 4754 4405 9998 e028 1d49 35cc dbf8 f349 GTD....(.I5....I
0x0320: b9d4 62b3 862b b669 6511 249b 1429 24e0 ..b..+.ie.$..)$.
0x0330: 1e5b 38fc 33ed 401b d6ba 8da5 e5d5 cdb5 .[8.3.@.........
0x0340: b4eb 24b6 a42c caa0 fc84 e78c f43d 0f4e ..$..,.......=.N
0x0350: 98ab 5401 cff8 effe 450b effb 67ff 00a3 ..T.....E...g...
0x0360: 16b9 9f0c 11a1 f8a2 c61d ca96 faa5 844e ...............N
0x0370: 0798 400e 501c 907a 92ca c00f f6f8 f4a0 ..@.P..z........
0x0380: 0ef3 53bd 4d37 4db9 bd93 6910 465f 6b36 ..S.M7M...i.F_k6
0x0390: ddc4 0e17 3ee7 03f1 af2d d3ac da39 fc3b ....>....-...9.;
0x03a0: a84c dbe7 bed4 19da 42c4 b305 78c7 39ef .L......B...x.9.
0x03b0: bb79 fc68 03d1 35ad 77fb 2751 d2ed 3ecd .y.h..5.w.'Q..>.
0x03c0: e6fd be5f 2f76 fdbb 3951 9c60 e7ef 7b74 ..._/v..9Q.`..{t
0x03d0: ab5a beaf 69a2 d97d aaf5 d950 9daa 1549 .Z..i..}...P...I
0x03e0: 2cd8 2401 f5c1 eb81 401c effc 2713 47fe ,.$.....@...'.G.
0x03f0: 9171 a05f 47a7 9e45 ce0f 2a7e e9c1 0073 .q._G..E..*~...s
0x0400: 91fc 5dfb d745 2ea9 07f6 24ba a5ab 2dc4 ..]..E....$...-.
0x0410: 2903 4cbb 4e37 6d04 e3db a63d a803 9db6 ).L.N7m....=....
0x0420: f1c4 d7e9 00d3 7449 eee7 6ff5 c88e 76c2 ......tI..o...v.
0x0430: 4b10 a0b6 dc72 0672 7007 af5c 6d78 83c4 K....r.rp..\mx..
0x0440: 169a 05a8 92e7 73cb 206f 2625 07f7 8463 ......s..o&%...c
0x0450: bf41 d475 fd7a 5006 2af8 dee2 de68 8eab .A.u.zP.*....h..
0x0460: a0dd d85a bbec 69df 710a 4fb1 519f e78c ...Z..i.q.O.Q...
0x0470: f5ae 99f5 1b48 f4d1 a8c9 3aa5 a18c 4be6 .....H....:...K.
0x0480: 3023 e523 238e bce4 71d6 8039 9ff8 4d6f 0#.##...q..9..Mo
0x0490: 2e3f 7ba7 f86e fae6 d5be e4bc 8dde bd14 .?{..n..........
0x04a0: 8eb9 1d7b 56c7 873c 456b e21b 791e dd24 ...{V..<Ek..y..$
0x04b0: 8a58 7689 6371 f749 1d8f 71c1 f43c 7414 .Xv.cq.I..q..<t.
0x04c0: 011f 887c 4d6f a232 5bac 325d 5f4b b7cb ...|Mo.2[.2]_K..
0x04d0: b640 4160 4919 ce0f a118 1939 c71d eb36 .@A`I......9...6
0x04e0: 0f1c 186e 923d 6b49 b9d2 e290 1db2 c819 ...n.=kI........
0x04f0: b247 b6d0 7f2c f51f 5a00 b9e3 4d4a e6cb .G...,..Z...MJ..
0x0500: 4a92 0834 e96e 92e6 0952 4953 3880 6dc6 J..4.n...RIS8.m.
0x0510: e380 7d49 edd2 b9bf 0c78 82ff 004d d0e1 ..}I.....x...M..
0x0520: b7b4 f0dd cdd2 6598 dc44 1809 0963 cf08 ......e..D...c..
0x0530: 738e 075e d401 5fc3 faf5 fd96 abac 4f06 s..^.._.......O.
0x0540: 8773 74f7 33ef 9224 dd98 0ee7 3b4e 14fa .st.3..$....;N..
0x0550: 91db a57a 7500 73fe 3bff 0091 42fb fed9 ...zu.s.;...B...
0x0560: ff00 e8c5 ac1f 11db 4abe 0ed0 755b 62c2 ........J...u[b.
0x0570: 6b08 e160 dc61 4155 e707 afcc 13f3 3401 k..`.aAU......4.
0x0580: 6bc6 fa93 5f68 7a65 a592 c9bf 5674 6456 k..._hze....VtdV
0x0590: 0a32 bc10 a493 c1dc c9f9 1e7d 5be2 8b64 .2.........}[..d
0x05a0: b3d5 7c23 6b19 6290 4e23 52dd 480d 1019 ..|#k.b.N#R.H...
0x05b0: fca8 026f 1a7f c8c3 e18f fafb ff00 d9e3 ...o............
0x05c0: a8fc 450a ea3e 3fd1 b4fb 93ba d562 3379 ..E..>?......b3y
0x05d0: 7818 27e6 2739 1c83 b141 1e94 x.'.'9...A..
22:28:34.220716 IP (tos 0x0, ttl 128, id 36195, offset 1480, flags [none], proto ICMP (1), length 596) rel_mngr2.cimad.flo.it > cimad1.cimad.flo.it: icmp
0x0000: 4500 0254 8d63 00b9 8001 98a3 c0a8 c78f E..T.c..........
0x0010: c0a8 c908 01d8 5c41 1dcd bcb6 f32e e8a5 ......\A........
0x0020: 428e b9c6 4118 238a c397 4887 44f0 7ea7 B...A.#...H.D.~.
0x0030: 676f 34f2 c5f6 7999 7ce6 0c57 2878 1803 go4...y.|..W(x..
0x0040: 03bf d49a 006f 8063 44f0 959b 222a 9732 .....o.cD..."*.2
0x0050: 3310 31b8 ef61 93eb c003 f0ac d485 751f 3.1..a........u.
0x0060: 8a17 02e8 ef5b 1b75 7854 8180 70b8 cf1c .....[.uxT..p...
0x0070: e0bb 1f5c e3d2 803a cbfb 2875 1b19 ecee ...\...:..(u....
0x0080: 1731 4c85 5b81 91ee 33dc 751e e2b8 9f0c .1L.[...3.u.....
0x0090: 59cf aefc 3ebc d344 ca84 4e52 22cb c2e0 Y...>..D..NR"...
0x00a0: abe0 e3d4 93cf 3d7d b140 10db f89b 5ff0 ......=}.@...._.
0x00b0: cdbc 569a b693 bede 0411 249c a64e 32a3 ..V.......$..N2.
0x00c0: 78ca 9c0e 3006 78f6 35b9 e1ad 43c3 daa6 x...0.x.5...C...
0x00d0: af73 77a6 dbc9 06a1 2213 2875 20b2 e572 .sw.....".(u...r
0x00e0: d804 af27 1ef9 cd00 53f0 bc2b 7be3 3d7a ...'....S..+{.=z
0x00f0: fee4 ef9e da5f 2632 40c2 8cb2 fa75 0a80 ....._&2@....u..
0x0100: 67d0 9eb9 adcf 16d9 437b e1ab e599 73e5 g.......C{....s.
0x0110: 44d3 2100 6559 4123 19e9 d31f 4268 032f D.!.eYA#....Bh./
0x0120: 4b9e 4b8f 864e f2b6 e616 53a0 38c7 0a19 K.K..N....S.8...
0x0130: 40fc 80ab 9e04 ff00 9142 c7fe da7f e8c6 @........B......
0x0140: a00c ff00 05ff 00c8 c3e2 7ffa fbff 00d9 ................
0x0150: e4ae c280 39ff 001d ff00 c8a1 7dff 006c ....9.......}..l
0x0160: ff00 f462 d4d6 5649 a978 2ed6 ca4d a04f ...b..VI.x...M.O
0x0170: 611a 6e65 ddb4 9418 6c7b 1c1f c280 38df a.ne....l{....8.
0x0180: 05c1 36a1 add9 4371 1489 168f 13ee 4914 ..6...Cq......I.
0x0190: 95f3 0bb1 e41f badf 37d7 f77f 96e7 8d3f ........7......?
0x01a0: e461 f0c7 fd7d ff00 ecf1 d001 e34f f918 .a...}.......O..
0x01b0: 7c31 ff00 5f7f fb3c 7537 8c2c 2f62 bab2 |1.._..<u7.,/b..
0x01c0: d774 885a 5bdb 43b1 9150 bef4 39ed 9ed9 .t.Z[.C..P..9...
0x01d0: 2381 9f9b 3918 a00a bff0 b061 bab7 f2b4 #...9......a....
0x01e0: fd36 ee5d 41d3 e48b 6865 dd8e 7a1c 9039 .6.]A...he..z..9
0x01f0: 3d06 71db b5e8 6c6f 6c3c 0b7f 1ea5 712c =.q...lol<....q,
0x0200: f76f 6d33 c864 94c9 b328 70a0 fb00 3d79 .om3.d...(p...=y
0x0210: cd00 4de0 4ff9 142c 7fed a7fe 8c6a cdf1 ..M.O..,.....j..
0x0220: 359d ee91 af47 e24d 3606 9916 322f 230c 5....G.M6...2/#.
0x0230: 4654 6064 f39e 98e8 3036 64d0 0477 7e35 FT`d....06d..w~5
0x0240: 3abd ac96 3e1f b1bc 92f6 61b0 3328 5f2d :...>.....a.3(_-
0x0250: 4f05 b2ac O...
All the remaining ICMP traffic consists of perfectly normal echo requests and
replies (in MS format):
22:29:35.447574 IP (tos 0x0, ttl 32, id 3326, offset 0, flags [none], proto ICMP (1), length 60) i_point0.cimad.flo.it > cimad1.cimad.flo.it: ICMP echo request, id 512, seq 9728, length 40
0x0000: 4500 003c 0cfe 0000 2001 7c4a c0a8 c71f E..<......|J....
0x0010: c0a8 c908 0800 275e 0200 2600 4142 4344 ......'^..&.ABCD
0x0020: 4546 4748 494a 4b4c 4d4e 4f50 5152 5354 EFGHIJKLMNOPQRST
0x0030: 5556 5741 4243 4445 4647 4849 UVWABCDEFGHI
22:29:35.447965 IP (tos 0x0, ttl 127, id 21874, offset 0, flags [none], proto ICMP (1), length 60) cimad1.cimad.flo.it > i_point0.cimad.flo.it: ICMP echo reply, id 512, seq 9728, length 40
0x0000: 4500 003c 5572 0000 7f01 d4d5 c0a8 c908 E..<Ur..........
0x0010: c0a8 c71f 0000 2f5e 0200 2600 4142 4344 ....../^..&.ABCD
0x0020: 4546 4748 494a 4b4c 4d4e 4f50 5152 5354 EFGHIJKLMNOPQRST
0x0030: 5556 5741 4243 4445 4647 4849 UVWABCDEFGHI
What could this traffic be due to, or what could it be for, in your opinion?
Thanks in advance.
Alfredo
(*) what all this echo traffic is actually for remains a mystery to me
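Added example, not part of the original post and not from any tool the poster used: a small Python checker that parses tcpdump -X output like the captures above, decodes the IPv4 header fields, and flags ICMP echo packets that are fragmented, start with a JPEG SOI marker, or do not carry the standard Windows ping payload. The sample dump is constructed from the opening lines of the two echo requests quoted in the post, with host names shortened.

```python
import re

# Constructed sample: opening lines of the two echo requests quoted in the post (hosts shortened)
SAMPLE_DUMP = """\
22:28:34.220690 IP (tos 0x0, ttl 128, id 36195, offset 0, flags [+], proto ICMP (1), length 1500) A > B: ICMP echo request, id 512, seq 35842, length 1480
0x0000: 4500 05dc 8d63 2000 8001 75d4 c0a8 c78f E....c....u.....
0x0010: c0a8 c908 0800 2dd3 0200 8c02 ffd8 fffe ......-.........
0x0020: 0008 5741 4e47 3202 ffe0 0010 4a46 4946 ..WANG2.....JFIF
22:29:35.447574 IP (tos 0x0, ttl 32, id 3326, offset 0, flags [none], proto ICMP (1), length 60) C > B: ICMP echo request, id 512, seq 9728, length 40
0x0000: 4500 003c 0cfe 0000 2001 7c4a c0a8 c71f E..<......|J....
0x0010: c0a8 c908 0800 275e 0200 2600 4142 4344 ......'^..&.ABCD
0x0020: 4546 4748 494a 4b4c 4d4e 4f50 5152 5354 EFGHIJKLMNOPQRST
0x0030: 5556 5741 4243 4445 4647 4849 UVWABCDEFGHI
"""
WIN_PING_PAYLOAD = (b"ABCDEFGHIJKLMNOPQRSTUVW" * 2)[:32]  # what Windows ping.exe sends

def parse_packets(text):
    """Turn tcpdump -X output into a list of raw IPv4 packets (bytes)."""
    packets = []
    for line in text.splitlines():
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ IP ", line):
            packets.append(bytearray())
        elif line.startswith("0x") and packets:
            taken = 0
            for tok in line.split()[1:]:
                # stop at the ASCII column; a dump line holds at most 16 bytes
                if taken >= 16 or not re.fullmatch(r"[0-9a-f]{2}(?:[0-9a-f]{2})?", tok):
                    break
                packets[-1] += bytes.fromhex(tok)
                taken += len(tok) // 2
    return [bytes(p) for p in packets]

def analyze(text):
    """Report ICMP echo packets whose payload does not look like a normal ping."""
    reports = []
    for raw in parse_packets(text):
        ihl = (raw[0] & 0x0F) * 4
        flags_frag = int.from_bytes(raw[6:8], "big")
        # skip non-ICMP, later fragments (they carry no ICMP header) and non-echo types
        if raw[9] != 1 or flags_frag & 0x1FFF or raw[ihl] not in (0, 8):
            continue
        payload = raw[ihl + 8:]
        findings = []
        if flags_frag & 0x2000:
            findings.append("fragmented echo (MF flag set)")
        if payload[:2] == b"\xff\xd8":
            findings.append("JPEG SOI marker at start of echo payload")
        if payload.upper() != WIN_PING_PAYLOAD:
            findings.append("payload is not the standard Windows ping pattern")
        reports.append({"ip_id": int.from_bytes(raw[4:6], "big"), "findings": findings})
    return reports
```

Running analyze(SAMPLE_DUMP) reports three findings for IP id 36195 (the fragmented request whose payload begins with the JFIF header) and none for the normal ping with id 3326.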
________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List