Don't know how common this is, but my guess is pretty darn common:
A sysadmin reported an intrusion on a fairly well-protected server--it has a private IP address, and no static NAT, so theoretically it would be very difficult for anyone to access it from outside our network. But there was a reported intrusion from 162.244.33.104 (morrisgraves.clientshostname.com). Firewall logs showed lines like these:
6/25/2015 00:25 ... src_ip=162.244.33.104, src_port=80, dst_ip=[our.external.IP.addr], dst_port=62391 ... pckt_len=40, ttl=53
6/25/2015 00:32 ... src_ip=162.244.33.104, src_port=80, dst_ip=[our.external.IP.addr], dst_port=65172 ... pckt_len=40, ttl=52
6/25/2015 00:39 ... src_ip=162.244.33.104, src_port=80, dst_ip=[our.external.IP.addr], dst_port=51802 ... pckt_len=40, ttl=52
That is, many packets from the same host's port 80 (http) to our public IP address + random high-value ports: i.e., to address+port combinations that might, with luck, be identical to existing dynamic NATs of hosts running web browsers. Of course, if you just keep trying, you don't need much luck--eventually you'll hit a working dynamic NAT and your packet will be forwarded right to a host inside the network.
It's simple but kind of slick. My guess is if one of those 40-byte packets gets to a host with the right Trojan running on it, all kinds of fun ensues.
Has anyone else seen this?
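As an added illustration (not from the original post), here is a small detector written against the log layout shown above: it parses the firewall lines and flags any source that sends header-only packets from one port to several distinct ephemeral ports of the same public address within a short window. The sample lines and the 203.0.113.10 / 198.51.100.7 addresses are constructed. The same signature (40-byte packets, source port 80, scattered high destination ports) is also what backscatter from a spoofed SYN flood against a third-party web server looks like, so a hit identifies the pattern, not the motive.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the post's log layout; 203.0.113.10 stands in for the public address.
SAMPLE_LOG = """\
6/25/2015 00:25 ... src_ip=162.244.33.104, src_port=80, dst_ip=203.0.113.10, dst_port=62391 ... pckt_len=40, ttl=53
6/25/2015 00:32 ... src_ip=162.244.33.104, src_port=80, dst_ip=203.0.113.10, dst_port=65172 ... pckt_len=40, ttl=52
6/25/2015 00:39 ... src_ip=162.244.33.104, src_port=80, dst_ip=203.0.113.10, dst_port=51802 ... pckt_len=40, ttl=52
6/25/2015 00:41 ... src_ip=198.51.100.7, src_port=80, dst_ip=203.0.113.10, dst_port=51802 ... pckt_len=1500, ttl=60
6/25/2015 00:42 ... src_ip=198.51.100.7, src_port=80, dst_ip=203.0.113.10, dst_port=49155 ... pckt_len=1500, ttl=60
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+) .*?src_ip=(?P<src_ip>[\d.]+), src_port=(?P<src_port>\d+), "
    r"dst_ip=(?P<dst_ip>[\d.]+), dst_port=(?P<dst_port>\d+) .*?pckt_len=(?P<len>\d+), ttl=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return the fields of one firewall line as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M"),
            "src_ip": m["src_ip"], "src_port": int(m["src_port"]),
            "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"]),
            "pckt_len": int(m["len"]), "ttl": int(m["ttl"])}

def find_nat_probes(lines, window=timedelta(hours=1), min_ports=3, max_len=40):
    """Flag sources that hit min_ports or more distinct ephemeral dst_ports on one dst_ip with
    header-only packets (<= max_len bytes) inside a single window. Returns {src_ip: details}."""
    by_flow = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["pckt_len"] <= max_len and p["dst_port"] >= 1024:
            by_flow[(p["src_ip"], p["src_port"], p["dst_ip"])].append(p)
    findings = {}
    for (src_ip, src_port, dst_ip), pkts in by_flow.items():
        pkts.sort(key=lambda p: p["ts"])
        for i, first in enumerate(pkts):  # slide the window over the time-sorted packets
            ports = {p["dst_port"] for p in pkts[i:] if p["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                findings[src_ip] = {"src_port": src_port, "dst_ip": dst_ip, "dst_ports": sorted(ports)}
                break
    return findings

if __name__ == "__main__":
    for src, hit in find_nat_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{src}:{hit['src_port']} -> {hit['dst_ip']} ports {hit['dst_ports']}")
```

Tune the window and port threshold to the firewall's normal background before turning the rule on; a single full-size response on one port is ordinary web traffic and is deliberately not flagged.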