On Wed, 11 Apr 2001 15:43:11 EDT, Mike Worman <wormanat_private> said:

> Apr 11 12:33:10 211.33.122.158:33895 -> x.y.z.100:33444 UDP
> Apr 11 12:33:14 211.33.122.158:33938 -> x.y.z.118:33444 UDP

43 packets difference, and 4 seconds...

> Apr 11 12:33:25 211.33.122.158:34038 -> x.y.z.22:33444 UDP

59 - or 42 plus 17. And 11 seconds..

> Apr 11 12:33:27 211.33.122.158:34055 -> x.y.z.23:33444 UDP

It hit z.22, and took 17 more packets to hit z.23. Consistent with a distance of 17 hops. Notice only 2 seconds to do that traceroute.

> Apr 11 12:33:31 211.33.122.158:34097 -> x.y.z.33:33444 UDP

Took 42 packets here. And 4 seconds clock time. I'll place bets the other 2 seconds and 25 packets were a traceroute to a bum host that your IDS didn't see?

Let's summarize so far:

43pack/4sec - 17/2 for the successful trace, and 25/2 to a dead host.
59/11 - 17/2, after a 17/2 to a host you didn't trace, and a 25/7 to a dead
17/2 - 17/2 to a successful host...
42/4 - 17/2, after a 25/2 to a dead host...

> Apr 11 12:33:39 211.33.122.158:34170 -> x.y.z.5:33444 UDP

73/8. 17/2 for host z.5, another 25 for a dead host, and 2 traceroutes that got terminated after 16 hops because your router threw an ICMP Host Unreachable back.

> Apr 11 12:33:48 211.33.122.158:34256 -> x.y.z.67:33444 UDP

86. And burnt 9 seconds. 85 is 5 * 17, bet he poked at 4 other machines in between.

Looks to me like traceroute to host after host, with a TTL of 25 on his packets, and your IDS isn't seeing every host the attacker is poking at..

The fact he poked the addresses 100, 118, 18, 22, 23, 33, 5, 67 is interesting. They're not sorted numerically, but by ASCII collating. This sort of indicates to me that he managed a zone transfer of your DNS and is using that for his address list....

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
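The reasoning in the reply above (source-port deltas as a packet count, clock deltas between sightings, the UDP destination port window of a classic traceroute, and the observation that the targets were visited in string rather than numeric order) can be turned into a small triage script for an IDS log. The following is an added example written for this archive page, not code from the list thread or from either poster. The log sample is the seven lines quoted in the post; the function names (`parse`, `port_deltas`, `is_traceroute_like`, `collation_order`) are hypothetical, the year in the timestamps is assumed to be 2001, and the port window check assumes the conventional UDP traceroute base port of 33434.

```python
import re
from datetime import datetime

# Constructed sample: the IDS lines quoted in the reply above.
LOG = """\
Apr 11 12:33:10 211.33.122.158:33895 -> x.y.z.100:33444 UDP
Apr 11 12:33:14 211.33.122.158:33938 -> x.y.z.118:33444 UDP
Apr 11 12:33:25 211.33.122.158:34038 -> x.y.z.22:33444 UDP
Apr 11 12:33:27 211.33.122.158:34055 -> x.y.z.23:33444 UDP
Apr 11 12:33:31 211.33.122.158:34097 -> x.y.z.33:33444 UDP
Apr 11 12:33:39 211.33.122.158:34170 -> x.y.z.5:33444 UDP
Apr 11 12:33:48 211.33.122.158:34256 -> x.y.z.67:33444 UDP
"""

# Format of one log line: "Mon DD HH:MM:SS src:sport -> dst:dport PROTO"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse(log: str, year: int = 2001):
    """Parse IDS lines into events; syslog lines carry no year, so it is assumed."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a connection line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]),
                       "proto": m["proto"]})
    return events


def port_deltas(events):
    """Source-port and clock deltas between consecutive sightings of one source.

    A traceroute-style tool sends one probe per TTL from an incrementing source
    port, so the port delta approximates the number of probes sent between two
    sightings, including probes at hosts this sensor never saw.
    """
    out = []
    for a, b in zip(events, events[1:]):
        if a["src"] != b["src"]:
            continue
        out.append({"dst": b["dst"],
                    "packets": b["sport"] - a["sport"],
                    "seconds": int((b["ts"] - a["ts"]).total_seconds())})
    return out


def is_traceroute_like(events, base=33434, width=1000):
    """True if every event is UDP into the classic traceroute destination-port window."""
    return all(e["proto"] == "UDP" and base <= e["dport"] < base + width
               for e in events)


def collation_order(hosts):
    """Classify the visiting order of last octets: 'numeric', 'ascii', or 'none'.

    ASCII order suggests the target list came from a text source (e.g. DNS data)
    rather than from a numeric sweep of the address space.
    """
    octets = [h.rsplit(".", 1)[1] for h in hosts]
    if octets == sorted(octets, key=int):
        return "numeric"
    if octets == sorted(octets):
        return "ascii"
    return "none"


if __name__ == "__main__":
    ev = parse(LOG)
    print("traceroute-like:", is_traceroute_like(ev))
    for d in port_deltas(ev):
        print(f"{d['dst']:<10} +{d['packets']:>3} probes in {d['seconds']:>2} s")
    print("target order:", collation_order([e["dst"] for e in ev]))
```

The deltas are computed directly from the ports as quoted, and the clock deltas (4, 11, 2, 4, 8, 9 seconds) match the figures used in the reply. Large port jumps with few sightings are the signal worth alerting on: they mean the source is probing hosts this sensor is not positioned to see.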
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 11:17:23 PDT