Mike, 194.72.6.103 resolves to chat.bt.net, which is an IRC server in the .uk. I would bet my money this was a DoS (smurf?) attack, and you were intended to be an amplifier for the attack. The source addresses you see in your logs are spoofed by the attacker. Proto 17 is UDP. A revised version of smurf.c, papasmurf.c, has the option to send spoofed UDP packets to broadcast addresses to amplify the data, which in turn causes a DoS to the victim. More information on this type of DoS can be found at http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

hope this helps
-ryan

----- Original Message -----
From: "Mike Tibor" <tiborat_private>
To: <INCIDENTSat_private>
Sent: Wednesday, April 18, 2001 10:42 PM
Subject: Weird Broadcast Traffic

Anyone have any idea what might cause this:

Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)

I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt. I started seeing this stuff at about 02:30 this morning, and it lasted roughly 12 hours. There were 5 unique source addresses: one from sprintlink.net, two in Germany, and one from Italy; however, all of the packets show a TTL of 234. Would this indicate the source addresses were likely spoofed, and the computer generating the traffic is relatively close (within a few hops)?

I would greatly appreciate any hints or pointers anyone can give me.

Thanks,
Mike

--
Mike Tibor                      Univ. of Alaska Anchorage
Network Technician              Consortium Library
(907) 786-1001 voice            (907) 786-6050 fax
tiborat_private                 http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key
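The log lines in the thread are in the Linux ipchains "Packet log:" format. As an added example (not code from either poster), the script below parses that format and flags what the reply describes: UDP packets aimed at the limited broadcast address on an amplifier port such as chargen (19), then groups the hits by claimed source and checks whether many different sources all arrive with one identical TTL, the pattern Mike observed and Ryan attributes to spoofing. The sample log is constructed: the two lines quoted in the thread plus extra lines using RFC 5737 documentation addresses; the inclusion of echo (port 7) as a second amplifier port and the hop estimate from an assumed initial TTL of 255 are assumptions of this example, not statements from the thread.

```python
import re
from collections import defaultdict

# ipchains packet-log fields as they appear in the thread:
# PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl>
LOG_RE = re.compile(
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

UDP = 17
# UDP services that answer every datagram and so make good amplifiers.
# Port 19 (chargen) is the one in the thread; port 7 (echo) is an assumption here.
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}


def parse_line(line):
    """Return the packet fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"],
        "proto": int(d["proto"]), "sport": int(d["sport"]), "dport": int(d["dport"]),
        "length": int(d["length"]), "ttl": int(d["ttl"]),
    }


def is_broadcast(addr):
    # Only the limited broadcast address is checked; a directed broadcast
    # check would need the local network mask, which the log does not carry.
    return addr == "255.255.255.255"


def is_amplifier_probe(rec):
    """UDP to a broadcast address on an amplifier port: someone wants us to reflect."""
    return rec["proto"] == UDP and is_broadcast(rec["dst"]) and rec["dport"] in AMPLIFIER_PORTS


def estimate_hops(ttl, initial=255):
    """Hops travelled if the sender started at `initial`. A heuristic only: the
    real initial TTL depends on the sending OS (64, 128 and 255 are all common)."""
    return initial - ttl


def analyse(lines):
    hits = [r for r in map(parse_line, lines) if r and is_amplifier_probe(r)]
    by_src = defaultdict(int)
    ttls = set()
    for r in hits:
        by_src[r["src"]] += 1
        ttls.add(r["ttl"])
    return {
        "count": len(hits),
        "sources": dict(by_src),
        "ttls": sorted(ttls),
        # Several distinct claimed sources all arriving with one identical TTL
        # points to a single sender forging the source addresses.
        "single_ttl_many_sources": len(ttls) == 1 and len(by_src) > 1,
        "hops_if_initial_255": [estimate_hops(t) for t in sorted(ttls)],
    }


# Constructed sample log: the two lines from the thread, then invented lines.
SAMPLE_LOG = [
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    # constructed: other forged sources (RFC 5737 addresses), same fixed TTL
    "Apr 18 02:31:10 asimov kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:40:02 asimov kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:43697 255.255.255.255:7 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    # constructed: ordinary unicast TCP that must not be flagged
    "Apr 18 02:45:00 asimov kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:1234 192.0.2.1:80 L=60 S=0x00 I=12 F=0x4000 T=52 (#2)",
]

if __name__ == "__main__":
    for k, v in analyse(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against a real ipchains log the script reads lines from a file instead of SAMPLE_LOG; the firewall already dropping these datagrams (the DENY in each line) is the mitigation that keeps the host from becoming an amplifier, and the summary is what you would attach to an abuse report for the upstream network.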
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 07:30:27 PDT