Re: Weird Broadcast Traffic

From: Patrick Harrison (pharrisonat_private)
Date: Thu Apr 19 2001 - 13:16:08 PDT

Next message: Crist Clark: "Re: More weird scans"

Previous message: Mike Tibor: "Re: Weird Broadcast Traffic"
In reply to: Amin Tora: "Re: Weird Broadcast Traffic"
Next in thread: Mike Tibor: "Re: Weird Broadcast Traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Protocol 17 is actually UDP.  By sending spoofed UDP packets to either UDP
port 7 (echo) or UDP port 19 (chargen), it is possible for an attacker to
generate an amplified denial of service attack similar to the common smurf
attack.  This type of UDP amplification DoS attack is know as a "fraggle"
attack.  Most likely the source addresses you are seeeing, are actually
that of the victim machines.  For more information, visit:

http://www.codetalker.com/whitepapers/dos-smurf.html

Patrick Harrison
Senior Security Eng.
ICSA.net

On Thu, 19 Apr 2001, Amin Tora wrote:

> Looks like they were trying to hit all systems on your network on the
> chargen port (TCP:19, character generator).
>
>
> Amin Tora, CISSP
> ePlus Technology
> http://www.eplus.com
> NASDAQ: PLUS
>
> -----Original Message-----
> From: Mike Tibor [mailto:tiborat_private]
> Sent: Wednesday, April 18, 2001 11:43 PM
> To: INCIDENTSat_private
> Subject: Weird Broadcast Traffic
>
>
> Anyone have any idea what might cause this:
>
> Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
> 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
> Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
> 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
>
> I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt.
>
> I started seeing this stuff at about 02:30 this morning, and it lasted
> roughly 12 hours.  There were 5 unique source addresses: one from
> sprintlink.net, two in Germany, and one from Italy, however all of the
> packets show a TTL of 234.  Would this indicate the source addresses were
> likely spoofed, and the computer generating the traffic is relatively
> close (within a few hops)?
>
> I would greatly appreciate any hints or pointers anyone can give me.
>
> Thanks,
> Mike
> --
> Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
> Network Technician     Consortium Library         (907) 786-6050 fax
> tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
> http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
>

Next message: Crist Clark: "Re: More weird scans"
Previous message: Mike Tibor: "Re: Weird Broadcast Traffic"
In reply to: Amin Tora: "Re: Weird Broadcast Traffic"
Next in thread: Mike Tibor: "Re: Weird Broadcast Traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:24:46 PDT