Protocol 17 is actually UDP. By sending spoofed UDP packets to either UDP port 7 (echo) or UDP port 19 (chargen), it is possible for an attacker to generate an amplified denial of service attack similar to the common smurf attack. This type of UDP amplification DoS attack is known as a "fraggle" attack. Most likely the source addresses you are seeing are actually those of the victim machines.

For more information, visit:
http://www.codetalker.com/whitepapers/dos-smurf.html

Patrick Harrison
Senior Security Eng.
ICSA.net

On Thu, 19 Apr 2001, Amin Tora wrote:

> Looks like they were trying to hit all systems on your network on the
> chargen port (TCP:19, character generator).
>
> Amin Tora, CISSP
> ePlus Technology
> http://www.eplus.com
> NASDAQ: PLUS
>
> -----Original Message-----
> From: Mike Tibor [mailto:tiborat_private]
> Sent: Wednesday, April 18, 2001 11:43 PM
> To: INCIDENTSat_private
> Subject: Weird Broadcast Traffic
>
> Anyone have any idea what might cause this:
>
> Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
> 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
> Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
> 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
>
> I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt.
>
> I started seeing this stuff at about 02:30 this morning, and it lasted
> roughly 12 hours. There were 5 unique source addresses: one from
> sprintlink.net, two in Germany, and one from Italy; however, all of the
> packets show a TTL of 234. Would this indicate the source addresses were
> likely spoofed, and the computer generating the traffic is relatively
> close (within a few hops)?
>
> I would greatly appreciate any hints or pointers anyone can give me.
>
> Thanks,
> Mike
> --
> Mike Tibor            Univ. of Alaska Anchorage    (907) 786-1001 voice
> Network Technician    Consortium Library           (907) 786-6050 fax
> tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
> http://www.lib.uaa.alaska.edu/~tibor/pgpkey for PGP public key
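The ipchains "Packet log" lines Mike quotes can be checked mechanically for the fraggle pattern Patrick describes (UDP to echo/chargen on a broadcast address) and for the single-TTL-across-sources oddity Mike noticed. The Python below is an added example, not code from the thread; the log lines other than the one quoted above are constructed with RFC 5737 documentation addresses, and the "one TTL shared by several unrelated sources suggests spoofing" rule is an assumed heuristic, not a proof.

```python
import re
from collections import defaultdict
# Field layout of the ipchains "Packet log" lines quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) .*?T=(?P<ttl>\d+)"
)
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}  # UDP services abused by fraggle

def parse_line(line):
    """Return the packet fields as a dict, or None for a non-matching line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl"):
        rec[key] = int(rec[key])
    return rec

def is_broadcast(dst):
    # Limited broadcast or a .255 directed broadcast (heuristic, no netmask lookup).
    return dst == "255.255.255.255" or dst.endswith(".255")

def is_fraggle_probe(rec):
    # UDP (protocol 17) to echo/chargen on a broadcast address: the fraggle pattern.
    return rec["proto"] == 17 and rec["dport"] in AMPLIFIER_PORTS and is_broadcast(rec["dst"])

def analyze(lines):
    """Count fraggle probes; a single TTL shared by distinct sources suggests spoofing."""
    ttls_by_src = defaultdict(set)
    probes = 0
    for line in lines:
        rec = parse_line(line)
        if rec and is_fraggle_probe(rec):
            probes += 1
            ttls_by_src[rec["src"]].add(rec["ttl"])
    all_ttls = set().union(*ttls_by_src.values())
    return {
        "probes": probes,
        "sources": sorted(ttls_by_src),
        "ttls": sorted(all_ttls),
        # Unrelated networks rarely sit the same hop count away (assumed rule of thumb).
        "spoof_suspected": len(ttls_by_src) > 1 and len(all_ttls) == 1,
    }

# Constructed sample: the line quoted in the thread, two invented sources
# (RFC 5737 documentation addresses) sharing the same TTL, and one unrelated packet.
SAMPLE_LOG = [
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:30:01 asimov kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:30:02 asimov kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:43697 255.255.255.255:7 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:30:03 asimov kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:5353 10.0.0.5:53 L=60 S=0x00 I=1 F=0x0000 T=234 (#1)",
]
```

Running `analyze(SAMPLE_LOG)` on the constructed input reports three probes from three sources, all with TTL 234, and flags spoofing as suspected.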
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:24:46 PDT