Re: Weird Broadcast Traffic

From: Patrick Harrison (pharrisonat_private)
Date: Thu Apr 19 2001 - 13:16:08 PDT


    Protocol 17 is actually UDP.  By sending spoofed UDP packets to either UDP
    port 7 (echo) or UDP port 19 (chargen), it is possible for an attacker to
    generate an amplified denial of service attack similar to the common smurf
    attack.  This type of UDP amplification DoS attack is known as a "fraggle"
    attack.  Most likely the source addresses you are seeing are actually
    that of the victim machines.  For more information, visit:
    
    http://www.codetalker.com/whitepapers/dos-smurf.html
    
    Patrick Harrison
    Senior Security Eng.
    ICSA.net
    
    On Thu, 19 Apr 2001, Amin Tora wrote:
    
    > Looks like they were trying to hit all systems on your network on the
    > chargen port (TCP:19, character generator).
    >
    >
    > Amin Tora, CISSP
    > ePlus Technology
    > http://www.eplus.com
    > NASDAQ: PLUS
    >
    > -----Original Message-----
    > From: Mike Tibor [mailto:tiborat_private]
    > Sent: Wednesday, April 18, 2001 11:43 PM
    > To: INCIDENTSat_private
    > Subject: Weird Broadcast Traffic
    >
    >
    > Anyone have any idea what might cause this:
    >
    > Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
    > 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
    > Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17
    > 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)
    >
    > I have more (~13KB) at http://www.lib.uaa.alaska.edu/~tibor/broadcast.txt.
    >
    > I started seeing this stuff at about 02:30 this morning, and it lasted
    > roughly 12 hours.  There were 5 unique source addresses: one from
    > sprintlink.net, two in Germany, and one from Italy, however all of the
    > packets show a TTL of 234.  Would this indicate the source addresses were
    > likely spoofed, and the computer generating the traffic is relatively
    > close (within a few hops)?
    >
    > I would greatly appreciate any hints or pointers anyone can give me.
    >
    > Thanks,
    > Mike
    > --
    > Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
    > Network Technician     Consortium Library         (907) 786-6050 fax
    > tiborat_private       http://www.lib.uaa.alaska.edu/~tibor/
    > http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
    >
    
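The fraggle pattern Patrick describes, as an added detection example that is not part of the original thread: a Python script (assumed, not written by any poster) that parses ipchains-style "Packet log" lines like Mike's, flags UDP packets aimed at the echo or chargen port of a broadcast address, and groups them by claimed source and TTL, since one TTL shared by sources on unrelated networks supports the spoofed-source reading. The first two sample lines are the ones from the post; the remaining lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log: the first two lines are from the post, the rest are made up
# (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:29:33 asimov kernel: Packet log: input DENY eth0 PROTO=17 194.72.6.103:43697 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:31:07 asimov kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:51200 255.255.255.255:7 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:31:09 asimov kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:40001 255.255.255.255:19 L=28 S=0x00 I=1 F=0x0000 T=234 (#1)",
    "Apr 18 02:31:12 asimov kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:1034 203.0.113.9:80 L=60 S=0x00 I=4 F=0x4000 T=52 (#1)",
]

# Fields of an ipchains "Packet log" entry: protocol, src:port, dst:port, length, ... TTL
LOG_RE = re.compile(
    r"PROTO=(?P<proto>\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+L=(?P<len>\d+).*?T=(?P<ttl>\d+)"
)
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}  # UDP small services abused by fraggle

def parse_packet_log(line):
    """Return a dict of the packet fields, or None if the line is not a packet log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: (v if k in ("src", "dst") else int(v)) for k, v in m.groupdict().items()}

def is_broadcast(ip):
    # Heuristic: limited broadcast or a host part of .255 (directed broadcast on /24s)
    return ip == "255.255.255.255" or ip.endswith(".255")

def is_fraggle_candidate(pkt):
    """UDP to echo/chargen on a broadcast address is the fraggle reflection signature."""
    return pkt["proto"] == 17 and pkt["dport"] in AMPLIFIER_PORTS and is_broadcast(pkt["dst"])

def analyse(lines):
    """Group fraggle candidates by claimed source (the probable victim) with TTLs and services."""
    summary = defaultdict(lambda: {"packets": 0, "ttls": set(), "services": set()})
    for line in lines:
        pkt = parse_packet_log(line)
        if pkt and is_fraggle_candidate(pkt):
            entry = summary[pkt["src"]]
            entry["packets"] += 1
            entry["ttls"].add(pkt["ttl"])
            entry["services"].add(AMPLIFIER_PORTS[pkt["dport"]])
    return dict(summary)

def shared_ttl(summary):
    """Return the one TTL seen across several distinct sources, else None.
    Genuine senders on different networks rarely arrive with identical hop counts,
    so a single shared TTL is evidence that the source addresses are forged."""
    ttls = set().union(*(s["ttls"] for s in summary.values())) if summary else set()
    return ttls.pop() if len(summary) > 1 and len(ttls) == 1 else None
```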



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:24:46 PDT