Re: Possible ICMP DOS spoofed to Nameservers?

From: Gary Losito (garyat_private)
Date: Mon Dec 31 2001 - 05:33:37 PST


    While I haven't been seeing ICMP messages, I have been seeing a large number of ssh attempts coming from a growing list of nameservers.  The attempts are happening at a rate of approximately 3-5 per minute.  I'd be glad to share the list if anyone is interested.
    
    Gary
    
    
    On 30 Dec 2001 19:52 EST you wrote:
    
    > I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
    > destined to our name servers. While doing a tcpdump I see no outbound
    > packets with a destination directed toward the sites sending the ICMP
    > unreachable messages. So I'm assuming that someone is spoofing the
    > addresses of our name servers to ping flood the 2 sites. However we are
    > only receiving the unreachable messages at a rate of approximately 5 to
    > 10 per minute. What I find interesting is that only our name server
    > addresses are being spoofed and those name servers are located on 2
    > entirely different class 'C' address space and at entirely different
    > physical locations (same domain though). The packet traces show that the
    > addresses sending the unreachable messages are most likely firewalls or
    > border routers denying ICMP because the unreachable hosts are not the
    > ones sending the unreachable messages. I started seeing messages from
    > one site (Microsoft) at 2001/12/23-00:04:22 PST and the other site
    > (Keesler Air Force Base) at 2001/12/28-07:17:11 PST and they are still
    > going as I write this.
    > 
    > Is anyone else seeing anything like this?
    > 
    > Is there a DDOS currently going on that happens to cycle through a list
    > of name servers as spoofed sources?
    > 
    > Thanks,
    > 
    > Rich
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
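The reasoning in the quoted message (an ICMP type 3 code 13 whose quoted inner packet names one of our name servers as source, while no such outbound flow was ever sent, is backscatter from someone spoofing our addresses) written out as a small Python classifier. This is an added example, not code from either poster; the addresses, the table of recently sent flows and the ICMP samples are all constructed here, and the parser assumes the quoted datagram is a plain IPv4 header (options are skipped via IHL, nothing more).

```python
"""Classify inbound ICMP destination-unreachable messages as replies to
traffic we really sent or as backscatter from packets spoofed with our
addresses. Example code; all addresses and samples are constructed."""
import struct
from ipaddress import ip_address

# RFC 792 / RFC 1812 destination-unreachable codes of interest
# (13 = "communication administratively prohibited", typical of a
# filtering router or firewall answering on behalf of the real target).
UNREACHABLE_CODES = {0: "net", 1: "host", 3: "port", 13: "admin-prohibited"}

def parse_icmp_error(icmp: bytes):
    """Return (code, quoted_src, quoted_dst, quoted_proto) from a type-3
    ICMP message; the error quotes the offending IP header + 8 bytes."""
    itype, code = struct.unpack_from("!BB", icmp, 0)
    if itype != 3:
        raise ValueError("not a destination-unreachable message")
    inner = icmp[8:]                      # quoted original datagram
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        raise ValueError("quoted packet is not an IPv4 header")
    proto = inner[9]
    return code, ip_address(inner[12:16]), ip_address(inner[16:20]), proto

def classify(icmp, our_addrs, sent_flows):
    """sent_flows: set of (src, dst, proto) tuples we actually transmitted
    recently (e.g. from a tcpdump of our own outbound traffic). An error
    quoting one of our hosts as source, with no such flow on record, is
    backscatter: a third party is spoofing our address toward that site."""
    code, src, dst, proto = parse_icmp_error(icmp)
    label = UNREACHABLE_CODES.get(code, str(code))
    if src not in our_addrs:
        return "unrelated"
    if (src, dst, proto) in sent_flows:
        return "legit " + label
    return "backscatter " + label

def build_icmp_error(code, src, dst, proto=1):
    """Construct a type-3 ICMP message quoting a minimal IPv4 header plus
    8 bytes of an ICMP echo request (constructed test input, checksums 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return struct.pack("!BBHI", 3, code, 0, 0) + ip_hdr + b"\x08\x00" + b"\0" * 6

def demo():
    """Three constructed samples: a reply to a ping we really sent, a
    backscatter hit naming a name server we never sent from, and an error
    about somebody else's host entirely."""
    ours = {ip_address("192.0.2.53"), ip_address("203.0.113.53")}
    sent = {(ip_address("192.0.2.53"), ip_address("198.51.100.7"), 1)}
    samples = [build_icmp_error(13, "192.0.2.53", "198.51.100.7"),
               build_icmp_error(13, "203.0.113.53", "198.51.100.7"),
               build_icmp_error(1, "198.51.100.9", "198.51.100.7")]
    return [classify(s, ours, sent) for s in samples]
```

A steady trickle of "backscatter admin-prohibited" results for a single quoted destination, with nothing in sent_flows, is exactly the pattern the quoted message describes.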



    This archive was generated by hypermail 2b30 : Mon Dec 31 2001 - 09:18:59 PST