Recently one of our systems became the target of what I believe is some sort of DoS attack. 2536 packets with a payload of 4064 bytes were sent in 58 seconds, divided among nine (9) src/dst ports. A simple calculation shows that this generated about 1.7 Mbps, not so much in our case but more than what I think is normal.

What disturbs me is that the packets are a little funny. The payload is always 4064 bytes and just a loop of the same character. The src port is the same as the dst port, and the UDP len is always the same value as the port number. The UDP len thing looks more like a mistake from the coder; instead of doing it right, it's just the same value as the port numbers.

What I am trying to figure out is what caused this traffic. Does anyone recognize the pattern?

Ports used:
12593 <-> 12953
12850 <-> 12850
13107 <-> 13107
13364 <-> 13364
13878 <-> 13878
14135 <-> 14135
14392 <-> 14392
14649 <-> 14649

Excerpt from Snort log:

IPv4: 216.21.131.49 -> 130.241.*.* hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
UDP: port=13878 -> dport: 13878 len=13878
Payload: length = 4064
000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
010 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
..................

#(1 - 2450) [2002-01-11 04:04:06] [arachNIDS/247] MISC Large UDP Packet
IPv4: 216.21.131.49 -> 130.241.*.* hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
UDP: port=14135 -> dport: 14135 len=14135
Payload: length = 4064
000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
010 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
..................

Johan Augustsson

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:32:06 PST
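As an added example, not part of Johan's post or of any Snort tooling, here is a small Python script that parses Snort dump records in the layout quoted above and flags datagrams showing the three properties he describes: source port equal to destination port, UDP length field equal to the port number, and a payload that is one repeated byte. It also checks one thing the quoted numbers support: 13878 is 0x3636 and 14135 is 0x3737, so the port and length fields are the payload's fill byte repeated, consistent with the whole datagram after the IP header having been overwritten with the same character. The first two log records are transcribed from the post; the third, ordinary-looking DNS reply is constructed as a negative control; the regular expressions are my assumption about the dump layout.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample records in the layout of the Snort excerpt quoted in the post.
# Records 1 and 2 are transcribed from the post (only the first dump lines);
# record 3 is a constructed, benign-looking DNS reply used as a negative control.
SAMPLE_LOG = """\
IPv4: 216.21.131.49 -> 130.241.*.* hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
UDP: port=13878 -> dport: 13878 len=13878
Payload: length = 4064
000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
010 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
IPv4: 216.21.131.49 -> 130.241.*.* hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
UDP: port=14135 -> dport: 14135 len=14135
Payload: length = 4064
000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
IPv4: 192.0.2.10 -> 130.241.*.* hlen=5 TOS=0 dlen=60 ID=1 flags=0 offset=0 TTL=64 chksum=1
UDP: port=53 -> dport: 40123 len=40
Payload: length = 32
000 : 00 01 81 80 00 01 00 01 00 00 00 00 03 77 77 77 .............www
"""

# Assumed layout of the dump lines (matches the excerpt in the post).
IP_RE = re.compile(r"^IPv4:\s+(\S+)\s+->\s+(\S+)")
UDP_RE = re.compile(r"^UDP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+len=(\d+)")
LEN_RE = re.compile(r"^Payload:\s+length\s*=\s*(\d+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{3}\s*:\s*((?:[0-9A-Fa-f]{2}\s)+)")


@dataclass
class UdpRecord:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    udp_len: int = 0      # UDP length field as logged
    payload_len: int = 0  # "Payload: length = N" as logged
    payload: bytes = b""  # bytes recovered from the hex dump lines


def parse_snort_log(text):
    """Parse the plain-text Snort dump layout into UdpRecord objects."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            cur = UdpRecord(src=m.group(1), dst=m.group(2))
            records.append(cur)
            continue
        if cur is None:
            continue
        m = UDP_RE.match(line)
        if m:
            cur.sport, cur.dport, cur.udp_len = map(int, m.groups())
            continue
        m = LEN_RE.match(line)
        if m:
            cur.payload_len = int(m.group(1))
            continue
        m = HEX_RE.match(line)
        if m:
            # At most 16 hex pairs per dump line; the ASCII column is ignored.
            cur.payload += bytes.fromhex(" ".join(m.group(1).split()[:16]))
    return records


def fill_pattern_indicators(rec):
    """Return the indicators from the post that this record matches, or None."""
    hits = {}
    if rec.sport == rec.dport:
        hits["sport_equals_dport"] = rec.sport
    if rec.udp_len in (rec.sport, rec.dport):
        hits["udp_len_equals_port"] = rec.udp_len
    if rec.udp_len != rec.payload_len + 8:
        # A sane UDP length is payload + 8-byte header; 13878 != 4064 + 8.
        hits["udp_len_mismatch"] = True
    if rec.payload and len(set(rec.payload)) == 1:
        fill = rec.payload[0]
        hits["fill_byte"] = fill
        # 0x3636 == 13878: both port bytes equal the fill byte, i.e. the UDP
        # header was overwritten with the same fill pattern as the payload.
        hits["port_is_fill"] = rec.sport == ((fill << 8) | fill)
    return hits or None


def suspicious_sources(text):
    """Count, per source address, records showing the uniform-fill signature."""
    counts = Counter()
    for rec in parse_snort_log(text):
        hits = fill_pattern_indicators(rec)
        if hits and "fill_byte" in hits and "sport_equals_dport" in hits:
            counts[rec.src] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in parse_snort_log(SAMPLE_LOG):
        print(rec.src, rec.sport, "->", rec.dport, fill_pattern_indicators(rec))
    print(suspicious_sources(SAMPLE_LOG))
```

Run against a full Snort dump, `suspicious_sources` gives a per-source count of datagrams matching the pattern, which is the figure to compare against the 2536 packets in 58 seconds the post reports; the `port_is_fill` indicator is the strongest single tell, since a legitimate application would not have its port, length and payload all equal to one repeated byte.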