Trying to identify UDP DOS/Flood tool

From: Johan Augustsson (johan.augustssonat_private)
Date: Fri Jan 11 2002 - 06:13:00 PST


    Recently one of our systems became the target of what I believe is some
    sort of DOS attack. 2536 packets with a payload of 4064 bytes were sent
    in 58 seconds, divided over nine (9) src/dst-ports.
    
    A simple calculation shows that this generated about 1.7 Mbps, not so
    much in our case but more than what I think is normal.
    
    What disturbs me is that the packets are a little funny. The payload is
    always 4064 bytes and just a loop of the same character. The src-port is
    the same as the dst-port, and the UDP len is always the same value as the
    port number. The UDP len thing looks more like a mistake by the coder:
    instead of doing it right, it's just the same value as the port numbers.
    
    What I'm trying to figure out is what caused this traffic. Does anyone
    recognize the pattern?
    
    
    
    Ports used:
    
    12593 <-> 12953
    12850 <-> 12850
    13107 <-> 13107
    13364 <-> 13364
    13878 <-> 13878
    14135 <-> 14135
    14392 <-> 14392
    14649 <-> 14649
    
    
    
    Excerpt from Snort-log
    
    Pv4: 216.21.131.49 -> 130.241.*.*
    hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
    UDP:  port=13878 -> dport: 13878 len=13878
    Payload:  length = 4064
    
    000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
    010 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
    ..................
    
    
    #(1 - 2450) [2002-01-11 04:04:06] [arachNIDS/247]  MISC Large UDP Packet
    IPv4: 216.21.131.49 -> 130.241.*.*
    hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
    UDP:  port=14135 -> dport: 14135 len=14135
    Payload:  length = 4064
    
    000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
    010 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
    ..................
    
    
    Johan Augustsson
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
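Added example (editor's code, not part of the original post or of any tool mentioned in it): a small Python checker that parses Snort-style records in the shape of the excerpt above and scores each datagram for the oddities the poster describes (src-port equal to dst-port, UDP len equal to the port, UDP len not matching payload + 8, payload made of one repeated byte). It also adds one observation that is the editor's inference, not the post's: every port in the "Ports used" list is the ASCII code of one digit repeated in both bytes (13878 = 0x3636 = "66", 14135 = 0x3737 = "77", and so on), which matches a sender that fills the whole buffer, header fields included, with the same character. The first two records in the sample are the two datagrams from the post; the third is a constructed, ordinary-looking DNS reply used as a negative control to show that a single coincidence (source port 53 with UDP length 53) is not enough to trigger the verdict.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's Snort excerpt. Records 1 and 2
# are the datagrams shown in the post (the post does not show record 1's header
# line, so none is given); record 3 is a made-up, normal DNS reply used as a
# negative control. Hex dumps are truncated to two lines, as in the post.
SAMPLE_LOG = """\
IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
UDP:  port=13878 -> dport: 13878 len=13878
Payload:  length = 4064

000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
010 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666

#(1 - 2450) [2002-01-11 04:04:06] [arachNIDS/247]  MISC Large UDP Packet
IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
UDP:  port=14135 -> dport: 14135 len=14135
Payload:  length = 4064

000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
010 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777

#(1 - 2451) [2002-01-11 04:04:07] [constructed control]  ordinary DNS reply
IPv4: 192.0.2.53 -> 130.241.*.*
hlen=5 TOS=0 dlen=73 ID=1 flags=0 offset=0 TTL=55 chksum=0
UDP:  port=53 -> dport: 33521 len=53
Payload:  length = 45

000 : 1a 2b 81 80 00 01 00 01 00 00 00 00 03 77 77 77   .+...........www
010 : 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00   .example.com....
"""

RE_IP = re.compile(r"^IPv4:\s+(\S+)\s+->\s+(\S+)")
RE_UDP = re.compile(r"^UDP:\s+port=(\d+)\s+->\s+dport:\s+(\d+)\s+len=(\d+)")
RE_PLN = re.compile(r"^Payload:\s+length\s*=\s*(\d+)")
RE_HEX = re.compile(r"^[0-9a-fA-F]{3}\s*:\s+((?:[0-9a-fA-F]{2}(?:\s|$))+)")


def parse_snort_log(text):
    """Split text into records (one per 'IPv4:' line) and pull out the fields we score on."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = RE_IP.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "payload": b""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = RE_UDP.match(line)
        if m:
            cur["sport"], cur["dport"], cur["ulen"] = (int(g) for g in m.groups())
            continue
        m = RE_PLN.match(line)
        if m:
            cur["plen"] = int(m.group(1))
            continue
        m = RE_HEX.match(line)
        if m:  # hex column only; the ASCII column to the right is ignored
            cur["payload"] += bytes.fromhex("".join(m.group(1).split()))
    return records


def port_as_ascii(port):
    """Render a 16-bit port as the two ASCII bytes of its big-endian encoding (13878 -> '66')."""
    return port.to_bytes(2, "big").decode("ascii", errors="replace")


def score_record(rec):
    """List the oddities seen in one datagram; several together form the 'filled buffer' signature."""
    flags = []
    if rec["sport"] == rec["dport"]:
        flags.append("sport==dport")
    if rec["ulen"] == rec["sport"]:
        flags.append("udp_len==port")
    if rec["ulen"] != rec["plen"] + 8:  # a well-formed UDP length is payload + 8-byte header
        flags.append("udp_len_inconsistent")
    pl = rec["payload"]
    if pl and len(set(pl)) == 1:
        flags.append("payload_single_byte")
        if rec["sport"] == int.from_bytes(pl[:1] * 2, "big"):  # port field = that byte twice
            flags.append("port_is_payload_byte")
    return flags


def is_filled_buffer(rec):
    """Verdict: the repeated-byte pattern plus at least two other oddities, not one coincidence."""
    flags = score_record(rec)
    return "payload_single_byte" in flags and len(flags) >= 3


def summarize(text):
    """Per source address: datagram count, suspicious count, and the characters the ports decode to."""
    out = defaultdict(lambda: {"count": 0, "suspicious": 0, "ports": set()})
    for rec in parse_snort_log(text):
        s = out[rec["src"]]
        s["count"] += 1
        if is_filled_buffer(rec):
            s["suspicious"] += 1
            s["ports"].add(rec["sport"])
    return {src: {**v, "port_chars": sorted(port_as_ascii(p) for p in v["ports"])}
            for src, v in out.items()}


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(src, s)
```

Run against a longer capture, the `port_chars` list per source is the quickest way to confirm the "same byte everywhere" hypothesis: with the port list from the post it comes out as "11", "22", "33", "44", "66", "77", "88", "99", i.e. one digit per port pair. The verdict deliberately requires the single-byte payload plus two further oddities, so the constructed DNS control, which happens to have source port 53 and UDP length 53, scores only one flag and is not reported.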
    



    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:32:06 PST