RE: DDoS to microsoft sites

From: John Campbell (jcampbellat_private)
Date: Tue Jan 29 2002 - 16:03:52 PST


    I've noticed 1025 and 1026 open on some members of our Win2K fleet.  1026 is
    open on my own machine.  Fport (www.foundstone.com) links 1026 to lsass.exe.
    Not sure why some have it and others don't, although my machine is running
    Server SP2.  I've found a couple of machines with 1025 open, am looking into
    it.
    
    John Campbell, GCWN
    Information Security Engineer
    Washington School Information Processing Cooperative (WSIPC)
    E-mail: jcampbellat_private
    
    
    
    -----Original Message-----
    From: Mike Lewinski [mailto:mikeat_private] 
    Sent: Tuesday, January 29, 2002 3:24 PM
    To: incidentsat_private
    Subject: DDoS to microsoft sites
    
    
    We've observed two disparate clients apparently rooted (both are Win2K I
    believe), being used to packet flood a variety of Microsoft sites (msn.com,
    hotmail.com and microsoft.com itself).
    
    Just a few seconds of IP accounting showed:
    
    Destination              Packets               Bytes
     64.4.32.251                  14201            20940508
     207.68.171.254               11862            17764328
     64.4.32.1                    12142            18184104
     207.46.197.102               59698            89401960
    
    These clients are on very different CIDR blocks (from the first octet). We
    don't have any further information at this time, other than one client
    saturated their T1 and the other saturated a 10Mb/s connection.
    
    I haven't observed any noticeable impacts to the Microsoft sites being
    attacked. We have been able to track back the activity on MRTG graphs to
    last Thurs for both clients. We investigated the traffic volume the first
    day it appeared and at that time saw what appeared to be an attack against
    two hosts in .fr and one in .de. The client assured us at this time it was
    legitimate traffic.
    
    A port scan of one of the infected hosts shows:
    
         7  Echo
         9  Discard
        13  Daytime
        17  Quote of the Day
        19  Character Generator
        21  File Transfer Protocol [Control]
        25  Simple Mail Transfer
        80  World Wide Web HTTP
       135  DCE endpoint resolution
       139  NETBIOS Session Service
       443  https  MCom
       445  Microsoft-DS
       548  AFP over TCP
      1025  network blackjack
      1026
      1027  ICQ?
      1433  Microsoft-SQL-Server
      5631  pcANYWHEREdata
    
    The client claims that they are not running Appletalk (548) but I'm not sure
    whether to believe them. We haven't been able to get console access to that
    machine to do any further investigation (but have blocked it upstream). Of
    the above services, most look legit from what I can tell with the exception
    of 548 and 1025-1027.
    
    Mike
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
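The IP accounting sample quoted above, worked through as an added defender-side example (not part of the original thread): parse the per-destination counters, compute the average packet size and each destination's share of the bytes, and flag the pattern of near-MTU packets at a sustained rate toward a handful of destinations that marks an outbound packet flood. The sampling window and the thresholds are assumptions, since the post only says "a few seconds".

```python
import re
from dataclasses import dataclass

# IP accounting sample copied from the quoted post (destination, packets, bytes).
ACCOUNTING_SAMPLE = """\
Destination              Packets               Bytes
 64.4.32.251                  14201            20940508
 207.68.171.254               11862            17764328
 64.4.32.1                    12142            18184104
 207.46.197.102               59698            89401960
"""

ROW_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$")


@dataclass
class DestStats:
    dest: str
    packets: int
    nbytes: int

    @property
    def avg_packet_size(self) -> float:
        return self.nbytes / self.packets if self.packets else 0.0


def parse_accounting(text):
    """Parse 'Destination Packets Bytes' rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(DestStats(m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def flag_flood(rows, window_s, min_avg_bytes=1400, min_mbps=1.5):
    """Return (dest, avg_bytes, mbps) for destinations that look like a bandwidth flood:
    near-MTU average packet size AND a rate above min_mbps (default ~ one T1) over
    window_s seconds. window_s is an assumed sampling window, not a value from the post."""
    flagged = []
    for r in rows:
        mbps = r.nbytes * 8 / window_s / 1_000_000
        if r.avg_packet_size >= min_avg_bytes and mbps >= min_mbps:
            flagged.append((r.dest, round(r.avg_packet_size), round(mbps, 1)))
    return flagged


if __name__ == "__main__":
    rows = parse_accounting(ACCOUNTING_SAMPLE)
    total = sum(r.nbytes for r in rows)
    for r in rows:
        print(f"{r.dest:16} {r.packets:>7} pkts  avg {r.avg_packet_size:7.1f} B  "
              f"{100 * r.nbytes / total:5.1f}% of bytes")
    for dest, size, mbps in flag_flood(rows, window_s=10.0):
        print(f"FLOOD? {dest}: ~{size} B/pkt, ~{mbps} Mb/s over an assumed 10 s window")
```

Every row in the sample averages roughly 1475-1498 bytes per packet, which is what a flood built from maximum-size frames looks like, as opposed to the mixed packet sizes of legitimate web or mail traffic.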
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:32:32 PST