Re: Rise in spoofing and smurfing?

From: Stuart Sheldon (stuat_private)
Date: Fri Mar 01 2002 - 09:16:01 PST


    We've been seeing the same activity since Wednesday... Looks like our
    range is being spoofed to attack DNS servers. It's not affecting us at
    this time.
    
    We have also seen an increase in port scans (mostly for squid and other
    proxy servers) against us from an ap source... Welcome to the wonderful
    world of the internet... :)
    
    Stuart Sheldon
    
    
    Glenn Forbes Fleming Larratt wrote:
    > 
    > In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
    > seen a much higher than normal incidence,
    > 
    > 1. in the last week or two, of what appear to be smurf attempts, e.g.
    > (mildly filtered Cisco syslogs):
    > 
    > Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
    > Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
    > Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
    >         :
    >         :
    > Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
    > Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
    > Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet
    > 
    > 2. in the last three days, of indications of our address space being
    > spoofed in huge quantity, presumably as part of DoS, decoy scanning,
    > or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
    > cases implying "stimulus" hosts that don't exist in our network
    > [subnets 108 and 93 are unallocated within our Class B]):
    > 
    > 02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
    > 02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)
    > 
    > Has anyone seen similar behavior?
    > 
    >         -g
    > --
    > Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
    > glrattat_private                        http://www.io.com/~glratt
    > There are imaginary bugs to chase in heaven.
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    The early bird who catches the worm works for someone who comes in late
    and owns the worm farm.
    		-- Travis McGee
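As an added example (not code from either poster), the following Python parses the two log formats quoted above and flags the two patterns the thread describes: one source hitting many .255 addresses in sequence, and ICMP unreachables whose inner (quoted) source lies in subnets we never allocated. The sample lines are constructed, and 299.299.0.0/16 keeps the poster's obfuscation; the unallocated subnet numbers are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the two log formats quoted in the thread
# (the 299.299.0.0/16 range is the poster's obfuscation, kept on purpose).
CISCO_LINES = [
    "Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet",
    "Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet",
    "Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet",
    "Feb 28 19:30:04 tcp 10.0.0.7(4321) -> 299.299.5.12(80), 3 packets",
]
ICMP_LINES = [
    "02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 "
    "unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF)",
    "02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 "
    "unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF)",
    "02/28 16:07:01.000000 203.0.113.9 > 299.299.10.5: icmp: host 203.0.113.77 "
    "unreachable for 299.299.10.5.2000 > 203.0.113.77.80: [|tcp] (DF)",
]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CISCO_RE = re.compile(rf"^\w{{3}} +\d+ [\d:]+ \w+ {IP}\(\d+\) -> {IP}\(\d+\), \d+ packets?$")
ICMP_RE = re.compile(rf"^\S+ \S+ {IP} > {IP}: icmp: host {IP} unreachable for {IP}\.\d+ > ")

def broadcast_sweeps(lines, min_targets=3):
    """Group Cisco 'src -> dst' records by source; report sources that reached
    at least min_targets distinct .255 (directed-broadcast style) addresses."""
    hits = defaultdict(set)
    for line in lines:
        m = CISCO_RE.match(line)
        if m and m.group(2).endswith(".255"):
            hits[m.group(1)].add(m.group(2))
    return {src: sorted(dsts) for src, dsts in hits.items() if len(dsts) >= min_targets}

def backscatter(lines, our_prefix, unallocated_subnets):
    """From ICMP host-unreachable lines, pull the inner address the remote
    host believes sent the original packet. One of our addresses inside a
    subnet we never allocated can only have been spoofed (flag is True)."""
    found = []
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue
        reporter, spoofed = m.group(1), m.group(4)
        if spoofed.startswith(our_prefix):
            third_octet = int(spoofed.split(".")[2])
            found.append((reporter, spoofed, third_octet in unallocated_subnets))
    return found
```

Run against real syslog and tcpdump text, `broadcast_sweeps` picks out the serial .255 sweep and `backscatter` separates unreachables for unallocated space (certain spoofing) from those for live hosts, which need a second look.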
    
    