Possible DOS?

From: Robert Buckley (rbuckleyat_private)
Date: Fri Apr 12 2002 - 11:12:10 PDT


    Howdy,
    
    Our internal dns server seems to be a target of sorts.
    Below is a snort capture that depicts frag traffic coming from both our
    external dns servers at just about the same exact time, to a single
    internal dns server....
    The 1st thing to note is that there is absolutely no reason for traffic to
    be fragged here.
    The second thing is that both the DF and MF bits are set.
    
    [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
    [Classification: Misc activity] [Priority: 3]
    04/12-09:51:25.017423 external.xxx.xxx.3 -> internal.xxx.xxx.105
    UDP TTL:255 TOS:0x0 ID:6253 IpLen:20 DgmLen:1500 DF MF
    Frag Offset: 0x0 Frag Size: 0x5A6

    [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
    [Classification: Misc activity] [Priority: 3]
    04/12-09:51:31.461959 external.xxx.xxx.3 -> internal.xxx.xxx.105
    UDP TTL:255 TOS:0x0 ID:6259 IpLen:20 DgmLen:1500 DF MF
    Frag Offset: 0x0 Frag Size: 0x5A6

    [**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
    [Classification: Misc activity] [Priority: 3]
    04/12-09:51:26.458693 external.xxx.xxx.25 -> internal.xxx.xxx.105
    UDP TTL:255 TOS:0x0 ID:12851 IpLen:20 DgmLen:1500 DF MF
    Frag Offset: 0x0 Frag Size: 0x5A6
    The payload for all 3 packets sent is exactly the same:
    .5.5..^.X......>.....116.75.185.212.in-addr.arpa................
    ..www.sfwelt.net..............mail.sundr.de..............mail.df
    lash.`.............mail.=.............mail.sqreal.com...........
    ...mail.suzana.info..............mail.anagemo.`.............mail
    .anagemo...............mail.anagemo.D.............mail.m3-tele..
    .............mail.sat-fun.`.............mail.d1-punkt.`.........
    ....mail.ecentrum.`.............mail.men-sana.`.............mail
    .men-sana...............mail.men-sana.D.............mail.riphous
    e...............mail.d1-mobile.`.............mail.e-zentrum.D...
    ..........mail.insoftpro.`.............mail.insoftpro...........
    ....mail.insoftpro.D.............mail.insoftpro...............ma
    il.m3telecom.`.............mail.mexicaner.D.............mail.flu
    gzettel.`.............mail.flugzettel...............mail.flugzet
    tel.D.............mail.luftsprung...............mail.m3-telecom.
    ..............mail.warez-clan.`.............mail.wurfzettel.....
    ..........mail.wurfzettel.D.............mail.dz-exklusiv.`......
    .......mail.lern-zentrum...............mail.m3solarworld.`......
    .......mail.m3solarworld...............mail.modelservice.D......
    .......mail.stojadinovic...............mail.auktionsplatz.......
    ........mail.davesribhouse...............mail.davesriphouse.....
    ..........mail.fashionagancy.D.............mail.trading-point...
    ............mail.trading-point...............mail.tuning-center.
    D.............mail.wochenwerbung.`.... 
    
    And a minute later the internal dns server sends back what's expected, an
    icmp frag reassembly exceeded.
    
    [**] ICMP Fragment Reassembly Time Exceeded [**]
    04/12-09:52:25.007563 internal.xxx.xxx.105 -> external.xxx.xxx.3
    ICMP TTL:254 TOS:0x0 ID:52650 IpLen:20 DgmLen:112 DF
    Type:11  Code:1  TTL EXCEEDED
    E....m`....4.......i.5.5..^.X......>.....116.75.185.212.in-addr.
    arpa................
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] ICMP Fragment Reassembly Time Exceeded [**]
    04/12-09:52:55.006459 internal.xxx.xxx.105 -> external.xxx.xxx.25
    ICMP TTL:254 TOS:0x0 ID:35841 IpLen:20 DgmLen:112 DF
    Type:11  Code:1  TTL EXCEEDED
    E...23`....W.......i.5.5..j.mU.....>.....116.75.185.212.in-addr.
    arpa................
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    [**] ICMP Fragment Reassembly Time Exceeded [**]
    04/12-09:52:55.006497 internal.xxx.xxx.105 -> external.xxx.xxx.3
    ICMP TTL:254 TOS:0x0 ID:52666 IpLen:20 DgmLen:112 DF
    Type:11  Code:1  TTL EXCEEDED
    E....s`............i.5.5.....7.....>.....116.75.185.212.in-addr.
    arpa................
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    We use a Pix520 between the external and internal DNS hosts, and sysopt
    security fraguard is enabled.
    Obviously it got past the pix520. Not to mention 1/2 of those mail addresses
    in the payload appear to be of a German twist, and the 116.75.185.212.in-addr
    resolves at RIPE as
    
    inetnum:  212.185.75.112 - 212.185.75.119
    netname:  TECHNOTRADE-GMBH-NET
    descr:    Technotrade GmbH
    descr:    D-90443 Nuernberg
    descr:    Germany
    country:  DE
    
    Has anyone seen anything like this before or have an idea what happened?
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
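As an added example that is not part of the original post, the following Python decodes the IPv4 header fields Snort prints in the alert header above and applies the test behind sid 1322 (the rule's fragbits:MD condition: DF and MF set in the same packet, which no legitimate sender produces). The sample header is constructed to mirror the first alert (ID 6253, DgmLen 1500, TTL 255, UDP, DF MF, offset 0); the addresses are placeholders, not the poster's hosts.

```python
import struct

IP_DF = 0x4000      # Don't Fragment flag
IP_MF = 0x2000      # More Fragments flag
IP_OFFMASK = 0x1FFF # 13-bit fragment offset, in 8-byte units

def build_ipv4_header(ident, df, mf, offset, ttl, proto, total_len, src, dst):
    """Pack a minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    flags_frag = (IP_DF if df else 0) | (IP_MF if mf else 0) | ((offset // 8) & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                       ttl, proto, 0, bytes(src), bytes(dst))

def parse_ipv4(pkt):
    """Decode the fields that appear on Snort's 'UDP TTL:... DF MF / Frag Offset' lines."""
    vihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "ihl": (vihl & 0x0F) * 4,
        "total_len": total_len,
        "ident": ident,
        "df": bool(flags_frag & IP_DF),
        "mf": bool(flags_frag & IP_MF),
        "frag_offset": (flags_frag & IP_OFFMASK) * 8,  # convert 8-byte units to bytes
        "ttl": ttl,
        "proto": proto,
    }

def is_fragment(hdr):
    """True for any fragment: more to come, or not the first piece."""
    return hdr["mf"] or hdr["frag_offset"] != 0

def bad_frag_bits(hdr):
    """The contradiction sid 1322 alerts on: 'more fragments' while 'don't fragment'."""
    return hdr["df"] and hdr["mf"]

# Constructed sample modelled on the first alert in the post (placeholder addresses).
SAMPLE = build_ipv4_header(6253, True, True, 0, 255, 17, 1500,
                           [192, 0, 2, 3], [198, 51, 100, 105])

if __name__ == "__main__":
    h = parse_ipv4(SAMPLE)
    print("fragment:", is_fragment(h), "bad frag bits:", bad_frag_bits(h), h)
```

A reassembler that honours DF on such a packet can never complete the datagram, which is why the only reply seen a minute later is ICMP type 11 code 1 (reassembly time exceeded).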
    



    This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 11:53:39 PDT