GTBot (a DDoS agent) uses IP protocol 255 to communicate, sometimes large
and/or small packets, and sometimes fragmented. It's quite capable of
flooding most gateways, and connects to an IRC channel as you describe.
You'd best read Dave Dittrich's paper at:
http://staff.washington.edu/dittrich/talks/core02/xdcc-analysis.txt
and look for the symptoms that he describes on the Win2k box.

Kerry DY said:
> Hi all,
>
> I'm quite surprised at the lack of material I'm turning up in
> researching this issue, so I'm resorting to this post. Please feel free
> to point me somewhere.
>
> Twice in the past week I have experienced a severe DOS condition on my
> network. A particular host has been completely flooding the network
> with some sort of traffic that chokes the whole thing. Now, on the
> first incident I was unable to obtain packet trace data (I'll spare the
> details) and was forced to reconnect the particular segment's port. We
> got by for a few days, and then wham, it happened again. This time I
> isolated the segment with a Snort sensor and captured a large amount of
> data (actually, I only sniffed for a few seconds before I'd already
> swallowed about 10 MB of data, all of which was identical, so I
> stopped). My Snort output on this trace was filled with nothing but
> bizillions of these entries (payload did vary a little):
>
> 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
> PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
> 45 10 00 3C B5 F5 40 00 40 06 E8 85 CD A2 E9 48  E..<..@.@......H
> 40 0C A5 39 D3 A6 1A 0B BC C0 DE 3C 00 00 00 00  @..9.......<....
> A0 02 7D 78 D3 8E 00 00 02 04 05 B4 04 02 08 0A  ..}x............
> 00 CD 7F 52 52 00 00 00 01 03 03 00              ...RR.......
>
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> The source IP is from a private network that I run, which uses basic
> NAT, so I can certainly route and identify the host, as this capture is
> from the private side of the NAT router.
> Now, here's the Snort alert entry (again, just thousands of this same
> entry):
>
> [**] [1:1627:1] BAD TRAFFIC Unassigned/Reserved IP protocol [**]
> [Classification: Detection of a non-standard protocol or event]
> [Priority: 2]
> 03/13-07:53:11.032136 10.1.2.3 -> 64.12.165.57
> PROTO255 TTL:128 TOS:0x0 ID:23977 IpLen:20 DgmLen:80
>
> Now, I've read up on the Snort signature that generates this alert (SID
> 1627). It says that it's bad traffic (of course) using an unassigned
> protocol, which of course the alert states. However, I'm not finding
> anything (Google, Usenet, etc.) that leads me toward the proper analysis
> of what this machine was doing. All I know is:
>
> 1) The machine runs Win2K Pro.
> 2) The user has no idea what's going on, of course, and has scanned his
> machine with the latest AV updates, with no viri found.
> 3) IP address 64.12.165.57, the destination for this complete flood of
> "bad traffic," resolves (reverse) to irc-m.icq.aol.com.
> 4) There was so much of this traffic that it shut my network down. My
> main router (Cisco) reported no appreciable CPU consumption during the
> attack. It just appears that the sheer volume of the [bad] packets
> choked everybody out.
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:15:22 PST