We've seen a couple of incidents similar to this lately (although we haven't been able to capture as much detail). My working hypothesis is that this is an attempt at a DDoS aimed at "irc-m.icq.aol.com", but that due to a bug or design error, it takes down the source network instead. We did see flooding that brought down internal traffic without loading the routers. The routers did, however, log a spike in inbound traffic volume right around that time, suggesting an external trigger mechanism.... David Gillett > -----Original Message----- > From: DY [mailto:dybulkat_private] > Sent: March 13, 2003 13:54 > To: incidentsat_private > Subject: unidentified DOS "bad traffic" > > > Hi all, > > I'm quite surprised at the lack of material I'm turning up in > researching > this issue, so I'm resorting to this post. Please feel free > to point me > somewhere. > > Twice in the past week I have experienced a severe DOS condition on my > network. A particular host has been completely flooding the > network with > some sort of traffic that chokes the whole thing. Now, on the first > incident I was unable to obtain packet trace data (I'll spare > the details) > and was forced to reconnect the particular segment's port. > We got by for > a few days, and then wham, it happened again. This time I > isolated the > segment with a Snort sensor and captured a large amount of > data (actually, > I only sniffed for a few seconds before I'd already swallowed > about 10 MB > of data, all of which was identical, so I stopped). My Snort > output on > this trace was filled with nothing but bizillions of these entries > (payload did vary a little): > > > 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57 > PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80 > 45 10 00 3C B5 F5 40 00 40 06 E8 85 CD A2 E9 48 E..<..@.@......H > 40 0C A5 39 D3 A6 1A 0B BC C0 DE 3C 00 00 00 00 @..9.......<.... > A0 02 7D 78 D3 8E 00 00 02 04 05 B4 04 02 08 0A ..}x............ > 00 CD 7F 52 52 00 00 00 01 03 03 00 ...RR....... > > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ > =+=+=+=+=+=+ > > > > The source IP is from a private network that I run, which > uses basic NAT, > so I can certainly route and identify the host, as this > capture is from > the private side of the NAT router. Now, here's the Snort alert entry > (again, just thousands of this same entry): > > > [**] [1:1627:1] BAD TRAFFIC Unassigned/Reserved IP protocol [**] > [Classification: Detection of a non-standard protocol or > event] [Priority: > 2] > 03/13-07:53:11.032136 10.1.2.3 -> 64.12.165.57 > PROTO255 TTL:128 TOS:0x0 ID:23977 IpLen:20 DgmLen:80 > > > Now, I've read up on the Snort signature that generates this > alert (SID > 1627). It says that it's bad traffic (of course) using an unassigned > protocol, which of course the alert states. However, I'm not finding > anything (Google, Usenet, etc.) that leads me toward the > proper analysis > of what this machine was doing. All I know is: > > 1) The machine runs Win2K pro. > 2) The user has no idea what's going on, of course, and has > scanned his > machine with the latest AV updates, with no viri found. > 3) IP address 64.12.165.57, the destination for this complete flood of > "bad traffic," resolves (reverse) to irc-m.icq.aol.com. > 4) There was so much of this traffic that it shut my network down. My > main router (Cisco) reported no appreciable CPU consumption during the > attack. It just appears that the sheer volume of the [bad] > packets choked > everybody out. > > > So, I know of no exploit, no virus, no known malicious > destination (which > might lead me to an exploit)...and yet I had no throughput > (except for the > "bad traffic"). > > Can anybody give me a clue, or at least point me somewhere (probably > obvious) that I seem to be missing? I might post to the > Snort-users list > as well, I guess, in case anybody there has ideas. > > Many TIA, > -- > DY > > -------------------------------------------------------------- > -------------- > > <Pre>Lose another weekend managing your IDS? > Take back your personal time. > 15-day free trial of StillSecure Border Guard.</Pre> > <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A> ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:17:39 PST