Re: unidentified DOS "bad traffic"

From: Alain Fauconnet (alainat_private)
Date: Thu Mar 13 2003 - 19:55:31 PST


    Hello,
    
    On Thu, Mar 13, 2003 at 03:53:59PM -0600, DY wrote:
    > 
    > Twice in the past week I have experienced a severe DOS condition on my
    > network.  A particular host has been completely flooding the network with
    > some sort of traffic that chokes the whole thing.  Now, on the first
    > incident I was unable to obtain packet trace data (I'll spare the details)
    > and was forced to reconnect the particular segment's port.  We got by for
    > a few days, and then wham, it happened again.  This time I isolated the
    > segment with a Snort sensor and captured a large amount of data (actually,
    > I only sniffed for a few seconds before I'd already swallowed about 10 MB
    > of data, all of which was identical, so I stopped).  My Snort output on
    > this trace was filled with nothing but bizillions of these entries
    > (payload did vary a little):
    > 
    > 
    > 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
    > PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
    
    Looks very close to something I've experienced recently as well. My
    research has pointed me to the following places:
    
    http://lists.insecure.org/lists/incidents/2002/May/0026.html
    http://cert.uni-stuttgart.de/archive/incidents/2002/05/msg00026.html
    
    This is about a DoS and warez distribution IRC BOT. It uses IP
    protocol 255 also.
    
    
    > "bad traffic," resolves (reverse) to irc-m.icq.aol.com.
    
    Same for me! Also 2 other IPs in cable.midspring.com and
    mdweb1.c.mad.interhost.com (Spain).
    
    > 4) There was so much of this traffic that it shut my network down.  My
    > main router (Cisco) reported no appreciable CPU consumption during the
    > attack.  It just appears that the sheer volume of the [bad] packets choked
    > everybody out.
    
    Ditto.
    
    Hope that helps,
    _Alain_
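The triage both posters describe (a Snort packet log full of PROTO255 headers, one internal host saturating the segment) lends itself to a small script. The following is an added example, not code from the original thread or from either poster: it parses the two-line packet header format Snort prints, aggregates packets by source host and IP protocol, flags sources above a packet threshold, and turns Snort's "PROTO255" label into the tcpdump/BPF filter ("ip proto 255") you would use to isolate that traffic on the wire. The sample log, the 192.0.2.x and 10.1.2.x addresses and the threshold value are constructed for illustration.

```python
"""Aggregate Snort-style packet headers by source host and IP protocol.

Added example, not from the original thread. Parses the header pair that
Snort writes in packet-log mode, e.g.

    03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
    PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80

and reports which hosts emit an unusual volume of a given IP protocol.
SAMPLE_LOG below is constructed; the addresses and MIN_PACKETS are
assumptions for illustration only.
"""
import re
from collections import Counter, defaultdict

# First header line: timestamp, src[:port] -> dst[:port]. Ports appear only
# for TCP/UDP; raw IP protocols such as PROTO255 have none.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)
# Second header line: protocol label, TTL, ..., DgmLen (total IP length).
PROTO_RE = re.compile(
    r"^(?P<proto>[A-Z]+\d*)\s+TTL:(?P<ttl>\d+)\s+.*DgmLen:(?P<len>\d+)"
)

# Constructed sample: one host sending raw protocol-255 datagrams in bulk,
# one ordinary TCP connection to the same destination, one stray packet.
SAMPLE_LOG = """\
03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80

03/13-07:53:50.650401 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50457 IpLen:20 DgmLen:80

03/13-07:53:50.650419 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50458 IpLen:20 DgmLen:84

03/13-07:53:50.650437 10.1.2.3 -> 192.0.2.10
PROTO255 TTL:128 TOS:0x0 ID:50459 IpLen:20 DgmLen:80

03/13-07:53:50.700001 10.1.2.7:1039 -> 64.12.165.57:6667
TCP TTL:128 TOS:0x0 ID:1200 IpLen:20 DgmLen:48 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 28

03/13-07:53:50.800002 10.1.2.9 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:77 IpLen:20 DgmLen:80
"""

MIN_PACKETS = 3  # assumed threshold; tune to the segment's normal rate


def parse_snort_log(text):
    """Yield (src, dst, proto, dgmlen) for each two-line packet header.

    Lines that are not a header pair (blank lines, TCP flag lines,
    payload dumps) are skipped.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines) - 1:
        m1 = HEADER_RE.match(lines[i])
        m2 = PROTO_RE.match(lines[i + 1])
        if m1 and m2:
            yield m1["src"], m1["dst"], m2["proto"], int(m2["len"])
            i += 2
        else:
            i += 1


def flood_sources(text, proto="PROTO255", min_packets=MIN_PACKETS):
    """Return {src: (packets, bytes, sorted destinations)} for hosts that
    sent at least min_packets packets of the given protocol label."""
    pkts, byts, dsts = Counter(), Counter(), defaultdict(set)
    for src, dst, p, length in parse_snort_log(text):
        if p == proto:
            pkts[src] += 1
            byts[src] += length
            dsts[src].add(dst)
    return {s: (pkts[s], byts[s], sorted(dsts[s]))
            for s in pkts if pkts[s] >= min_packets}


def bpf_filter(proto):
    """Map a Snort protocol label to a tcpdump/BPF filter that isolates it.

    Snort names TCP/UDP/ICMP and prints PROTO<n> for any other IP protocol.
    """
    m = re.fullmatch(r"PROTO(\d+)", proto)
    if m:
        return "ip proto %d" % int(m.group(1))
    return proto.lower()


if __name__ == "__main__":
    for src, (n, nbytes, dests) in flood_sources(SAMPLE_LOG).items():
        print("%s: %d PROTO255 packets, %d bytes, to %s" % (src, n, nbytes, dests))
    print("capture filter:", bpf_filter("PROTO255"))
```

Run against a real Snort log (`python script.py < snort.log` after swapping SAMPLE_LOG for `sys.stdin.read()`), the flagged source is the host to pull off the segment; the BPF string is what to hand to `tcpdump -ni <iface> '<filter>'` on a span port to confirm the traffic is gone afterwards.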
    
    



    This archive was generated by hypermail 2b30 : Fri Mar 14 2003 - 09:23:45 PST