RE: UDP traffic to net and broadcast addresses

From: Joshua Wright (Joshua.Wrightat_private)
Date: Thu Apr 03 2003 - 11:53:11 PST


    Zen,
    
    Sounds like a Fraggle attack (though it's pretty slow to be effective), where you might be an amplifier.  Is the source address (a.b.c.d) an address that you recognize?
    
    If your customer doesn't need it, make sure "no ip directed-broadcast" is applied to their router interfaces that are connected to broadcast-medium (e.g. Ethernet).  I'm pretty comfortable dropping traffic destined to a broadcast address at my enclave router, but your requirements may vary.
    
    -Joshua Wright
    Senior Network and Security Architect
    Johnson & Wales University
    Joshua.Wrightat_private 
    http://home.jwu.edu/jwright/
    
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    
    > 	debugging on a customer router I trampled over some unusual
    > 	traffic pattern: it is composed by
    > 	udp packets,
    > 	always from the same ip address	
    > 	random source port
    > 	directed to the network and broadcast addresses of a network
    > 	random destination port
    > 
    > 	time-spaced around 2 seconds.
    > 
    > 	This is an example from the logs
    > 
    > Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(14673) -> bcast-addr(146), 1 packet
    > Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(41383) -> bcast-addr(558), 1 packet
    > Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(17499) -> bcast-addr(328), 1 packet
    > Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(1124) -> bcast-addr(940), 1 packet
    > Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(32969) -> bcast-addr(549), 1 packet
    > Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(19998) -> net-addr(112), 1 packet
    > Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(24405) -> net-addr(251), 1 packet
    > Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp 
    > a.b.c.d(6827) -> bcast-addr(497), 1 packet
    
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 16:51:33 PST