Hi,

This is my first post to this list (though lurking here has been most informative), and I apologise in advance if any of this is off-topic.

I would very much appreciate some help in identifying the nature of a scan/attack on one of my servers earlier today. Snort picked up a series of packets of a wide range of protocols with seemingly random (and mostly invalid) source and destination IPs. This carried on continuously for about an hour. During this time, there was massive lag and packet loss (roughly 2000ms ping with 50% loss) even to hosts on the same (100MBit) switch, even though MRTG showed less than 5% of the link in use. After the scan/attack stopped, ping times immediately went back to normal.

Has anyone else seen anything like this before?

Excerpts of logs follow:

-----
Jun 13 15:29:16 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 16.0.155.69 -> 11.254.0.0
Jun 13 15:29:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:29:50 nemesis /kernel: arp: unknown hardware address format (0xd004)
Jun 13 15:29:50 nemesis /kernel: arp: runt packet
Jun 13 15:29:51 nemesis snort: [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! {MHRP} 59.144.0.250 -> 224.0.255.2
Jun 13 15:30:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CHAOS} 171.133.96.4 -> 144.85.240.223
Jun 13 15:30:24 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IGMP} 151.196.71.254 -> 168.0.0.1
Jun 13 15:30:30 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO194} 155.64.11.14 -> 0.96.248.0
Jun 13 15:31:42 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {SAT-EXPAK} 155.5.202.0 -> 0.64.13.255
Jun 13 15:32:22 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 128.0.128.248 -> 0.247.0.0
Jun 13 15:32:24 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.8.128.8 -> 0.0.128.0
Jun 13 15:33:09 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO209} 59.5.10.14 -> 176.142.106.239
Jun 13 15:34:25 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO173} 169.0.136.152 -> 103.1.240.0
Jun 13 15:34:42 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.250.42.91 -> 0.5.11.14
Jun 13 15:36:20 nemesis /kernel: arp: unknown hardware address format (0x0070)
Jun 13 15:37:45 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {MHRP} 0.240.132.136 -> 0.1.0.0
Jun 13 15:38:20 nemesis /kernel: arp: unknown hardware address format (0x0681)
Jun 13 15:38:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {VRRP} 155.69.251.238 -> 230.0.0.112
Jun 13 15:38:57 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CHAOS} 59.128.10.11 -> 155.21.11.255
Jun 13 15:39:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {UDP} 240.0.245.104:0 -> 155.69.2.255:0
Jun 13 15:39:12 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CRUDP} 11.70.11.0 -> 7.208.15.2
Jun 13 15:39:27 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {VRRP} 155.5.13.14 -> 0.0.6.16
Jun 13 15:44:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {UDP} 0.16.13.48:0 -> 0.69.229.59:0
Jun 13 15:44:11 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPLT} 0.0.130.232 -> 203.1.0.0
Jun 13 15:44:59 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 14.208.132.40 -> 240.8.0.240
Jun 13 15:45:56 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 32.4.128.240 -> 0.7.0.0
Jun 13 15:47:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.0.136.8 -> 0.1.0.0
Jun 13 15:47:17 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPENCAP} 3.111.0.103 -> 0.11.7.48
Jun 13 15:48:36 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:48:48 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 128.0.128.240 -> 0.102.0.0
Jun 13 15:48:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {XNET} 155.69.10.0 -> 155.0.11.239
Jun 13 15:49:53 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 224.21.10.17 -> 144.69.11.255
Jun 13 15:49:54 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPCV} 155.69.6.240 -> 144.0.214.102
Jun 13 15:49:54 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPLT} 4.0.130.8 -> 203.7.0.0
Jun 13 15:52:00 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO241} 155.69.10.240 -> 144.0.87.102
Jun 13 15:52:35 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {CHAOS} 11.29.252.0 -> 155.100.11.255
Jun 13 15:54:20 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.10.136.8:0 -> 0.1.0.0:0
Jun 13 15:58:08 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TRUNK-2} 155.69.0.254 -> 11.192.143.15
Jun 13 15:59:28 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 4.1.0.0 -> 233.11.136.0
----------------------------------------------------------------------------
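The alerts in the post are all from Snort's decoder (generator ID 116: SID 1 fires when the IP version nibble is not 4, SID 2 when the header-length field is smaller than a minimal IPv4 header, SID 3 when the total-length field is shorter than the header). Those fire on frames Snort could not parse at all, so the protocol name and the src/dst addresses it prints are simply whatever bytes sat at those header offsets; they are evidence of corrupt or garbage frames, not of a real sender. The script below, added here as an example and not part of the original post, parses Snort syslog lines and the BSD kernel `arp:` messages, tallies the decoder alerts by SID and claimed protocol, flags addresses that cannot be real unicast endpoints (0/8, multicast, 240/4, limited broadcast), and labels the burst. The sample log is a handful of lines copied from the post plus one constructed, ordinary-looking alert as a control; the thresholds in `classify()` are my own choice.

```python
"""Triage Snort decoder (GID 116) alerts of the kind shown in the post above.

Added example, not the original poster's code. Snort's decoder alerts fire on
frames it could not parse as IPv4, so the printed addresses are raw bytes from
an unparseable header and should be treated as untrusted.
"""
import re
from collections import Counter
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: lines taken from the post plus one control alert
# (GID 1, plausible RFC 1918 endpoints) that is not in the original log.
SAMPLE_LOG = """\
Jun 13 15:29:16 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 16.0.155.69 -> 11.254.0.0
Jun 13 15:29:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:29:50 nemesis /kernel: arp: unknown hardware address format (0xd004)
Jun 13 15:29:50 nemesis /kernel: arp: runt packet
Jun 13 15:29:51 nemesis snort: [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! {MHRP} 59.144.0.250 -> 224.0.255.2
Jun 13 15:38:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {VRRP} 155.69.251.238 -> 230.0.0.112
Jun 13 15:39:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {UDP} 240.0.245.104:0 -> 155.69.2.255:0
Jun 13 15:30:00 nemesis snort: [1:1000001:1] Constructed control alert {TCP} 10.0.0.5:40000 -> 10.0.0.7:22
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
SNORT_RE = re.compile(
    TS + r" (?P<host>\S+) snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \{(?P<proto>[^}]+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?$"
)
ARP_RE = re.compile(TS + r" (?P<host>\S+) /kernel: arp: (?P<msg>.*)$")
THIS_NETWORK = IPv4Network("0.0.0.0/8")


def parse_ts(ts):
    # Syslog timestamps carry no year; only differences between them are used.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def address_oddity(ip):
    """Return why an address cannot be a real unicast endpoint, or None."""
    a = IPv4Address(ip)
    if a in THIS_NETWORK:
        return "this-network (0/8)"
    if a == IPv4Address("255.255.255.255"):
        return "limited broadcast"
    if a.is_multicast:
        return "multicast (224/4)"
    if a.is_reserved:
        return "reserved (240/4)"
    return None


def parse_log(text):
    """Yield one dict per recognised Snort or kernel arp line; skip the rest."""
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"kind": "snort", "ts": parse_ts(d["ts"]), "host": d["host"],
                   "gid": int(d["gid"]), "sid": int(d["sid"]), "msg": d["msg"],
                   "proto": d["proto"], "src": d["src"], "dst": d["dst"]}
            continue
        m = ARP_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"kind": "arp", "ts": parse_ts(d["ts"]), "host": d["host"],
                   "msg": d["msg"]}


def summarize(text):
    events = list(parse_log(text))
    decoder = [e for e in events if e["kind"] == "snort" and e["gid"] == 116]
    arp = [e for e in events if e["kind"] == "arp"]
    bogus = [e for e in decoder
             if address_oddity(e["src"]) or address_oddity(e["dst"])]
    times = sorted(e["ts"] for e in decoder)
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    return {
        "decoder_alerts": len(decoder),
        "by_sid": Counter((e["gid"], e["sid"], e["msg"]) for e in decoder),
        "protocols": Counter(e["proto"] for e in decoder),
        "bogus_address_alerts": len(bogus),
        "arp_errors": len(arp),
        "span_seconds": span,
    }


def classify(summary):
    """Label the burst. Thresholds are an assumption chosen for this example."""
    n = summary["decoder_alerts"]
    if n == 0:
        return "no decoder alerts"
    bogus_frac = summary["bogus_address_alerts"] / n
    if n >= 3 and bogus_frac >= 0.5 and len(summary["protocols"]) >= 3:
        return "malformed-frame burst"
    return "isolated decoder alerts"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("verdict:", classify(s))
```

Because the decoded fields are untrustworthy, the next step after this triage is not to block the printed "source" addresses but to capture raw frames with link-layer headers (`tcpdump -e -w file.pcap` on the affected interface) so the real Ethernet source, frame lengths and the `arp: unknown hardware address format` frames can be inspected together.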
This archive was generated by hypermail 2b30 : Fri Jun 13 2003 - 13:34:59 PDT