On Sat, 19 Jul 2003, Michal Zalewski wrote:

> This traffic is then followed by a storm of ip-proto-55 packets with
> increasing TTLs from a similar source (this is exhibit #12 in the
> museum, posted with full packet dumps and such). What's going on?

I've just realized ip-proto-55 was one of the possible vectors for the latest Cisco IOS vulnerability, so it is possible that this particular aspect of the observed traffic is just a DoS attempt. The observed traffic seems to be considerably different from what is generated by the publicly available exploit (shadowchode, see http://www.netsys.com). This one generates considerably shorter packets with no payload, and increases TTL subsequently, see previous post:

22:53:00.340000 80.50.156.4 > 195.117.3.59: ip-proto-55 0 (ttl 2, id 60107)
                         4500 0014 eacb 0000 0237 1b01 5032 9c04
                         c375 033b 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 035a 383d

I've isolated the packet, could anyone test http://lcamtuf.coredump.cx/mine.c against a vulnerable Cisco?

Thanks again,

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-07-19 21:49 --
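As an added example (not code from the post, and unrelated to mine.c), the following decodes the tcpdump -x hex words quoted above into IPv4 header fields, verifies the header checksum, and flags any (src, dst) pair whose ip-proto-55 packets arrive with strictly increasing TTLs, which is the "storm with increasing TTLs" pattern the post describes. The HEXDUMP constant is the packet from the post; the sweep threshold and the treatment of bytes past the 20-byte header as frame padding are assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

# The ip-proto-55 packet exactly as printed by tcpdump -x in the post.
# Total length is 0x0014 = 20, so everything after the IP header is
# assumed to be Ethernet frame padding (minimum 46-byte payload).
HEXDUMP = (
    "4500 0014 eacb 0000 0237 1b01 5032 9c04 "
    "c375 033b 0000 0000 0000 0000 0000 0000 "
    "0000 0000 0000 0000 0000 035a 383d"
)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header, checksum field zeroed."""
    words = struct.unpack("!10H", header[:20])
    total = sum(words) - words[5]          # word 5 is the checksum itself
    while total >> 16:                     # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(hexdump: str) -> dict:
    """Decode tcpdump -x style hex words into the fields tcpdump summarises."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("short packet: need at least 20 bytes of IPv4 header")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError(f"not a sane IPv4 header (version={version}, ihl={ihl})")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "id": ident,
        "payload_len": total_len - ihl,    # the "0" after ip-proto-55 in tcpdump
        "checksum_ok": csum == ipv4_checksum(raw),
    }


def find_ttl_sweeps(packets, proto=55, min_count=3):
    """Return {(src, dst): [ttl, ...]} for flows of the given protocol whose
    TTLs rise strictly across at least min_count packets (threshold assumed)."""
    flows = defaultdict(list)
    for p in packets:
        if p["proto"] == proto:
            flows[(p["src"], p["dst"])].append(p["ttl"])
    return {k: t for k, t in flows.items()
            if len(t) >= min_count and all(b > a for a, b in zip(t, t[1:]))}
```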