Re: What sort of attack is this?

From: Momchil Velikov (velco@fadata.bg)
Date: 09/17/01


To: Don Felgar <dfelgar@rainierinternet.com>
Subject: Re: What sort of attack is this?
From: Momchil Velikov <velco@fadata.bg>
Date: 17 Sep 2001 10:47:25 +0300
Message-ID: <m3vgiip8c2.fsf@freon.briz.fadata.bg>


>>>>> "Don" == Don Felgar <dfelgar@rainierinternet.com> writes:

Don> Hello all,
Don> I've got a couple of related questions

Don> Several times lately I've seen an apparent bind attack. As you can
Don> see port 53 is blocked on that particular host -- actually the host

This looks like a portscan. I somehow doubt it is an attack, given the
presence of ACK.

Don> isn't running bind anyway. There were 77 attempts to access port 53
Don> from perhaps 20 unrelated hosts over the course of eight seconds.

Looks more and more like a stealth scan (term?), probably one of those
addresses is the attacker's and all the others are spoofed.

Don> Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=194.205.125.26 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=230 ID=0 PROTO=TCP SPT=28796 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Don> Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=202.139.133.129 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=0 PROTO=TCP SPT=54418 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Don> Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=203.194.166.182 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=0 PROTO=TCP SPT=51440 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Don> Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=207.55.138.206 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=0 PROTO=TCP SPT=35503 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Don> Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=208.184.162.71 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=0 PROTO=TCP SPT=39424 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0

Regards,
-velco
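A defender-side check for the pattern discussed in this thread, added here as an example and not part of the original post: it parses lines in the iptables LOG format quoted above, groups packets by the fields those lines share (destination port, IP ID, window size, TCP flags) and reports fingerprints reached from many distinct source addresses within a short span. The sample input is the five quoted lines plus one constructed SSH line; the threshold values are assumptions, not anything the thread states.

```python
from collections import defaultdict
from datetime import datetime

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: the five lines quoted in the thread plus one unrelated SYN to port 22.
SAMPLE_LOG = """\
Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=194.205.125.26 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=230 ID=0 PROTO=TCP SPT=28796 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=202.139.133.129 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=245 ID=0 PROTO=TCP SPT=54418 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=203.194.166.182 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=0 PROTO=TCP SPT=51440 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=207.55.138.206 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=237 ID=0 PROTO=TCP SPT=35503 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Sep 11 23:11:23 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=208.184.162.71 DST=<my-host-ip-addr> LEN=44 TOS=0x00 PREC=0x00 TTL=243 ID=0 PROTO=TCP SPT=39424 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0
Sep 11 23:11:29 cyrus IN=eth0 OUT= MAC=00:a0:cc:40:a1:d1:00:04:c1:3f:0a:e4:08:00 SRC=192.0.2.10 DST=<my-host-ip-addr> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=40012 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Parse one iptables LOG line into a dict: syslog timestamp, KEY=VALUE fields, bare TCP flag words."""
    mon, day, clock, _host, rest = line.split(None, 4)
    rec = {"ts": datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S"), "flags": set()}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val          # e.g. SRC, DPT, ID, WINDOW (OUT= yields an empty value)
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)   # iptables prints set flags as bare words: "ACK SYN"
    return rec

def cluster(log_text):
    """Group TCP packets by fingerprint (DPT, ID, WINDOW, flags), collecting distinct sources and time span."""
    groups = defaultdict(lambda: {"sources": set(), "first": None, "last": None, "count": 0})
    for line in log_text.splitlines():
        if " PROTO=TCP " not in line:
            continue
        r = parse_line(line)
        key = (r["DPT"], r["ID"], r["WINDOW"], "+".join(sorted(r["flags"])))
        g = groups[key]
        g["count"] += 1
        g["sources"].add(r["SRC"])
        g["first"] = r["ts"] if g["first"] is None else min(g["first"], r["ts"])
        g["last"] = r["ts"] if g["last"] is None else max(g["last"], r["ts"])
    return groups

def find_bursts(log_text, min_sources=20, max_span_seconds=8):
    """Return fingerprints hit by at least min_sources distinct addresses within max_span_seconds (assumed thresholds)."""
    hits = []
    for key, g in cluster(log_text).items():
        span = (g["last"] - g["first"]).total_seconds()
        if len(g["sources"]) >= min_sources and span <= max_span_seconds:
            hits.append({"fingerprint": key, "sources": len(g["sources"]), "packets": g["count"], "span_seconds": span})
    return hits
```

Many distinct sources sharing one identical (ID, WINDOW, flags) fingerprint in the same second is what the "one real sender, the rest spoofed" reading in the reply rests on; a cluster of unsolicited SYN+ACKs to a closed port is also the shape of backscatter, so the report is a starting point for investigation rather than a verdict.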


