Re: What am I seeing?

From: Bill_Royds@pch.gc.ca
Date: 10/23/01


From: Bill_Royds@pch.gc.ca
To: "jkruser" <jkruser@adelphia.net>
Message-ID: <85256AEE.0056C444.00@pch.gc.ca>
Date: Tue, 23 Oct 2001 11:47:21 -0400
Subject: Re: What am I seeing?


I would check your network hardware first. Lots of packets with 0.0.0.0
destination addresses happen if noise hits a switch/router. Since there
are short fragments etc., it will appear to be a fraggle attack.
I would put a tester at various hub connection points and look for
garbage on the ethernet. Especially look for bad ethernet addresses and
non-standard protocols.

To: incidents@securityfocus.com
cc: focus-ids@securityfocus.com, vuln-dev@securityfocus.com (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: What am I seeing?

Sorry about the crosspost but I am really in a pickle. I know this is a
DoS, but how is it being done? The origination points are all over my C-net
but I cannot believe all of these hosts are compromised. Any ideas on how to
stop/track this?

59, 2001-10-23 02:57:25, 2002001, SNMP Corrupt, MY.C.BLOCK.175, , 0.0.0.0, , , 1
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.233, , 0.0.0.0, , dstport=17&srcport=549, 1
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.58, , 0.0.0.0, , dstport=19&srcport=17541, 1
59, 2001-10-23 02:58:10, 2002001, SNMP Corrupt, MY.C.BLOCK.200, , 0.0.0.0, , , 1
79, 2001-10-23 02:58:12, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.212, , 0.0.0.0, , dstport=7&srcport=36679, 1
79, 2001-10-23 02:58:12, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.92, , 0.0.0.0, , dstport=17&srcport=50187, 1
59, 2001-10-23 02:58:19, 2002001, SNMP Corrupt, MY.C.BLOCK.72, , 0.0.0.0, , , 1
79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.65, , 0.0.0.0, , dstport=7&srcport=63300, 1
79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.197, , 0.0.0.0, , dstport=17&srcport=38775, 1
79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.127, , 0.0.0.0, , dstport=19&srcport=54070, 1
59, 2001-10-23 02:58:25, 2002001, SNMP Corrupt, MY.C.BLOCK.125, , 0.0.0.0, , , 1
59, 2001-10-23 02:59:27, 2002001, SNMP Corrupt, MY.C.BLOCK.109, , 0.0.0.0, , , 1
79, 2001-10-23 02:59:29, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.117, , 0.0.0.0, , dstport=7&srcport=13929, 1
79, 2001-10-23 02:59:29, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.26, , 0.0.0.0, , dstport=19&srcport=22847|47998, 2
79, 2001-10-23 02:59:36, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.48, , 0.0.0.0, , dstport=7&srcport=35113, 1
59, 2001-10-23 02:59:55, 2002001, SNMP Corrupt, MY.C.BLOCK.224, , 0.0.0.0, , , 1
79, 2001-10-23 03:00:07, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.226, , 0.0.0.0, , dstport=7&srcport=30975, 1
79, 2001-10-23 03:00:07, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.36, , 0.0.0.0, , dstport=17&srcport=17726, 1

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
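
An added example, not part of either poster's message: a triage pass over alert records in the format quoted above, reporting how many distinct sources appear, whether every destination is 0.0.0.0, and whether the UDP destination ports stay within the small services (echo, qotd, chargen). The column order (record id, time, signature id, signature name, source, destination, parameters, count) and the function names are assumptions made for this example.

```python
from collections import Counter

# Constructed sample: four records in the form of the alerts quoted above,
# with wrapped lines rejoined. The meaning of each column is an assumption.
SAMPLE = """\
59, 2001-10-23 02:57:25, 2002001, SNMP Corrupt, MY.C.BLOCK.175, , 0.0.0.0, , , 1
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1
79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.233, , 0.0.0.0, , dstport=17&srcport=549, 1
79, 2001-10-23 02:59:29, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.26, , 0.0.0.0, , dstport=19&srcport=22847|47998, 2
"""

# UDP small services by port number (RFC 862, 865, 864).
SMALL_SERVICES = {7: "echo", 17: "qotd", 19: "chargen"}

def parse_alert(line):
    """Split one record into a dict; return None for lines that do not fit."""
    f = [x.strip() for x in line.split(",")]
    if len(f) != 10 or not f[9].isdigit():
        return None
    # Parameters look like "dstport=7&srcport=21497"; empty for SNMP alerts.
    params = dict(p.split("=", 1) for p in f[8].split("&") if "=" in p)
    port = params.get("dstport", "")
    return {"time": f[1], "sig": f[3], "src": f[4], "dst": f[6],
            "dstport": int(port) if port.isdigit() else None,
            "count": int(f[9])}

def summarize(text):
    """Aggregate the fields that matter when judging the alert pattern."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    per_src, ports = Counter(), Counter()
    for a in alerts:
        per_src[a["src"]] += a["count"]
        if a["dstport"] is not None:
            ports[a["dstport"]] += a["count"]
    return {
        "alerts": len(alerts),
        "sources": len(per_src),
        "max_per_source": max(per_src.values(), default=0),
        "null_dst_only": all(a["dst"] == "0.0.0.0" for a in alerts),
        "ports": dict(ports),
        "non_small_service_ports": sorted(p for p in ports if p not in SMALL_SERVICES),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Many sources with one or two events each, a destination that is always 0.0.0.0, and ports confined to 7/17/19 is the shape of the quoted log; the summary narrows where to capture traffic on the wire but does not by itself separate faulty hardware from deliberate traffic.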
