SNMP scans, DoS and a VIP crash

From: Kneppers (knepperm@cuug.ab.ca)
Date: 12/24/01


Date: Mon, 24 Dec 2001 10:00:44 -0700 (MST)
From: Kneppers <knepperm@cuug.ab.ca>
To: <incidents@securityfocus.com>

Hi

I had an incident on the weekend. Detected a lot of SNMP authorization
failures to my router from a customer for about 2 days, terminating in an
inbound DoS attack (SYN-flood) targeting the customer.

I suspect the customer machine is compromised and used for scanning ..
maybe running an IRC bot as well, which caused the focused DoS attack.

The bit I'm curious about is that the exact same interface on my router
experienced some VIP crashes (device is a Cisco 7513) during the same
time, and often times very close to the scans. We've had other problems
with VIP crashes on the 7513, but I'm always suspicious when associated
with malicious activity.

Anybody seen similar activity where a scan or DoS takes out a card?
Possibly a scanning tool generating funny packets?

Thanks for any info

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com