Re: Possible ICMP DOS spoofed to Nameservers?

From: Gary Losito (gary@losito.ws)
Date: 12/31/01


Date: Mon, 31 Dec 2001 08:33:37 EST
From: Gary Losito <gary@losito.ws>
To: Richard Gilman <rgilman@myndzi.com>
To: incidents@securityfocus.com

While I haven't been seeing ICMP messages, I have been seeing a large number of ssh attempts coming from a growing list of nameservers. The attempts are happening at a rate of approximately 3-5 per minute. I'd be glad to share the list if anyone is interested.

Gary

On 30 Dec 2001 19:52 EST you wrote:

> I've been seeing ICMP Type 3 Code 13 messages coming from 2 sites and
> destined for our name servers. While doing a tcpdump I see no outbound
> packets with a destination directed toward the sites sending the ICMP
> unreachable messages. So I'm assuming that someone is spoofing the
> addresses of our name servers to ping flood the 2 sites. However we are
> only receiving the unreachable messages at a rate of approximately 5 to
> 10 per minute. What I find interesting is that only our name server
> addresses are being spoofed and those name servers are located on 2
> entirely different class 'C' address spaces and at entirely different
> physical locations (same domain though). The packet traces show that the
> addresses sending the unreachable messages are most likely firewalls or
> border routers denying ICMP because the unreachable hosts are not the
> ones sending the unreachable messages. I started seeing messages from
> one site (Microsoft) at 2001/12/23-00:04:22 PST and the other site
> (Keesler Air Force Base) at 2001/12/28-07:17:11 PST and they are still
> going as I write this.
>
> Is anyone else seeing anything like this?
>
> Is there a DDOS currently going on that happens to cycle through a list
> of name servers as spoofed sources?
>
> Thanks,
>
> Rich

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
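The reasoning in the quoted report (an ICMP Type 3 Code 13 arrives addressed to our name server, quoting a datagram we never sent, and the device that generated it is not the host the quoted datagram was going to) can be mechanised. The following is an added example, not code from this thread: it builds a destination-unreachable packet the way a filtering router would (RFC 792 layout: ICMP header, then the dropped datagram's IP header and its first 8 bytes), decodes it, and applies the three checks. The addresses are RFC 5737 documentation addresses constructed here, and the `outbound_seen` set stands in for what the tcpdump on our own side actually saw leaving.

```python
"""Decode ICMP destination-unreachable backscatter and decide whether it
points at spoofing of one of our addresses.  Added example; packets are
constructed in-line with documentation addresses, not captured data."""
import ipaddress
import struct
from dataclasses import dataclass

IPPROTO_ICMP = 1
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
CODE_ADMIN_PROHIBITED = 13  # "communication administratively prohibited" (RFC 1812)
CODE_NAMES = {1: "host unreachable", 3: "port unreachable",
              10: "host administratively prohibited", 13: "communication administratively prohibited"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; 0 for a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_unreachable(reporter: str, target: str, orig_src: str, orig_dst: str,
                      code: int = CODE_ADMIN_PROHIBITED) -> bytes:
    """Packet a router/firewall emits after dropping an echo request
    orig_src->orig_dst: type 3, the given code, quoting the dropped datagram's
    IP header plus its first 8 bytes, sent from `reporter` to `target`."""
    echo = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1)
    echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
    quoted = ipv4_header(orig_src, orig_dst, IPPROTO_ICMP, len(echo)) + echo[:8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(reporter, target, IPPROTO_ICMP, len(icmp)) + icmp


@dataclass
class UnreachableReport:
    reporter: str    # outer source: the device that generated the error
    target: str      # outer destination: where the error was delivered (us)
    code: int
    orig_src: str    # source address claimed by the quoted (dropped) datagram
    orig_dst: str    # destination the quoted datagram was going to
    orig_proto: int


def parse_unreachable(pkt: bytes):
    """Return an UnreachableReport for a well-formed ICMP type 3 packet, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 or pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or checksum(icmp) != 0:
        return None
    inner = icmp[8:]                      # the quoted original datagram
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        return None
    return UnreachableReport(
        reporter=str(ipaddress.IPv4Address(pkt[12:16])),
        target=str(ipaddress.IPv4Address(pkt[16:20])),
        code=icmp[1],
        orig_src=str(ipaddress.IPv4Address(inner[12:16])),
        orig_dst=str(ipaddress.IPv4Address(inner[16:20])),
        orig_proto=inner[9],
    )


def classify(report: UnreachableReport, our_addrs: set, outbound_seen: set) -> list:
    """our_addrs: addresses we own (the name servers).  outbound_seen:
    (src, dst, proto) triples our own capture saw leaving.  Empty = benign."""
    findings = []
    key = (report.orig_src, report.orig_dst, report.orig_proto)
    if report.orig_src in our_addrs and key not in outbound_seen:
        findings.append("backscatter: quoted datagram claims our address but we never sent it")
    if report.reporter != report.orig_dst:
        findings.append("error generated by an intermediate filter, not the quoted destination")
    return findings


if __name__ == "__main__":
    OUR_NS = {"198.51.100.53"}
    # Hypothetical: a border router 203.0.113.1 drops a spoofed ping "from" our
    # name server to 203.0.113.80 and reports it back to us.
    pkt = build_unreachable("203.0.113.1", "198.51.100.53", "198.51.100.53", "203.0.113.80")
    rep = parse_unreachable(pkt)
    print("code %d (%s)" % (rep.code, CODE_NAMES.get(rep.code, "?")))
    for finding in classify(rep, OUR_NS, outbound_seen=set()):
        print(finding)
```

Run against real traffic, `outbound_seen` would be fed from the same capture point Rich describes; a quoted datagram that never appeared on the wire outbound is the spoofing evidence, and a reporter that differs from the quoted destination is the router-or-firewall evidence.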
