Re: Rise in spoofing and smurfing?

From: Stuart Sheldon (stu@actusa.net)
Date: 03/01/02


Date: Fri, 01 Mar 2002 09:16:01 -0800
From: Stuart Sheldon <stu@actusa.net>
To: Glenn Forbes Fleming Larratt <glratt@io.com>

We've been seeing the same activity since Wednesday... Looks like our
range is being spoofed to attack DNS servers. It's not affecting us at
this time.

We have also seen an increase in port scans (mostly for squid and other
proxy servers) against us from an ap source... Welcome to the wonderful
world of the internet... :)

Stuart Sheldon

Glenn Forbes Fleming Larratt wrote:
>
> In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
> seen a much higher than normal incidence,
>
> 1. in the last week or two, of what appear to be smurf attempts, e.g.
> (mildly filtered Cisco syslogs):
>
> Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
> Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
> Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
> :
> :
> Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
> Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
> Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet
>
> 2. in the last three days, of indications of our address space being
> spoofed in huge quantity, presumably as part of DoS, decoy scanning,
> or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
> cases implying "stimulus" hosts that don't exist in our network
> [subnets 108 and 93 are unallocated within our Class B]):
>
> 02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
> 02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)
>
> Has anyone seen similar behavior?
>
> -g
> --
> Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-)
> glratt@io.com http://www.io.com/~glratt
> There are imaginary bugs to chase in heaven.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
The early bird who catches the worm works for someone who comes in late
and owns the worm farm.
		-- Travis McGee
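The two patterns Glenn describes (TCP probes aimed at the .255 broadcast address of each subnet, and ICMP unreachable backscatter whose quoted inner packet claims to come from addresses in unallocated subnets) are both easy to pick out of logs mechanically. The following is an added example, not code from either poster: it parses sample lines in the same Cisco syslog and tcpdump shapes quoted above and counts each pattern per external host. The range 10.20.0.0/16 stands in for the obfuscated Class B, the unallocated subnets .93 and .108 are assumed to be /24s, and every log line is constructed to mimic the thread's formats.

```python
"""Flag directed-broadcast probes and spoofed-source backscatter in log lines.

Added example; not from the original thread. The address range and the log
lines are constructed stand-ins for the obfuscated values in the post.
"""
import ipaddress
import re

# Constructed stand-in for the site's Class B; the thread's real range is obfuscated.
OUR_RANGE = ipaddress.ip_network("10.20.0.0/16")
# Subnets the thread says are unallocated; assumed here to be /24s.
UNALLOCATED = [
    ipaddress.ip_network("10.20.108.0/24"),
    ipaddress.ip_network("10.20.93.0/24"),
]

# Cisco access-list log shape: "Feb 28 19:29:55 tcp 1.2.3.4(21) -> 10.20.0.255(21), 1 packet"
CISCO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<n>\d+) packets?$"
)

# tcpdump ICMP unreachable shape; the "for a.b.c.d.port > w.x.y.z.port" part is the
# quoted inner header of the packet that supposedly came from us.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: host "
    r"(?P<target>[\d.]+) unreachable for "
    r"(?P<inner_src>[\d.]+)\.(?P<inner_sport>\d+) > (?P<inner_dst>[\d.]+)\.(?P<inner_dport>\d+):"
)


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of a /24 inside OUR_RANGE (smurf-style target)."""
    addr = ipaddress.ip_address(dst)
    if addr not in OUR_RANGE:
        return False
    return addr == ipaddress.ip_network(f"{addr}/24", strict=False).broadcast_address


def in_unallocated(addr):
    """True if addr falls in a subnet we know has no hosts."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in UNALLOCATED)


def classify(line):
    """Return (pattern, external_host, our_address) or None for an uninteresting line."""
    m = CISCO_RE.match(line)
    if m:
        if is_directed_broadcast(m["dst"]):
            return ("smurf-probe", m["src"], m["dst"])
        return None
    m = ICMP_RE.match(line)
    if m:
        # Backscatter: a remote host bounced a packet that claims our address as its
        # source. If that address cannot have sent anything, our space is being spoofed.
        inner_src = ipaddress.ip_address(m["inner_src"])
        if inner_src in OUR_RANGE and in_unallocated(m["inner_src"]):
            return ("spoof-backscatter", m["target"], m["inner_src"])
        return None
    return None


def summarize(lines):
    """Count hits per (pattern, external host) so repeat offenders stand out."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            key = hit[:2]
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines in the two formats quoted in the thread.
SAMPLE_LOG = [
    "Feb 28 19:29:55 tcp 217.59.20.181(21) -> 10.20.0.255(21), 1 packet",
    "Feb 28 19:29:58 tcp 217.59.20.181(21) -> 10.20.1.255(21), 1 packet",
    "Feb 28 19:30:00 tcp 217.59.20.181(21) -> 10.20.2.255(21), 1 packet",
    "Feb 28 19:30:02 tcp 198.51.100.7(4321) -> 10.20.5.17(80), 3 packets",  # ordinary traffic
    "02/28 16:06:33.293696 208.184.231.250 > 10.20.108.141: icmp: host 207.78.169.4 "
    "unreachable for 10.20.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48)",
    "02/28 16:06:52.377804 208.184.231.250 > 10.20.93.170: icmp: host 207.78.169.4 "
    "unreachable for 10.20.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id 1165, len 48)",
    "02/28 16:07:01.100000 208.184.231.250 > 10.20.5.17: icmp: host 207.78.169.4 "
    "unreachable for 10.20.5.17.2000 > 207.78.169.4.80: [|tcp] (DF) (ttl 123, id 2, len 48)",  # real host
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{key[0]:18s} {key[1]:16s} {n}")
```

Backscatter to allocated hosts is deliberately not flagged, since a real host can legitimately trigger an ICMP unreachable; the unallocated-subnet check is what makes the spoofing inference safe.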
