unidentified DOS "bad traffic"

From: DY <dybulk@tri8.net>
To: incidents@securityfocus.com
Date: Thu, 13 Mar 2003 15:53:59 -0600 (CST)

    Hi all,

    I'm quite surprised at the lack of material I'm turning up in researching
    this issue, so I'm resorting to this post. Please feel free to point me
    somewhere.

    Twice in the past week I have experienced a severe DOS condition on my
    network. A particular host has been completely flooding the network with
    some sort of traffic that chokes the whole thing. Now, on the first
    incident I was unable to obtain packet trace data (I'll spare the details)
    and was forced to reconnect the particular segment's port. We got by for
    a few days, and then wham, it happened again. This time I isolated the
    segment with a Snort sensor and captured a large amount of data (actually,
    I only sniffed for a few seconds before I'd already swallowed about 10 MB
    of data, all of which was identical, so I stopped). My Snort output on
    this trace was filled with nothing but bizillions of these entries
    (payload did vary a little):

    03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
    PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
    45 10 00 3C B5 F5 40 00 40 06 E8 85 CD A2 E9 48 E..<..@.@......H
    40 0C A5 39 D3 A6 1A 0B BC C0 DE 3C 00 00 00 00 @..9.......<....
    A0 02 7D 78 D3 8E 00 00 02 04 05 B4 04 02 08 0A ..}x............
    00 CD 7F 52 52 00 00 00 01 03 03 00 ...RR.......

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    The source IP is from a private network that I run, which uses basic NAT,
    so I can certainly route and identify the host, as this capture is from
    the private side of the NAT router. Now, here's the Snort alert entry
    (again, just thousands of this same entry):

    [**] [1:1627:1] BAD TRAFFIC Unassigned/Reserved IP protocol [**]
    [Classification: Detection of a non-standard protocol or event] [Priority: 2]
    03/13-07:53:11.032136 10.1.2.3 -> 64.12.165.57
    PROTO255 TTL:128 TOS:0x0 ID:23977 IpLen:20 DgmLen:80

    Now, I've read up on the Snort signature that generates this alert (SID
    1627). It says that it's bad traffic (of course) using an unassigned
    protocol, which of course the alert states. However, I'm not finding
    anything (Google, Usenet, etc.) that leads me toward the proper analysis
    of what this machine was doing. All I know is:

    1) The machine runs Win2K pro.
    2) The user has no idea what's going on, of course, and has scanned his
    machine with the latest AV updates, with no viruses found.
    3) IP address 64.12.165.57, the destination for this complete flood of
    "bad traffic," resolves (reverse) to irc-m.icq.aol.com.
    4) There was so much of this traffic that it shut my network down. My
    main router (Cisco) reported no appreciable CPU consumption during the
    attack. It just appears that the sheer volume of the [bad] packets choked
    everybody out.

    So, I know of no exploit, no virus, no known malicious destination (which
    might lead me to an exploit)...and yet I had no throughput (except for the
    "bad traffic").

    Can anybody give me a clue, or at least point me somewhere (probably
    obvious) that I seem to be missing? I might post to the Snort-users list
    as well, I guess, in case anybody there has ideas.

    Many TIA,

    --
    DY
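The hex dump in the post is worth decoding before chasing SID 1627 any further. Snort prints only the payload, and an outer datagram of DgmLen 80 with a 20-byte header leaves exactly the 60 bytes shown; those 60 bytes parse as a complete IPv4 header (protocol 6, checksum valid) followed by a TCP SYN to 64.12.165.57 port 6667, carrying an inner source address of 205.162.233.72 rather than the 10.1.2.3 seen on the wire. The script below is an added example, not part of the original post and not Snort's own code: it parses a Snort-style hex dump, checks the inner IP checksum and decodes the inner IP/TCP headers and TCP options. The bytes are copied from the dump above; the function names and the 80-byte outer length parameter are this example's own.

```python
"""Decode the 60-byte payload Snort printed for the PROTO255 packets.

Added example, not part of the original post. The hex bytes in SNORT_DUMP are
copied from the Snort dump in the message above; the helper names are assumed.
"""
import json
import re
import struct

# Payload hex dump exactly as Snort printed it (the ASCII column is ignored).
SNORT_DUMP = """\
45 10 00 3C B5 F5 40 00 40 06 E8 85 CD A2 E9 48 E..<..@.@......H
40 0C A5 39 D3 A6 1A 0B BC C0 DE 3C 00 00 00 00 @..9.......<....
A0 02 7D 78 D3 8E 00 00 02 04 05 B4 04 02 08 0A ..}x............
00 CD 7F 52 52 00 00 00 01 03 03 00 ...RR.......
"""

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def snort_dump_to_bytes(dump: str) -> bytes:
    """Collect the leading hex pairs (at most 16 per line); stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the whole header, checksum field included.

    Returns 0 when the header's checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp_options(opts: bytes) -> dict:
    """Decode MSS, window scale, SACK-permitted and timestamp options."""
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            out["wscale"] = body[0]
        elif kind == 4:
            out["sack_ok"] = True
        elif kind == 8:
            out["ts_val"], out["ts_ecr"] = struct.unpack("!II", body)
        i += length
    return out


def decode_ipv4_packet(pkt: bytes) -> dict:
    """Parse an IPv4 header and, when it carries TCP, the TCP header and options."""
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "df": bool(frag & 0x4000),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }
    if proto == 6:
        (sport, dport, seq, ack, off_flags, flags, win,
         _tcsum, _urg) = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
        doff = (off_flags >> 4) * 4
        info["tcp"] = {
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "syn_only": flags == 0x02, "window": win,
            "options": parse_tcp_options(pkt[ihl + 20:ihl + doff]),
        }
    return info


def decode_snort_payload(dump: str = SNORT_DUMP, outer_dgmlen: int = 80) -> dict:
    """Sanity-check the payload length against the outer DgmLen, then decode it."""
    payload = snort_dump_to_bytes(dump)
    if len(payload) != outer_dgmlen - 20:   # outer IpLen is 20 in the alert
        raise ValueError("expected %d payload bytes, got %d" % (outer_dgmlen - 20, len(payload)))
    return decode_ipv4_packet(payload)


if __name__ == "__main__":
    print(json.dumps(decode_snort_payload(), indent=2))
```

Running it prints the inner header fields. The TTL and TCP options of the inner packet (TTL 64, MSS 1460, SACK permitted, timestamps, window scale 0) belong to the inner packet alone and are decoded as-is; whether they match the Win2K host that emitted the outer TTL-128 datagram is the kind of question this decode lets you ask, not one the dump answers by itself.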