RE: unidentified DOS "bad traffic"

From: David Gillett (gillettdavid@fhda.edu)
Date: 03/14/03

  • Next message: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations." 
    From: "David Gillett" <gillettdavid@fhda.edu>
To: <incidents@securityfocus.com>
Date: Thu, 13 Mar 2003 15:26:41 -0800

      We've seen a couple of incidents similar to this lately
    (although we haven't been able to capture as much detail).

      My working hypothesis is that this is an attempt at a
    DDoS aimed at "irc-m.icq.aol.com", but that due to a bug
    or design error, it takes down the source network instead.

      We did see flooding that brought down internal traffic
    without loading the routers. The routers did, however, log
    a spike in inbound traffic volume right around that time,
    suggesting an external trigger mechanism....

    David Gillett

    > -----Original Message-----
    > From: DY [mailto:dybulk@tri8.net]
    > Sent: March 13, 2003 13:54
    > To: incidents@securityfocus.com
    > Subject: unidentified DOS "bad traffic"
    >
    >
    > Hi all,
    >
    > I'm quite surprised at the lack of material I'm turning up in
    > researching
    > this issue, so I'm resorting to this post. Please feel free
    > to point me
    > somewhere.
    >
    > Twice in the past week I have experienced a severe DOS condition on my
    > network. A particular host has been completely flooding the
    > network with
    > some sort of traffic that chokes the whole thing. Now, on the first
    > incident I was unable to obtain packet trace data (I'll spare
    > the details)
    > and was forced to reconnect the particular segment's port.
    > We got by for
    > a few days, and then wham, it happened again. This time I
    > isolated the
    > segment with a Snort sensor and captured a large amount of
    > data (actually,
    > I only sniffed for a few seconds before I'd already swallowed
    > about 10 MB
    > of data, all of which was identical, so I stopped). My Snort
    > output on
    > this trace was filled with nothing but bizillions of these entries
    > (payload did vary a little):
    >
    >
    > 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
    > PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
    > 45 10 00 3C B5 F5 40 00 40 06 E8 85 CD A2 E9 48 E..<..@.@......H
    > 40 0C A5 39 D3 A6 1A 0B BC C0 DE 3C 00 00 00 00 @..9.......<....
    > A0 02 7D 78 D3 8E 00 00 02 04 05 B4 04 02 08 0A ..}x............
    > 00 CD 7F 52 52 00 00 00 01 03 03 00 ...RR.......
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    > =+=+=+=+=+=+
    >
    >
    >
    > The source IP is from a private network that I run, which
    > uses basic NAT,
    > so I can certainly route and identify the host, as this
    > capture is from
    > the private side of the NAT router. Now, here's the Snort alert entry
    > (again, just thousands of this same entry):
    >
    >
    > [**] [1:1627:1] BAD TRAFFIC Unassigned/Reserved IP protocol [**]
    > [Classification: Detection of a non-standard protocol or
    > event] [Priority:
    > 2]
    > 03/13-07:53:11.032136 10.1.2.3 -> 64.12.165.57
    > PROTO255 TTL:128 TOS:0x0 ID:23977 IpLen:20 DgmLen:80
    >
    >
    > Now, I've read up on the Snort signature that generates this
    > alert (SID
    > 1627). It says that it's bad traffic (of course) using an unassigned
    > protocol, which of course the alert states. However, I'm not finding
    > anything (Google, Usenet, etc.) that leads me toward the
    > proper analysis
    > of what this machine was doing. All I know is:
    >
    > 1) The machine runs Win2K pro.
    > 2) The user has no idea what's going on, of course, and has
    > scanned his
    > machine with the latest AV updates, with no viri found.
    > 3) IP address 64.12.165.57, the destination for this complete flood of
    > "bad traffic," resolves (reverse) to irc-m.icq.aol.com.
    > 4) There was so much of this traffic that it shut my network down. My
    > main router (Cisco) reported no appreciable CPU consumption during the
    > attack. It just appears that the sheer volume of the [bad]
    > packets choked
    > everybody out.
    >
    >
    > So, I know of no exploit, no virus, no known malicious
    > destination (which
    > might lead me to an exploit)...and yet I had no throughput
    > (except for the
    > "bad traffic").
    >
    > Can anybody give me a clue, or at least point me somewhere (probably
    > obvious) that I seem to be missing? I might post to the
    > Snort-users list
    > as well, I guess, in case anybody there has ideas.
    >
    > Many TIA,
    > --
    > DY
    >
    > --------------------------------------------------------------
    > --------------
    >
    > <Pre>Lose another weekend managing your IDS?
    > Take back your personal time.
    > 15-day free trial of StillSecure Border Guard.</Pre>
    > <A href="http://www.securityfocus.com/stillsecure">
    http://www.securityfocus.com/stillsecure </A>

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

  • Next message: Q=F3rhallur_H=E1lfd=E1narson?=: "Re: CodeRed Observations."

    Relevant Pages