Re: unidentified DOS "bad traffic"

From: Alain Fauconnet (alain@cscoms.net)
Date: 03/14/03

  • Next message: David Moisan: "Re: [unisog] Re: Port 109 Mystery"
    Date: Fri, 14 Mar 2003 10:55:31 +0700
    From: Alain Fauconnet <alain@cscoms.net>
    To: DY <dybulk@tri8.net>
    
    

    Hello,

    On Thu, Mar 13, 2003 at 03:53:59PM -0600, DY wrote:
    >
    > Twice in the past week I have experienced a severe DOS condition on my
    > network. A particular host has been completely flooding the network with
    > some sort of traffic that chokes the whole thing. Now, on the first
    > incident I was unable to obtain packet trace data (I'll spare the details)
    > and was forced to reconnect the particular segment's port. We got by for
    > a few days, and then wham, it happened again. This time I isolated the
    > segment with a Snort sensor and captured a large amount of data (actually,
    > I only sniffed for a few seconds before I'd already swallowed about 10 MB
    > of data, all of which was identical, so I stopped). My Snort output on
    > this trace was filled with nothing but bizillions of these entries
    > (payload did vary a little):
    >
    >
    > 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
    > PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80

    Looks very close to something I've experienced recently as well. My
    research has pointed me to the following places:

    http://lists.insecure.org/lists/incidents/2002/May/0026.html
    http://cert.uni-stuttgart.de/archive/incidents/2002/05/msg00026.html

    This is about a DoS and warez distribution IRC BOT. It uses IP
    protocol 255 also.

    > "bad traffic," resolves (reverse) to irc-m.icq.aol.com.

    Same for me! Also 2 other IPs in cable.midspring.com and
    mdweb1.c.mad.interhost.com (Spain).

    > 4) There was so much of this traffic that it shut my network down. My
    > main router (Cisco) reported no appreciable CPU consumption during the
    > attack. It just appears that the sheer volume of the [bad] packets choked
    > everybody out.

    Ditto.

    Hope that helps,
    _Alain_
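A way to pick the flooding host out of a Snort packet log like the one quoted above, as an added example written for this page and not part of either poster's message. It parses the two-line Snort header format shown in the thread (a timestamp/src/dst line followed by a PROTOnnn or TCP/UDP/ICMP TTL:/DgmLen: line) over a constructed sample, aggregates packets and bytes per source and IP protocol number, and flags sources sending a protocol number outside the set one expects on a LAN edge (255 is marked Reserved by IANA) at flood rate. The sample log lines, the EXPECTED protocol table and the rate threshold are assumptions made for the example.

```python
"""Flag hosts flooding with unexpected IP protocol numbers (e.g. PROTO255)
in Snort-style packet headers. Example code for this page; the sample
log below is constructed, not a real capture."""
import re
from datetime import datetime

# First line of a Snort packet header: timestamp, src[:port] -> dst[:port]
PKT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$")
# Second line: "PROTO255 TTL:128 ..." for unknown protocols, "UDP TTL:64 ..."
# for the ones Snort names.
HDR_RE = re.compile(
    r"^(?:PROTO(?P<num>\d+)|(?P<name>[A-Z]+))\s+TTL:(?P<ttl>\d+)\s+"
    r"TOS:0x[0-9A-Fa-f]+\s+ID:\d+\s+IpLen:\d+\s+DgmLen:(?P<dgmlen>\d+)")
NAME_TO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}

# Protocol numbers a typical LAN edge legitimately carries (assumption; tune
# per site). Anything else is "unexpected"; 255 is IANA Reserved.
EXPECTED = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
            50: "ESP", 51: "AH", 89: "OSPF"}

# Constructed sample: three PROTO255 datagrams from one host within 257 us,
# plus ordinary UDP and ICMP from another host.
SAMPLE_LOG = """\
03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
03/13-07:53:50.650512 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50457 IpLen:20 DgmLen:80
03/13-07:53:50.650640 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50458 IpLen:20 DgmLen:84
03/13-07:53:51.101200 10.1.2.9:3421 -> 10.1.2.1:53
UDP TTL:64 TOS:0x0 ID:1200 IpLen:20 DgmLen:61
03/13-07:53:51.204000 10.1.2.9 -> 10.1.2.1
ICMP TTL:64 TOS:0x0 ID:1201 IpLen:20 DgmLen:84
"""


def parse_snort_packets(lines):
    """Yield (timestamp, src, dst, proto_number, dgmlen) for each header pair.

    The header line must directly follow its timestamp line, as in Snort -v
    output; payload dumps and separators end the pair."""
    pending = None
    for raw in lines:
        line = raw.strip()
        m = PKT_RE.match(line)
        if m:
            pending = m
            continue
        h = HDR_RE.match(line)
        if h and pending:
            proto = int(h["num"]) if h["num"] else NAME_TO_NUM.get(h["name"])
            if proto is not None:
                t = datetime.strptime(pending["ts"], "%m/%d-%H:%M:%S.%f")
                yield t, pending["src"], pending["dst"], proto, int(h["dgmlen"])
        pending = None


def analyze(lines):
    """Aggregate packets/bytes/time span/destinations per (src, proto)."""
    stats = {}
    for t, src, dst, proto, dgmlen in parse_snort_packets(lines):
        s = stats.setdefault((src, proto), {"packets": 0, "bytes": 0,
                                            "first": t, "last": t, "dsts": set()})
        s["packets"] += 1
        s["bytes"] += dgmlen
        s["first"] = min(s["first"], t)
        s["last"] = max(s["last"], t)
        s["dsts"].add(dst)
    return stats


def suspicious_sources(stats, min_pps=1000.0):
    """Sources emitting an unexpected IP protocol at or above min_pps.

    A lone packet has zero span and is rated at 1 pps, so a single stray
    datagram is not reported; a burst like the one in the thread is."""
    findings = []
    for (src, proto), s in stats.items():
        if proto in EXPECTED:
            continue
        span = (s["last"] - s["first"]).total_seconds()
        pps = s["packets"] / span if span > 0 else float(s["packets"])
        if pps >= min_pps:
            findings.append({"src": src, "proto": proto, "packets": s["packets"],
                             "bytes": s["bytes"], "pps": round(pps),
                             "dsts": sorted(s["dsts"])})
    return sorted(findings, key=lambda f: -f["pps"])


if __name__ == "__main__":
    for f in suspicious_sources(analyze(SAMPLE_LOG.splitlines())):
        print("%(src)s proto %(proto)d: %(packets)d pkts, %(bytes)d bytes, "
              "~%(pps)d pps -> %(dsts)s" % f)
```

On the live wire the same packets can be isolated with a BPF filter on the protocol number, e.g. `tcpdump -ni eth0 ip proto 255`; note that there are no ports to filter on, since protocol 255 carries no transport header, which is why the Snort lines above show bare addresses.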
