Strange attack question - seems udp

From: Mihai Tanasescu (mihai_at_duras.ro)
Date: 10/13/05

  • Next message: Joshua Berry: "RE: Strange attack question - seems udp" 
    Date: Thu, 13 Oct 2005 21:09:27 +0300
To: incidents@securityfocus.com

    Hello,

    I've been getting things like these recently:

    21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+],
    length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+],
    length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+],
    length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+],
    length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+],
    length: 1500) 86.104.102.16 > 70.84.247.164: udp

    I have 24 subnets inside a Cisco 3750.

    After receiving many packets like these on 3-4 interfaces, Cisco starts
    loosing packets and acts abnormal.

    I have gathered the output show above from a Linux machine with tcpdump
    which acts as a border router.

    What I find strange is that there is no port specified (src,dst) and
    that the length of the packets is always 1500.

    Is there any way to filter something like this on the Cisco switch ?

    Is it caused by a virus or by a human ? (I have seen it from 3-4
    different interfaces at a time and with 4-6 different destination IPs)

    Any help will be greatly appreciated.

    Sorry if I have posted this to the wrong list.

  • Next message: Joshua Berry: "RE: Strange attack question - seems udp"
    • Quantcast