RE: Strange attack question - seems udp

From: Joshua Berry (JBerry_at_PENSON.COM)
Date: 10/17/05

  • Next message: Carles Fragoso i Mariscal: "Re: Strange attack question - seems udp"
    Date: Mon, 17 Oct 2005 09:30:37 -0500
    To: "Mihai Tanasescu" <mihai@duras.ro>, <incidents@securityfocus.com>
    You don't see any ports because these are packet fragments (hence the
    "offset <number>"). This looks like some sort of malicious traffic
    because the offset of each sequential packet is wrong, the next offset
    is starting before the last one ended. These overlapping values are an
    older type of attack called a Teardrop attack.

    -----Original Message-----
    From: Mihai Tanasescu [mailto:mihai@duras.ro]
    Sent: Thursday, October 13, 2005 1:09 PM
    To: incidents@securityfocus.com
    Subject: Strange attack question - seems udp

    Hello,

    I've been getting things like these recently:

    21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
    21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp

    I have 24 subnets inside a Cisco 3750.

    After receiving many packets like these on 3-4 interfaces, Cisco starts
    losing packets and acts abnormally.

    I have gathered the output shown above from a Linux machine with tcpdump
    which acts as a border router.

    What I find strange is that there is no port specified (src,dst) and
    that the length of the packets is always 1500.

    Is there any way to filter something like this on the Cisco switch?

    Is it caused by a virus or by a human? (I have seen it from 3-4
    different interfaces at a time and with 4-6 different destination IPs)

    Any help will be greatly appreciated.

    Sorry if I have posted this to the wrong list.
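One way to turn the offset comparison discussed in this reply into a repeatable check, as an added example that is not part of the thread: the script below parses `tcpdump -v` fragment lines of the form quoted above, groups them by (source, destination, IP id), and compares each fragment's offset with the point where the previous fragment's payload ended. tcpdump prints `offset` already multiplied out to bytes and `length:` as the IP total length, so the payload a fragment carries is that length minus the IP header (20 bytes here; an IP-options-free header is an assumption of this example). The five posted lines are embedded verbatim as sample input, together with a constructed pair (RFC 5737 documentation addresses, made-up id 4242) whose second fragment starts inside the first one.

```python
import re

# tcpdump -v prints "offset" in bytes and "length:" as the IP total length,
# so the payload carried by a fragment is length minus the IP header.
IP_HEADER_LEN = 20  # assumption for this example: no IP options

# Matches the summary lines quoted in the thread. \s+ tolerates the wrapping
# mail clients add, including two records run together on one line.
FRAG_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+\(tos\s+0x[0-9a-fA-F]+,\s*ttl\s+\d+,\s*"
    r"id\s+(?P<id>\d+),\s*offset\s+(?P<offset>\d+),\s*flags\s+\[(?P<flags>[^\]]*)\],\s*"
    r"length:\s*(?P<length>\d+)\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# The five fragments from the original post, copied as they were wrapped in the mail.
THREAD_SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp 21:00:52.941640 IP (tos
0x0, ttl 127, id 28639, offset 17760, flags [+],
length: 1500) 86.104.102.16 > 70.84.247.164: udp
"""

# Constructed Teardrop-style pair (documentation addresses, made-up id 4242):
# fragment 1 carries 32 payload bytes (0..32), fragment 2 starts at byte 24.
OVERLAP_SAMPLE = """\
21:01:10.000100 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [+], length: 52) 192.0.2.1.40000 > 198.51.100.7.53: [|udp]
21:01:10.000200 IP (tos 0x0, ttl 64, id 4242, offset 24, flags [none], length: 44) 192.0.2.1 > 198.51.100.7: udp
"""


def parse_fragments(text):
    """Return one dict per fragment record found in tcpdump output."""
    frags = []
    for m in FRAG_RE.finditer(text):
        frags.append({
            "ts": m.group("ts"),
            "key": (m.group("src"), m.group("dst"), int(m.group("id"))),
            "offset": int(m.group("offset")),
            "payload_len": int(m.group("length")) - IP_HEADER_LEN,
            "more": "+" in m.group("flags"),  # tcpdump shows the MF bit as "+"
        })
    return frags


def check_fragments(frags):
    """Group fragments by (src, dst, id) and report overlaps and gaps between
    consecutive fragments of the same datagram. An empty list means every
    fragment starts exactly where the previous one's payload ended."""
    groups = {}
    for f in frags:
        groups.setdefault(f["key"], []).append(f)
    findings = []
    for key, fs in groups.items():
        fs.sort(key=lambda f: f["offset"])
        for prev, cur in zip(fs, fs[1:]):
            prev_end = prev["offset"] + prev["payload_len"]
            if cur["offset"] < prev_end:
                findings.append({"key": key, "kind": "overlap",
                                 "prev_offset": prev["offset"], "offset": cur["offset"],
                                 "bytes": prev_end - cur["offset"]})
            elif cur["offset"] > prev_end:
                findings.append({"key": key, "kind": "gap",
                                 "prev_offset": prev["offset"], "offset": cur["offset"],
                                 "bytes": cur["offset"] - prev_end})
    return findings


if __name__ == "__main__":
    for name, sample in (("thread", THREAD_SAMPLE), ("constructed", OVERLAP_SAMPLE)):
        frags = parse_fragments(sample)
        print(f"{name}: {len(frags)} fragments")
        for finding in check_fragments(frags) or ["consecutive fragments are contiguous"]:
            print("  ", finding)
```

On the five quoted fragments each record carries 1480 payload bytes and the offsets are 1480 apart, so the check finds no overlap or gap between consecutive fragments; the constructed pair is reported as an 8-byte overlap. Ports are absent from the quoted lines because only the offset-0 fragment carries the UDP header, which tcpdump needs in order to print them. Fragments are grouped by IP id alone, so on a long capture the 16-bit id can wrap and unrelated datagrams can collide; a production reassembler would also key on a time window.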
