Re: Strange attack question - seems udp

From: Carles Fragoso i Mariscal (cfragoso_at_cesca.es)
Date: 10/17/05

    Date: Mon, 17 Oct 2005 16:27:37 +0200
    To: Mihai Tanasescu <mihai@duras.ro>
    
    

    Hi Mihai,

    Mihai Tanasescu wrote:
    > 21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+],
    > length: 1500) 86.104.102.16 > 70.84.247.164: udp
    > 21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+],
    > length: 1500) 86.104.102.16 > 70.84.247.164: udp
    > 21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+],
    > length: 1500) 86.104.102.16 > 70.84.247.164: udp
    > 21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+],
    > length: 1500) 86.104.102.16 > 70.84.247.164: udp
    > 21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+],
    > length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >
    > After receiving many packets like these on 3-4 interfaces, Cisco starts
    > losing packets and acts abnormally.
    >
    > What I find strange is that there is no port specified (src,dst) and
    > that the length of the packets is always 1500.

    It seems to be fragmented traffic. Because the original IP packet
    payload is split into pieces, the layer-4 header (TCP, UDP) is only
    included in the first packet. That's the reason you can't see the ports
    on IP packets where the offset is different from 0.

    Does the destination IP belong to the router/multilayer switch?
    Reassembly is done on the destination host, so fragments should only have
    an impact on the router/switch if it is acting as the end host. That could be a
    reason for the poor performance.

    ---------------------------------------------------------------------
    Carlos Fragoso Mariscal - Network & Security Engineer/Incident Handler
    Anella Cientifica RREN Incident Response Team (ERIAC) AS13041 CFM1-RIPE
    Communications and Operations Dept.-Supercomputing Center of Catalonia
      CCNA CCNP* GSEC GCFW GCIH GREM GHTQ SSP-MPA
    cfragoso@cesca.es phone:+34932056464 pgp:0x0E4EDE07 inocdba:13041*CFM
    ---------------------------------------------------------------------
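As an added example (not part of the thread, and not code from either poster), a small Python parser over the tcpdump lines quoted above: it groups fragments by (src, dst, IP id) and reports whether the offset-0 fragment that carries the UDP ports was seen, whether the offsets are contiguous, and whether the final fragment (MF clear) has arrived. It assumes tcpdump prints the offset in bytes and a minimal 20-byte IPv4 header.

```python
import re
from collections import defaultdict

# Constructed sample: the five fragments quoted in the thread, one per line.
SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
"""

LINE = re.compile(
    r"id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"length: (?P<len>\d+)\) (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\w+)"
)
IP_HDR = 20  # assumed minimal IPv4 header: each 1500-byte fragment carries 1480 payload bytes


def parse_fragments(text):
    """Group tcpdump fragment lines by (src, dst, id) and describe each datagram's state."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            groups[(m["src"], m["dst"], int(m["id"]))].append(
                (int(m["off"]), "+" in m["flags"], int(m["len"]))
            )
    report = {}
    for key, frags in groups.items():
        frags.sort()
        offsets = [f[0] for f in frags]
        # Each fragment's offset must equal the previous offset plus its payload size.
        contiguous = all(
            offsets[i] + frags[i][2] - IP_HDR == offsets[i + 1]
            for i in range(len(frags) - 1)
        )
        last_off, last_mf, last_len = frags[-1]
        report[key] = {
            "fragments": len(frags),
            # Only the offset-0 fragment carries the UDP/TCP header, hence the ports.
            "first_fragment_seen": offsets[0] == 0,
            "contiguous": contiguous,
            # MF ("+") still set on the highest fragment means the tail is missing.
            "tail_seen": not last_mf,
            "bytes_so_far": last_off + last_len - IP_HDR,
        }
    return report
```

A datagram with neither its first nor its last fragment seen is one the receiver must hold in its reassembly buffer indefinitely, which is the load the original poster describes.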

