RE: Strange attack question - seems udp
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 10/17/05
- Previous message: Carles Fragoso i Mariscal: "Re: Strange attack question - seems udp"
- In reply to: Mihai Tanasescu: "Strange attack question - seems udp"
- Next in thread: Mihai Tanasescu: "Re: Strange attack question - seems udp"
- Reply: Mihai Tanasescu: "Re: Strange attack question - seems udp"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Mihai Tanasescu'" <mihai@duras.ro>, <incidents@securityfocus.com>
Date: Mon, 17 Oct 2005 08:43:16 -0700
Since the 1500 size is almost certainly an MTU, I'll guess
that those "offset" numbers are indicating that this is an
IP layer fragment; the UDP header information (including port
numbers) is at offset 0 and so is not available when examining
these fragments.
There used to be a common brute-force DoS, often implemented
in VBasic, that went something like
allocate buf[64K bytes]
send to target
repeat until killed
In my experience, the "send to target" was usually done with
ICMP rather than UDP, but that's an implementation detail. The
point was that this punted slicing of the buffer by MTU to the
IP layer, which is what you're seeing.
IP-layer fragmentation is a very bad idea, not least because
the fragments have inadequate header information. As you've found,
the reassembly process is rarely really robust, and can be subject
to DoS problems of its own. So when you say
> After receiving many packets like these on 3-4 interfaces,
> Cisco starts losing packets and acts abnormal.
I'm not terribly surprised.
REMEDY: You can add an access list (or a line to your existing
access list) to block fragments. Anybody who really cares about
talking to you will either do PMTUD or set a sane MTU. These big
fragments will still try to take up your bandwidth (talk to your
ISP about blocking them upstream), but your router will be stable.
David Gillett
> -----Original Message-----
> From: Mihai Tanasescu [mailto:mihai@duras.ro]
> Sent: Thursday, October 13, 2005 11:09 AM
> To: incidents@securityfocus.com
> Subject: Strange attack question - seems udp
>
> Hello,
>
> I've been getting things like these recently:
>
> 21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840,
> flags [+],
> length: 1500) 86.104.102.16 > 70.84.247.164: udp
> 21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320,
> flags [+],
> length: 1500) 86.104.102.16 > 70.84.247.164: udp
> 21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800,
> flags [+],
> length: 1500) 86.104.102.16 > 70.84.247.164: udp
> 21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280,
> flags [+],
> length: 1500) 86.104.102.16 > 70.84.247.164: udp
> 21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760,
> flags [+],
> length: 1500) 86.104.102.16 > 70.84.247.164: udp
>
>
> I have 24 subnets inside a Cisco 3750.
>
> After receiving many packets like these on 3-4 interfaces,
> Cisco starts losing packets and acts abnormal.
>
>
> I have gathered the output shown above from a Linux machine
> with tcpdump which acts as a border router.
>
> What I find strange is that there is no port specified (src,dst) and
> that the length of the packets is always 1500.
>
> Is there any way to filter something like this on the Cisco switch ?
>
> Is it caused by a virus or by a human ? (I have seen it from 3-4
> different interfaces at a time and with 4-6 different destination IPs)
>
>
> Any help will be greatly appreciated.
>
>
> Sorry if I have posted this to the wrong list.
>
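The reply's point, that the later fragments carry no UDP header and that a very large datagram chopped to MTU size by the IP layer is the signature of the old 64K-buffer flooder, can be checked mechanically against the tcpdump -v lines Mihai posted. The script below is an added example, not code from either poster: it parses the page's line format, groups fragments by the IPv4 reassembly key (src, dst, id, protocol), and reports whether the offset-0 fragment (the only one with ports) was seen, how much of the datagram is missing, whether fragments overlap, and a lower bound on the datagram's size. The five id 28639 lines are the ones from the thread joined back onto single lines; the id 4242, 7 and 9999 lines, the 20-byte header assumption (no IP options) and the 16384-byte flood threshold are constructed for the example.

```python
"""Classify IP fragments from tcpdump -v output (added example for this thread)."""
import re
from dataclasses import dataclass, field
from typing import Optional

IP_HEADER_LEN = 20      # assumption: no IP options, so a 1500-byte frame carries 1480 payload bytes
MAX_DATAGRAM = 65535    # largest IPv4 datagram; a 64K-buffer flooder lands just under this

# One tcpdump -v line in the format quoted in the thread. Ports are only printed for
# the offset-0 fragment, because the UDP header sits in the payload at offset 0.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-fA-F]+, ttl \d+, id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<proto>[A-Za-z]+)"
)

# Constructed sample: the five posted lines (id 28639) plus a normal fragmented
# NFS-sized datagram (id 4242), an unfragmented DNS reply (id 7) and an overlapping pair (id 9999).
SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:53.100001 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [+], length: 1500) 10.1.2.3.2049 > 70.84.247.170.870: UDP, length 8192
21:00:53.100120 IP (tos 0x0, ttl 64, id 4242, offset 1480, flags [+], length: 1500) 10.1.2.3 > 70.84.247.170: udp
21:00:53.100240 IP (tos 0x0, ttl 64, id 4242, offset 2960, flags [+], length: 1500) 10.1.2.3 > 70.84.247.170: udp
21:00:53.100360 IP (tos 0x0, ttl 64, id 4242, offset 4440, flags [+], length: 1500) 10.1.2.3 > 70.84.247.170: udp
21:00:53.100480 IP (tos 0x0, ttl 64, id 4242, offset 5920, flags [+], length: 1500) 10.1.2.3 > 70.84.247.170: udp
21:00:53.100600 IP (tos 0x0, ttl 64, id 4242, offset 7400, flags [none], length: 820) 10.1.2.3 > 70.84.247.170: udp
21:00:53.200000 IP (tos 0x0, ttl 64, id 7, offset 0, flags [DF], length: 60) 192.0.2.53.53 > 70.84.247.164.1025: UDP, length 32
21:00:53.300000 IP (tos 0x0, ttl 200, id 9999, offset 0, flags [+], length: 1500) 198.51.100.9.40000 > 70.84.247.164.7: UDP, length 2472
21:00:53.300100 IP (tos 0x0, ttl 200, id 9999, offset 1000, flags [none], length: 1500) 198.51.100.9 > 70.84.247.164: udp
"""


@dataclass
class Datagram:
    src: str
    dst: str
    ip_id: int
    proto: str
    frags: dict = field(default_factory=dict)   # fragment byte offset -> payload bytes
    ports: Optional[tuple] = None                # learned only from the offset-0 fragment
    saw_last: bool = False                       # a fragment without the MF ('+') flag
    first_ts: str = ""
    last_ts: str = ""


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it is not an IP line we understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "id": int(d["id"]),
        "offset": int(d["offset"]),          # tcpdump already multiplies the 8-byte units out
        "more": "+" in d["flags"],
        "payload": int(d["length"]) - IP_HEADER_LEN,
        "src": d["src"], "dst": d["dst"], "proto": d["proto"].lower(),
        "ports": (int(d["sport"]), int(d["dport"])) if d["sport"] and d["dport"] else None,
    }


def track(lines):
    """Group fragments by (src, dst, id, proto), the key an IPv4 reassembler uses."""
    table = {}
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = (f["src"], f["dst"], f["id"], f["proto"])
        dg = table.get(key)
        if dg is None:
            dg = table[key] = Datagram(f["src"], f["dst"], f["id"], f["proto"], first_ts=f["ts"])
        dg.frags[f["offset"]] = max(dg.frags.get(f["offset"], 0), f["payload"])  # tolerate duplicates
        dg.last_ts = f["ts"]
        if f["offset"] == 0:
            dg.ports = f["ports"]
        if not f["more"]:
            dg.saw_last = True
    return table


def assess(dg, flood_threshold=16384):
    """Reassembly view of one datagram plus the checks a border router would care about."""
    cursor, gaps, overlaps = 0, [], []
    for off in sorted(dg.frags):
        end = off + dg.frags[off]
        if off > cursor:
            gaps.append((cursor, off))          # bytes never seen, e.g. the whole head of the datagram
        elif off < cursor:
            overlaps.append((off, cursor))      # teardrop-style overlap, a reassembly hazard
        cursor = max(cursor, end)
    has_first = 0 in dg.frags
    return {
        "has_first": has_first,
        "ports": dg.ports,                      # None whenever the offset-0 fragment is missing
        "complete": has_first and dg.saw_last and not gaps and not overlaps,
        "gaps": gaps,
        "overlaps": overlaps,
        "min_total": cursor,                    # lower bound on the full datagram size
        "oversized": cursor > MAX_DATAGRAM,     # cannot be a valid IPv4 datagram at all
        # The brute-force pattern from the reply: a huge datagram sliced to MTU by the IP
        # layer, seen only as port-less tail fragments. Threshold is an assumption.
        "flood_suspect": cursor > flood_threshold and not has_first,
    }


def report(text, **kw):
    """Assess every datagram in a block of tcpdump output; keyed like track()."""
    return {key: assess(dg, **kw) for key, dg in track(text.splitlines()).items()}


if __name__ == "__main__":
    for (src, dst, ip_id, proto), a in report(SAMPLE).items():
        print(f"{src} > {dst} id={ip_id} {proto}: {a}")
```

On IOS the remedy in the reply is an extended ACL entry using the `fragments` keyword, for example `access-list 101 deny ip any any fragments` placed ahead of the permit entries; that keyword matches only non-initial fragments (offset greater than 0), which are exactly the port-less fragments this script flags, while the initial fragment still carries its UDP header and is matched by the ordinary entries. Whether the 3750's hardware ACLs honour the keyword is something to verify on that platform (an assumption here, not stated in the thread). Dropping every non-initial fragment also breaks legitimately fragmented traffic such as NFS over UDP or large DNS responses, so look at what the table classifies as complete and well-formed before applying it at the border.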