Re: Strange attack question - seems udp

From: Mihai Tanasescu (mihai_at_duras.ro)
Date: 10/18/05

  • Next message: Mihai Tanasescu: "Re: Strange attack question - seems udp"
    Date: Tue, 18 Oct 2005 14:21:05 +0300
    To: Carles Fragoso i Mariscal <cfragoso@cesca.es>
    
    

    Hello,

    Thanks for explaining the reason for udp ports not appearing in the
    tcpdump output.
    Well the Cisco 3750 is the gateway for my clients and not the
    destination host (so I can't figure why it starts choking)

    The source IP addresses belong to my clients (those with 86.104).

    And it usually happens like this:
    3/4 ip addresses that belong to my clients contact the same 4-5 ip
    addresses like the one below (70.84.247.164) and start doing 98% only
    upload udp traffic.

    Is it possible for a service to do so much upload compared to download?

    Carles Fragoso i Mariscal wrote:

    >Hi Mihai,
    >
    >Mihai Tanasescu wrote:
    >
    >
    >>21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>
    >>After receiving many packets like these on 3-4 interfaces, Cisco starts
    >>losing packets and acts abnormally.
    >>
    >>What I find strange is that there is no port specified (src,dst) and
    >>that the length of the packets is always 1500.
    >>
    >>
    >
    >It seems to be fragmented traffic. Because the original IP packet
    >payload is split into pieces, the layer-4 header (TCP, UDP) is only
    >included in the first packet. That's the reason you can't see the ports
    >on IP packets where the offset is different from 0.
    >
    >Does the destination IP belong to the router/multilayer switch?
    >Reassembly is done on the destination host, so fragments should only have
    >an impact on the router/switch if it is acting as the end host. That could be a
    >reason for poor performance.
    >
    >---------------------------------------------------------------------
    >Carlos Fragoso Mariscal - Network & Security Engineer/Incident Handler
    >Anella Cientifica RREN Incident Response Team (ERIAC) AS13041 CFM1-RIPE
    >Communications and Operations Dept.-Supercomputing Center of Catalonia
    > CCNA CCNP* GSEC GCFW GCIH GREM GHTQ SSP-MPA
    >cfragoso@cesca.es phone:+34932056464 pgp:0x0E4EDE07 inocdba:13041*CFM
    >---------------------------------------------------------------------
    >
    >
    >
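As an added example (not part of the thread, and not from either poster), a small Python parser for the tcpdump lines quoted above: it groups fragments by (src, dst, IP id), checks that consecutive offsets are exactly 1480 bytes apart (a 1500-byte fragment minus the 20-byte IPv4 header), and reports whether the offset-0 fragment, the only one that carries the UDP header and therefore the ports, was seen. The sixth sample line, IP id 28640 with ports 1234 and 5678, is constructed to exercise that case.

```python
import re
from collections import defaultdict
# Constructed sample: the five tcpdump lines quoted in the thread, re-joined onto one line
# each, plus one constructed offset-0 fragment (IP id 28640, ports 1234/5678) to show the ports case.
SAMPLE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:53.100000 IP (tos 0x0, ttl 127, id 28640, offset 0, flags [+], length: 1500) 86.104.102.16.1234 > 70.84.247.164.5678: UDP, length 20000
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
IP_HDR = 20  # IPv4 header without options: a 1500-byte fragment carries 1480 payload bytes

def parse_line(line):
    # Parse one 'tcpdump -v' line into a dict; None for lines that do not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: int(v) if k in ("id", "off", "len") else v for k, v in m.groupdict().items()}
    rec["more"] = "+" in rec["flags"]  # "+" means more fragments follow
    rec["src_port"] = rec["dst_port"] = None
    # Only the offset-0 fragment carries the UDP/TCP header, so only there does
    # tcpdump print host.port; later fragments show a bare address and "udp".
    if rec["off"] == 0:
        for side in ("src", "dst"):
            host, port = rec[side].rsplit(".", 1)
            rec[side], rec[side + "_port"] = host, int(port)
    return rec

def summarize_fragments(text):
    # Group fragments by (src, dst, IP id) and say what the capture shows about each datagram.
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["dst"], rec["id"])].append(rec)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda r: r["off"])
        # Consecutive fragments of a full-MTU datagram sit exactly (len - IP_HDR) bytes apart.
        stride_ok = all(b["off"] - a["off"] == a["len"] - IP_HDR for a, b in zip(frags, frags[1:]))
        first = frags[0] if frags[0]["off"] == 0 else None
        report[key] = {"fragments": len(frags), "stride_ok": stride_ok,
                       "ports": (first["src_port"], first["dst_port"]) if first else None,
                       "complete": first is not None and stride_ok and not frags[-1]["more"]}
    return report
```

For the quoted datagram (id 28639) the report shows five evenly spaced fragments, no ports, and an incomplete datagram, which is exactly what a capture that missed the first fragment looks like; a persistent stream of such groups from a client is what the router is being asked to forward.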

