Re: Strange attack question - seems udp

From: Mihai Tanasescu (mihai_at_duras.ro)
Date: 10/19/05

  • Next message: steven_at_lovebug.org: "Dismantling Botnets?"
    Date: Wed, 19 Oct 2005 05:14:03 +0300
    To: gillettdavid@fhda.edu


    Hello,

    Thanks to all of you who answered and explained to me the possible
    causes and solutions.

    Unfortunately I haven't been able to test them all as whatever was
    causing me problems has suddenly stopped; it's better to be prepared
    next time it happens.

    I'll try to filter out fragments on the Cisco to see what happens.

    David Gillett wrote:

    > Since the 1500 size is almost certainly an MTU, I'll guess
    >that those "offset" numbers are indicating that this is an
    >IP layer fragment; the UDP header information (including port
    >numbers) is at offset 0 and so is not available when examining
    >these fragments.
    >
    > There used to be a common brute-force DoS, often implemented
    >in VBasic, that went something like
    >
    > allocate buf[64K bytes]
    > send to target
    > repeat until killed
    >
    > In my experience, the "send to target" was usually done with
    >ICMP rather than UDP, but that's an implementation detail. The
    >point was that this punted slicing of the buffer by MTU to the
    >IP layer, which is what you're seeing.
    >
    > IP-layer fragmentation is a very bad idea, not least because
    >the fragments have inadequate header information. As you've found,
    >the reassembly process is rarely really robust, and can be subject
    >to DoS problems of its own. So when you say
    >
    >>After receiving many packets like these on 3-4 interfaces,
    >>Cisco starts losing packets and acts abnormal.
    >>
    >
    >I'm not terribly surprised.
    >
    >REMEDY: You can add an access list (or a line to your existing
    >access list) to block fragments. Anybody who really cares about
    >talking to you will either do PMTUD or set a sane MTU. These big
    >fragments will still try to take up your bandwidth (talk to your
    >ISP about blocking them upstream), but your router will be stable.
    >
    >David Gillett
    >
    >>-----Original Message-----
    >>From: Mihai Tanasescu [mailto:mihai@duras.ro]
    >>Sent: Thursday, October 13, 2005 11:09 AM
    >>To: incidents@securityfocus.com
    >>Subject: Strange attack question - seems udp
    >>
    >>Hello,
    >>
    >>I've been getting things like these recently:
    >>
    >>21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840,
    >>flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320,
    >>flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800,
    >>flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280,
    >>flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760,
    >>flags [+],
    >>length: 1500) 86.104.102.16 > 70.84.247.164: udp
    >>
    >>
    >>I have 24 subnets inside a Cisco 3750.
    >>
    >>After receiving many packets like these on 3-4 interfaces,
    >>Cisco starts losing packets and acts abnormal.
    >>
    >>
    >>I have gathered the output shown above from a Linux machine
    >>with tcpdump
    >>which acts as a border router.
    >>
    >>What I find strange is that there is no port specified (src,dst) and
    >>that the length of the packets is always 1500.
    >>
    >>Is there any way to filter something like this on the Cisco switch ?
    >>
    >>Is it caused by a virus or by a human ? (I have seen it from 3-4
    >>different interfaces at a time and with 4-6 different destination IPs)
    >>
    >>
    >>Any help will be greatly appreciated.
    >>
    >>
    >>Sorry if I have posted this to the wrong list.
    >>
    >>
    >
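The point David makes above, that every fragment after the first carries no UDP header and therefore no port numbers, is easy to check mechanically on the border router's own tcpdump output. The following Python script is an added example, not code from anyone in this thread: it parses lines in the `tcpdump -v` format quoted above (re-joining the lines the mail client wrapped), groups fragments by source, destination and IP id, reports whether the offset-0 fragment with the ports was ever seen, estimates the size of the original datagram from the furthest offset, and flags sources that emit many non-initial fragments. The capture text, addresses and the threshold are constructed for the demonstration; the 20-byte IP header length is an assumption (no IP options).

```python
"""Summarize IP fragments in tcpdump -v output (added example, not from the thread)."""
import re
from collections import defaultdict

IP_HEADER_LEN = 20  # assumption: no IP options, so payload = total length - 20

# Constructed sample in the wrapped form seen in the mailing-list post; the
# addresses are documentation ranges, not the ones from the original report.
SAMPLE_CAPTURE = """\
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840,
flags [+],
length: 1500) 192.0.2.10 > 198.51.100.7: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320,
flags [+],
length: 1500) 192.0.2.10 > 198.51.100.7: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800,
flags [+],
length: 1500) 192.0.2.10 > 198.51.100.7: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280,
flags [+],
length: 1500) 192.0.2.10 > 198.51.100.7: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760,
flags [none],
length: 220) 192.0.2.10 > 198.51.100.7: udp
21:00:53.100000 IP (tos 0x0, ttl 64, id 4242, offset 0, flags [DF], length: 76) 203.0.113.5.53 > 198.51.100.7.51623: UDP, length 48
"""

# One tcpdump record on a single line; ports are optional because only the
# offset-0 fragment carries the UDP header that tcpdump reads them from.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<length>\d+)\) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one (already re-joined) tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "ttl": int(d["ttl"]),
        "ip_id": int(d["id"]),
        "offset": int(d["offset"]),
        "more_fragments": "+" in d["flags"],   # tcpdump shows the MF bit as '+'
        "length": int(d["length"]),            # total IP length, header included
        "src": d["src"],
        "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "proto": d["rest"].split(",")[0].split()[0].lower(),
    }


def parse_capture(text):
    """Re-join lines a mail client wrapped, then parse each record."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ IP ", line):
            joined.append(line)          # a new record starts with a timestamp
        elif joined:
            joined[-1] += " " + line     # continuation of the previous record
    return [r for r in (parse_line(l) for l in joined) if r]


def summarize_fragments(records):
    """Group fragments by (src, dst, ip_id) and describe what was seen of each datagram."""
    groups = defaultdict(list)
    for r in records:
        if r["offset"] > 0 or r["more_fragments"]:
            groups[(r["src"], r["dst"], r["ip_id"])].append(r)
    summary = {}
    for key, frags in groups.items():
        first = [f for f in frags if f["offset"] == 0]
        summary[key] = {
            "fragments": len(frags),
            "non_initial": sum(1 for f in frags if f["offset"] > 0),
            "has_first": bool(first),
            "has_last": any(not f["more_fragments"] for f in frags),
            # ports are only readable from the fragment that carries the UDP header
            "ports_visible": any(f["sport"] is not None for f in first),
            # size of the original datagram implied by the furthest fragment seen
            "datagram_bytes": max(f["offset"] + f["length"] - IP_HEADER_LEN for f in frags),
        }
    return summary


def flag_fragment_floods(records, threshold=100):
    """Sources that sent at least `threshold` non-initial fragments (threshold is illustrative)."""
    per_src = defaultdict(int)
    for r in records:
        if r["offset"] > 0:
            per_src[r["src"]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for key, info in summarize_fragments(recs).items():
        print(key, info)
    print("fragment-heavy sources:", flag_fragment_floods(recs, threshold=5))
```

Run against a real capture with `tcpdump -nv` output piped in; `ports_visible` stays false for any datagram whose first fragment was never captured, which is exactly why the original report saw "udp" with no src/dst ports. On Cisco IOS, an extended ACL entry using the `fragments` keyword matches non-initial fragments, which is the mechanism behind the remedy David describes; check the 3750's own documentation for how that keyword behaves on that platform before relying on it.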

