Network Attack

From: Jacob S. Barrett (jbarrett_at_amduat.net)
Date: 04/21/04

    To: freebsd-isp@freebsd.org
    Date: Wed, 21 Apr 2004 06:53:39 -0700
    
    

    I was up until the wee hours of the morning trying to decipher a tcpdump of an
    ongoing attack against my network. I can't seem to figure out how it is
    being launched. A few packets come from some host outside our network. I
    assume this has a spoofed source address. They hit 1 or 2 machines in our
    network, sometimes with just a ping, other times on the windows RPC port, and
    other still just random ports. This wouldn't be so bad, but then all hell
    breaks loose on our network. Milliseconds after these packets hit a host in
    our network a dozen client routers within our network start slamming that
    external host with "ICMP time exceeded in-transit" packets. It completely
    cripples sections of our network, especially our wireless trunk lines. I
    have been looking and looking in vain at the initial incoming packets from the
    external host hoping to figure out how those dozen routers would even know
    that that host exists. The packets coming in do not appear to be targeted at
    a broadcast address. I can't for the life of me figure out how those routers
    are seeing any packets from this external host to send this ICMP message to
    it. Then even if they were, why are they sending thousands of them in less
    than a second?

    Has anyone seen something like this before? I am at a loss on how to proceed
    next. Is there a list somewhere on the net that any of you use that I should
    post this question to? Is there someone on this list that has experience
    debugging things like this with whom I could share my tcpdump (under NDA)?

    -- 
    Jacob S. Barrett
    jbarrett@amduat.net
    www.amduat.net
    "I don't suffer from insanity, I enjoy every minute of it."
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
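One way to triage a capture like the one described above, as an added example that is not part of the original post: a small Python script over constructed tcpdump-style lines (the real dump is under NDA) that flags external sources whose inbound packet is followed within milliseconds by ICMP time-exceeded replies from several internal routers. The address ranges, the 10 ms window and the minimum router count are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines standing in for the poster's capture (not real data).
SAMPLE_CAPTURE = """\
06:53:39.000100 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
06:53:39.000900 IP 10.0.0.1 > 203.0.113.7: ICMP time exceeded in-transit, length 36
06:53:39.001000 IP 10.0.0.2 > 203.0.113.7: ICMP time exceeded in-transit, length 36
06:53:39.001100 IP 10.0.0.1 > 203.0.113.7: ICMP time exceeded in-transit, length 36
06:53:39.001300 IP 10.0.0.3 > 203.0.113.7: ICMP time exceeded in-transit, length 36
06:53:45.500000 IP 198.51.100.5 > 192.0.2.11: ICMP echo request, id 2, seq 1, length 64
06:53:46.900000 IP 10.0.0.1 > 198.51.100.5: ICMP time exceeded in-transit, length 36
"""

# Matches "HH:MM:SS.uuuuuu IP src > dst: description" as printed by tcpdump -n.
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (.*)$")
INTERNAL_PREFIXES = ("10.", "192.0.2.")  # assumption: the ISP's own address space

def parse(text):
    """Turn capture lines into (seconds_since_midnight, src, dst, description) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us, src, dst, rest = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
        events.append((t, src, dst, rest))
    return events

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)

def find_storms(events, window=0.010, min_routers=2):
    """For each inbound packet from an external source, count the ICMP time-exceeded
    replies sent back to that source by distinct internal hosts within `window` seconds.
    Returns {trigger_src: (distinct_routers, total_replies)} for sources that set off
    at least `min_routers` routers, i.e. the pattern the poster describes."""
    storms = {}
    for t0, src, dst, rest in events:
        if is_internal(src) or not is_internal(dst):
            continue  # only external-to-internal packets can be triggers
        routers = defaultdict(int)
        for t, s, d, r in events:
            if t0 <= t <= t0 + window and d == src and is_internal(s) and "time exceeded" in r:
                routers[s] += 1
        if len(routers) >= min_routers:
            storms[src] = (len(routers), sum(routers.values()))
    return storms
```

Running `find_storms(parse(SAMPLE_CAPTURE))` on the constructed data reports the first source (three routers, four replies) and ignores the second, whose lone reply arrives well outside the window.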
    
