Re: Network Attack
From: Thomas Elliott (tom_at_tomelliott.net)
Date: 04/21/04
- Previous message: Edward Shabotinsky: "Re: Billing/Customer administration software"
- In reply to: Jacob S. Barrett: "Network Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: <freebsd-isp@freebsd.org> Date: Wed, 21 Apr 2004 19:46:23 +0100
Jacob S. Barrett <jbarrett@amduat.net> wrote:
> I was up until the wee hours of the morning trying to decipher a
> tcpdump of an ongoing attack against my network. I can't seem to
> figure out how it is being launched. A few packets come from some
> host outside our network. I assume this has a spoofed source address.
> They hit 1 or 2 machines in our network, sometimes with just a ping,
> other times on the windows RPC port, and other still just random
> ports. This wouldn't be so bad, but then all hell breaks loose on
> our network. Milliseconds after these packets hit a host in our
> network a dozen client routers within our network start slamming that
> external host with "ICMP time exceeded in-transit" packets. It
> completely cripples sections of our network, especially our wireless
> trunk lines. I have been looking and looking in vain at the initial
> incoming packets from the external host hoping to figure out how
> those dozen routers would even know that that host exists. The
> packets coming in do not appear to be targeted at a broadcast
> address. I can't for the life of me figure out how those routers are
> seeing any packets from this external host to send this ICMP message
> to it. Then even if they were, why are they sending thousands of
> them in less than a second?
Sounds familiar
> Has anyone seen something like this before? I am at a loss on how to
> proceed next. Is there a list somewhere on the net that any of you use
> that I should post this question to? Is there someone on this list
> that has experience debugging things like this with whom I could share my
> tcpdump (under NDA)?
Let me guess - your routers are freebsd / (zebra/quagga) based?
If so - ping/telnet/something, from outside your network, to either a
network or broadcast address, and watch.
We had this - after upgrading our zebras to 5.2.1 - we had a PR open -
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/64053 (I'm Daniel's
colleague) - afaik, it's still ongoing, we still have those firewalls in place
on those addresses.
HTH
-- ~T
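Added example, not from this thread or from the FreeBSD project: a small Python script that scans tcpdump-style lines for the pattern Jacob describes (a burst of "time exceeded" replies from many internal routers to one external host within milliseconds) and lists any inbound probes sent to a network or broadcast address, the trigger Thomas suggests testing for. The sample lines, addresses, thresholds and the assumption that internal networks are /24s are all constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the tcpdump line shapes used in the constructed sample below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<kind>time exceeded in-transit|echo request)"
)

def parse(lines):
    """Yield (timestamp, src, dst, kind) for recognised lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["src"], m["dst"], m["kind"]

def find_storms(lines, window_ms=50, min_routers=3):
    """Map external host -> number of distinct internal routers that sent it
    'time exceeded' replies within window_ms of each other (the reply storm)."""
    buckets = defaultdict(list)          # dst -> [(ts, src), ...]
    for ts, src, dst, kind in parse(lines):
        if kind == "time exceeded in-transit":
            buckets[dst].append((ts, src))
    span, storms = timedelta(milliseconds=window_ms), {}
    for dst, events in buckets.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            routers = {s for t, s in events[i:] if t - t0 <= span}
            if len(routers) >= min_routers:
                storms[dst] = max(storms.get(dst, 0), len(routers))
    return storms

def broadcast_triggers(lines):
    """Inbound echo requests aimed at a network (.0) or broadcast (.255)
    address; assumes /24 internal networks (constructed assumption)."""
    return [(src, dst) for _, src, dst, kind in parse(lines)
            if kind == "echo request" and dst.rsplit(".", 1)[1] in ("0", "255")]

# Constructed sample: one probe to a broadcast address, then four replies from
# three routers inside 50 ms, plus two slow replies elsewhere that are not a storm.
SAMPLE = """\
19:46:22.999900 IP 203.0.113.9 > 192.0.2.255: ICMP echo request, id 1, seq 1, length 64
19:46:23.000120 IP 192.0.2.1 > 203.0.113.9: ICMP time exceeded in-transit, length 36
19:46:23.000131 IP 192.0.2.17 > 203.0.113.9: ICMP time exceeded in-transit, length 36
19:46:23.000140 IP 192.0.2.33 > 203.0.113.9: ICMP time exceeded in-transit, length 36
19:46:23.000152 IP 192.0.2.1 > 203.0.113.9: ICMP time exceeded in-transit, length 36
19:46:23.200000 IP 192.0.2.1 > 198.51.100.7: ICMP time exceeded in-transit, length 36
19:46:23.400000 IP 192.0.2.17 > 198.51.100.7: ICMP time exceeded in-transit, length 36
""".splitlines()

if __name__ == "__main__":
    print("storms:", find_storms(SAMPLE))          # {'203.0.113.9': 3}
    print("broadcast probes:", broadcast_triggers(SAMPLE))
```

Feed it `tcpdump -n -tt`-style output (after adjusting the timestamp pattern) to see which external hosts are drawing replies from many routers at once and whether a broadcast-addressed probe preceded each burst.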