Network Attack
Jacob S. Barrett
jbarrett at amduat.net
Wed Apr 21 07:52:08 PDT 2004
I was up until the wee hours of the morning trying to decipher a tcpdump of an
ongoing attack against my network. I can't seem to figure out how it is
being launched. A few packets come from some host outside our network. I
assume this has a spoofed source address. They hit 1 or 2 machines in our
network, sometimes with just a ping, other times on the Windows RPC port, and
other still just random ports. This wouldn't be so bad, but then all hell
breaks loose on our network. Milliseconds after these packets hit a host in
our network a dozen client routers within our network start slamming that
external host with "ICMP time exceeded in-transit" packets. It completely
cripples sections of our network, especially our wireless trunk lines. I
have been looking and looking in vain at the initial incoming packets from the
external host hoping to figure out how those dozen routers would even know
that that host exists. The packets coming in do not appear to be targeted at
a broadcast address. I can't for the life of me figure out how those routers
are seeing any packets from this external host to send this ICMP message to
it. Then even if they were, why are they sending thousands of them in less
than a second?
Has anyone seen something like this before? I am at a loss on how to proceed
next. Is there a list somewhere on the net that any of you use that I should
post this question to? Is there someone on this list that has experience
debugging things like this that I could share my tcpdump with (under NDA)?
--
Jacob S. Barrett
jbarrett at amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
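As an added example (not from the post or its author), a small detector that applies the symptom described above to constructed, simplified tcpdump-style lines: it flags an external host when several distinct internal routers send it "ICMP time exceeded in-transit" within a short window, and reports how long after that host's last inbound packet the burst began. The internal prefix 192.0.2.0/24, the thresholds and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified tcpdump-style lines (not the poster's capture): an inbound
# ping, a burst of time-exceeded replies from internal routers, and benign traffic.
SAMPLE_LINES = """\
07:52:08.000100 IP 203.0.113.7 > 192.0.2.10: ICMP echo request
07:52:08.000900 IP 192.0.2.1 > 203.0.113.7: ICMP time exceeded in-transit
07:52:08.001200 IP 192.0.2.2 > 203.0.113.7: ICMP time exceeded in-transit
07:52:08.001300 IP 192.0.2.1 > 203.0.113.7: ICMP time exceeded in-transit
07:52:08.001900 IP 192.0.2.3 > 203.0.113.7: ICMP time exceeded in-transit
07:52:08.002400 IP 192.0.2.4 > 203.0.113.7: ICMP time exceeded in-transit
07:52:08.500000 IP 192.0.2.1 > 198.51.100.9: ICMP time exceeded in-transit
07:52:09.000000 IP 198.51.100.9 > 192.0.2.10: tcp 135 S
""".splitlines()
INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumed: our own address space
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (.*)$")

def parse(line):
    # Returns (seconds since midnight, src, dst, info), or None if the line does not match.
    m = LINE_RE.match(line)
    if not m: return None
    h, mi, s, us, src, dst, info = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6, src, dst, info

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def find_storms(lines, window=0.05, min_routers=3):
    """Map external host -> (distinct routers, messages, seconds after its last prior
    inbound packet) when >= min_routers routers send it time exceeded within `window`."""
    inbound = defaultdict(list)  # external src -> times of its inbound packets
    replies = defaultdict(list)  # external dst -> [(time, internal router)]
    for rec in filter(None, map(parse, lines)):
        t, src, dst, info = rec
        if not is_internal(src) and is_internal(dst):
            inbound[src].append(t)
        elif is_internal(src) and not is_internal(dst) and "time exceeded" in info:
            replies[dst].append((t, src))
    storms = {}
    for host, events in replies.items():
        events.sort()
        first = events[0][0]
        burst = [r for t, r in events if t - first <= window]  # routers in the window
        if len(set(burst)) >= min_routers:
            prior = [t for t in inbound[host] if t <= first]  # inbound packets before it
            delay = round(first - max(prior), 6) if prior else None
            storms[host] = (len(set(burst)), len(burst), delay)
    return storms
```

Running `find_storms(SAMPLE_LINES)` flags only 203.0.113.7 (4 routers, 5 messages, 0.0008 s after its ping); the single time-exceeded to 198.51.100.9 is left alone.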
More information about the freebsd-isp mailing list