Network Attack
Thomas Elliott
tom at tomelliott.net
Wed Apr 21 11:50:05 PDT 2004
Jacob S. Barrett <jbarrett at amduat.net> wrote:
> I was up until the wee hours of the morning trying to decipher a
> tcpdump of an ongoing attack against my network. I can't seem to
> figure out how it is being launched. A few packets come from some
> host outside our network. I assume this has a spoofed source address.
> They hit 1 or 2 machines in our network, sometimes with just a ping,
> other times on the windows RPC port, and other still just random
> ports. This wouldn't be so bad, but then all hell breaks loose on
> our network. Milliseconds after these packets hit a host in our
> network a dozen client routers within our network start slamming that
> external host with "ICMP time exceeded in-transit" packets. It
> completely cripples sections of our network, especially our wireless
> trunk lines. I have been looking and looking in vain at the initial
> incoming packets from the external host hoping to figure out how
> those dozen routers would even know that that host exists. The
> packets coming in do not appear to be targeted at a broadcast
> address. I can't for the life of me figure out how those routers are
> seeing any packets from this external host to send this ICMP message
> to it. Then even if they were, why are they sending thousands of
> them in less than a second?
Sounds familiar.
> Has anyone seen something like this before? I am at a loss on how to
> proceed next. Is there a list somewhere on the net that any of you use
> that I should post this question to? Is there someone on this list
> that has experience debugging things like this that I could share my
> tcpdump with (under NDA)?
Let me guess - your routers are freebsd / (zebra/quagga) based?
If so - ping/telnet/something, from outside your network, to either a
network or broadcast address, and watch.
We had this - after upgrading our zebras to 5.2.1 - we had a PR open -
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/64053 (I'm Daniel's
colleague) - AFAIK, it's still ongoing, we still have those firewalls in place
on those addresses.
HTH
--
~T
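One way to check a capture for the pattern Jacob describes, as an added example that is not part of the original thread: it flags outside packets aimed at a local network or broadcast address (the trigger Thomas suggests testing for) and bursts of ICMP time-exceeded replies sent to one outside host by several local routers within a second. The local prefixes, the "tcpdump -n" line shape and the sample lines are constructed assumptions, not data from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Prefixes treated as "our network" (constructed documentation ranges, not from the post).
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# Shape of an ICMP line from "tcpdump -n": timestamp, src > dst, ICMP description.
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP ([\d.]+) > ([\d.]+): ICMP (.*)$")

def classify(ip):
    """'network', 'broadcast' or 'host' for a local address; None for an outside one."""
    addr = ipaddress.ip_address(ip)
    for net in LOCAL_NETS:
        if addr in net:
            if addr == net.network_address:
                return "network"
            return "broadcast" if addr == net.broadcast_address else "host"
    return None

def analyse(lines, window=1.0, min_routers=3):
    """Return (triggers, storms): triggers are outside packets aimed at a local network or
    broadcast address; storms map an outside host to (packets, distinct local sources) for
    its busiest `window`-second burst of time-exceeded replies from >= min_routers sources."""
    triggers, replies = [], defaultdict(list)
    for m in filter(None, map(LINE_RE.match, lines)):  # skip lines that are not ICMP
        h, mi, s, src, dst, desc = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        if classify(src) is None and classify(dst) in ("network", "broadcast"):
            triggers.append((src, dst, classify(dst)))
        elif "time exceeded" in desc and classify(src) and classify(dst) is None:
            replies[dst].append((t, src))  # a local router answering the outside host
    storms = {}
    for ext, events in replies.items():
        events.sort()
        best = (0, 0)
        for i, (t0, _) in enumerate(events):  # sliding window over the sorted replies
            burst = [s for t, s in events[i:] if t < t0 + window]
            best = max(best, (len(burst), len(set(burst))))
        if best[1] >= min_routers:
            storms[ext] = best
    return triggers, storms

# Constructed capture: a ping to a local broadcast address, then replies from three routers.
SAMPLE = [
    "11:50:05.000100 IP 203.0.113.9 > 192.0.2.255: ICMP echo request, id 1, seq 1, length 64",
    "11:50:05.000400 IP 192.0.2.1 > 203.0.113.9: ICMP time exceeded in-transit, length 36",
    "11:50:05.000500 IP 192.0.2.2 > 203.0.113.9: ICMP time exceeded in-transit, length 36",
    "11:50:05.000600 IP 198.51.100.1 > 203.0.113.9: ICMP time exceeded in-transit, length 36",
    "11:50:05.000700 IP 192.0.2.1 > 203.0.113.9: ICMP time exceeded in-transit, length 36",
]
```

Running `analyse(SAMPLE)` on the constructed excerpt reports the broadcast-addressed ping as the trigger and one storm of four replies from three distinct routers aimed at the outside host.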