North American Network Operators Group


RE: Attack/DoS

  • From: Todd R. Stroup
  • Date: Wed Jun 03 23:55:49 1998

Thanks for all of your responses... but

1) I don't really need the consultants' replies saying that you will fix my
problems for $100/hour.

2) This isn't the BIND 8.x.x problem for getting root.  For this reason :

interface Loopback10
 ip address 209.115.17.65 255.255.255.224
 ip access-group 113 out

It's rather difficult to get BIND to run on a Cisco 7507, although some
people probably have tried to get it to work.

We are viewing this from a cisco router with an access-list that 
basically looks like this :

	access-list 113 permit ip any any log

Example of the udp port 0 attack :

list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.66.96.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 199.191.128.106(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.62.44.10(0) -> 209.115.17.66(0), 1 packet

Example of the DNS (53) attack :

list 113 permitted udp 207.150.3.11(53) -> 209.115.17.66(53), 121 packets
list 113 permitted udp 203.77.1.1(53) -> 209.115.17.67(53), 1 packet
list 113 permitted udp 194.62.44.10(53) -> 209.115.17.67(53), 2 packets
list 113 permitted udp 194.66.96.2(53) -> 209.115.17.67(53), 91 packets

An interesting thing to note is whoever programmed this attack used the
same IP addresses in a round robin type fashion for both (or maybe it is
just selectable in the DoS, who knows).


Todd R. Stroup
Fiber Network Solutions, Inc.


> From:	Todd R. Stroup [mailto:[email protected]]
> Sent:	Wednesday, June 03, 1998 3:53 PM
> To:	[email protected]
> Subject:	Attack/DoS
> 
> Don't know if it is just me.  But over the last 10 hours we have been
> seeing attacks on port 0 from port 0 (both tcp and udp) on several clients
> networks.  I have also seen the same attack on port udp 53(DNS).
> 
> Anyone have any information on this?
> 
> 
> Todd R. Stroup
> Fiber Network Solutions, Inc.
> 
> 
> > ---------- Forwarded message ----------
> > Date: Mon, 1 Jun 1998 21:58:17 -0500
> > From: "J.A. Terranson" <[email protected]>
> > To: [email protected]
> > Subject: (Admittedly Premature) Exploit (?) Warning.
> >
> > While I realize that this issue may not yet be "ripe", as the folks involved
> > (myself and at least three other sites) have not yet firmly established just
> > *exactly* what is going on here, but...
> >
> > There appears to be some kind of exploit making the rounds that utilizes
> > TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
> > packet traces are right now available only as historical log entries that are
> > *loosely* associated with 2 successful "root" attacks against IMAP enabled
> > servers, an unsuccessful attack against another (ours), and the possible
> > compromise of another.
> >
> >         In short, I don't know a lot, other than in the course of reviewing my
> > daily logs, I saw a couple of freaky packets (above) addressed to my
> > nameservers (both of them).  They were rejected and logged at the routers,
> > however, as a common courtesy, we notified the admin of the "sending"
> > machine that they had a sick box.  As it developed, this person had
> > received other emails regarding this from other admins, 2 of which had
> > suffered the successful attacks mentioned above - all of us seeing the
> > originating machine as the same box.  It is unknown if the source address was spoofed.
> >
> >         Basically, I think this is just a "common-cause" warning to look out
> > for weird packets of this nature, and to take notice if you see any.
> >
> >         Rather than keep a running blow-by-blow going on the various lists,
> > please address anything regarding this to me directly...
> >
> > Thanks
> > J.A. Terranson
> > [email protected]
> >
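As an added example that is not part of this thread, here is a small parser for the Cisco access-list log format Todd quotes, tagging the two patterns he describes (port 0 on either side, and UDP 53-to-53) and reporting which source addresses show up in both, which is the round-robin overlap he points out. The function and tag names and the extra TCP sample line are my own; source port 53 to destination port 53 was also how resolvers of that era sent queries, so that tag is a prompt for review rather than proof of an attack.

```python
import re
from collections import defaultdict
# One Cisco "access-list ... log" line, in the form quoted in the post:
#   list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
ACL_LOG = re.compile(r"^list (\d+) (permitted|denied) (\w+) ([\d.]+)\((\d+)\)"
                     r" -> ([\d.]+)\((\d+)\), (\d+) packets?$")

def parse_acl_log(line):
    """Return a dict for one ACL log line, or None if it does not match."""
    m = ACL_LOG.match(line.strip())
    if not m:
        return None
    acl, action, proto, src, sport, dst, dport, count = m.groups()
    return {"acl": int(acl), "action": action, "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport), "count": int(count)}

def classify(entry):
    """Tag the two patterns the post describes; None for anything else."""
    if entry["sport"] == 0 or entry["dport"] == 0:
        return "port0"      # port 0 is reserved; no real application uses it
    if entry["proto"] == "udp" and entry["sport"] == 53 and entry["dport"] == 53:
        return "udp53-53"   # also how older resolvers talk: review, not proof
    return None

def summarize(lines):
    """Packets per (tag, source address), plus sources seen in both patterns."""
    per_tag = defaultdict(lambda: defaultdict(int))
    for line in lines:
        entry = parse_acl_log(line)
        if entry is None:
            continue        # blank line or a log format this parser does not know
        tag = classify(entry)
        if tag:
            per_tag[tag][entry["src"]] += entry["count"]
    overlap = set(per_tag.get("port0", {})) & set(per_tag.get("udp53-53", {}))
    return {"per_tag": {t: dict(s) for t, s in per_tag.items()},
            "overlap": sorted(overlap)}

# Sample input: the eight lines quoted in the post plus one constructed TCP entry.
SAMPLE = """\
list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.66.96.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 199.191.128.106(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.62.44.10(0) -> 209.115.17.66(0), 1 packet
list 113 permitted udp 207.150.3.11(53) -> 209.115.17.66(53), 121 packets
list 113 permitted udp 203.77.1.1(53) -> 209.115.17.67(53), 1 packet
list 113 permitted udp 194.62.44.10(53) -> 209.115.17.67(53), 2 packets
list 113 permitted udp 194.66.96.2(53) -> 209.115.17.67(53), 91 packets
list 113 permitted tcp 10.0.0.5(1234) -> 209.115.17.66(80), 3 packets
""".splitlines()
```

Running `summarize(SAMPLE)` lists 194.62.44.10 and 194.66.96.2 as the sources common to both patterns.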