From owner-freebsd-security Wed Dec 8 16:23:24 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12]) by hub.freebsd.org (Postfix) with SMTP id 9C06315265 for ; Wed, 8 Dec 1999 16:23:21 -0800 (PST) (envelope-from freebsd@deepwell.com)
Received: (qmail 18046 invoked from network); 9 Dec 1999 01:15:08 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10) by deepwell.com with SMTP; 9 Dec 1999 01:15:08 -0000
Message-Id: <4.2.0.58.19991208161404.00cf2210@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 08 Dec 1999 16:23:17 -0800
To: "Scott I. Remick" , freebsd-security@freebsd.org
From: Deepwell Internet
Subject: Re: What kind of attack is this?
In-Reply-To: <4.2.2.19991208172247.00aa6b40@mail.computeralt.com>
References: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Our shell server was a victim of this a while back. One day when I got in to the office the phones were ringing off the hook while support staff ran around like Chihuahuas. I got calls all morning from people asking why we were scanning their network.

As far as I could tell someone was spoofing ICMP echo requests from random machines and the shell server was happily answering them. The admins of the random ping returns were seeing it as a port scan or some intrusion tool. It didn't have our T-3 pegged, but it probably had the attacker's bandwidth pegged as it. When we looked at our MRTG graphs they had a nice plateau at 2mb and stayed there. That was the day the shell server went away.

I've never found the DoS tool that generated this, but ICMP attack tools are a dime a dozen.

Also, more recently we saw a DoS attack similar to a smurf attack.
It appears that someone was spoofing the address of one of our web servers and sending SNMP tree requests to the broadcast addresses of random networks. One admin I talked to said he would see a single SNMP request come in from us (spoofed, I'm guessing) and then all their HP printers with JetDirect cards would go nuts spewing their entire MIB data back. That's much nastier than a smurf attack!

Has anyone heard of this before?

-Terry

>Well, I'm next to positive that the source addresses are spoofed. There's
>just no rhyme nor reason to them, and they seem to come from all over
>creation. As it has stopped for now, I can't really observe anything new,
>but that was my recollection.
>
>I have a good relationship with the techs at our ISP so I know they'd be
>cooperative. I don't know how it'd go from there. I'd really like to
>call this attack by name if it has one, so we're all on the same page, and
>I can do more research on it.
>-----------------------
>Scott I. Remick scott@computeralt.com
>Network and Information (802)388-7545 ext. 236
>Systems Manager FAX:(802)388-3697
>Computer Alternatives, Inc. http://www.computeralt.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
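Both patterns Terry describes (spoofed ICMP echo requests that make the answering host look like it is scanning strangers, and SNMP requests aimed at directed-broadcast addresses so every JetDirect card on the segment answers) show up on the reflecting host's own side of the wire well before the phones start ringing. The script below is an added example, not code from the thread or from FreeBSD; it works over constructed flow records using documentation address ranges and assumes a simple (timestamp, protocol, source, destination, info) record layout such as a flow exporter or a tcpdump post-processor could produce.

```python
"""Spot ICMP echo reflection and SNMP directed-broadcast requests in flow records.

Added example for the thread above; the record layout and the sample data
are constructed assumptions, not output of any real tool.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: float   # capture time in seconds
    proto: str  # "icmp" or "udp"
    src: str    # source IPv4 address as text
    dst: str    # destination IPv4 address as text
    info: str   # ICMP type name ("echo-request") or UDP destination port ("161")


def find_icmp_reflection(flows, window=10.0, min_sources=20):
    """Return {dst: max distinct echo-request sources seen in any `window` seconds}
    for destinations that reach `min_sources`.

    A host rarely receives echo requests from dozens of unrelated addresses in a
    few seconds; a flood with spoofed sources looks exactly like that, and every
    reply the host sends lands on an innocent third party who then sees "us"
    pinging them.  The threshold is a tunable assumption, not a standard value.
    """
    per_dst = defaultdict(list)
    for f in flows:
        if f.proto == "icmp" and f.info == "echo-request":
            per_dst[f.dst].append((f.ts, f.src))

    hits = {}
    for dst, events in per_dst.items():
        events.sort()
        seen = Counter()   # source -> count inside the sliding window
        left = 0
        best = 0
        for ts, src in events:
            seen[src] += 1
            # Slide the left edge forward until everything is within `window`.
            while events[left][0] < ts - window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= min_sources:
            hits[dst] = best
    return hits


def find_snmp_to_broadcast(flows, nets):
    """Return the UDP/161 flows whose destination is the directed-broadcast
    address of one of `nets` (the amplifier pattern from the post: one request
    in, a MIB walk from every printer on the segment out)."""
    broadcasts = {str(ip_network(n).broadcast_address) for n in nets}
    return [f for f in flows
            if f.proto == "udp" and f.info == "161" and f.dst in broadcasts]


# Constructed sample records (documentation ranges, not real traffic).
SAMPLE_FLOWS = (
    # 25 echo requests to the shell server from 25 different addresses in under 4 s
    [Flow(100.0 + i * 0.16, "icmp", f"198.51.100.{i + 1}", "192.0.2.10", "echo-request")
     for i in range(25)]
    # an ordinary ping exchange with a single peer
    + [Flow(100.0 + i, "icmp", "203.0.113.7", "192.0.2.11", "echo-request")
       for i in range(5)]
    # SNMP requests "from" the web server to the broadcast address of a foreign /24
    + [Flow(200.0 + i, "udp", "192.0.2.20", "203.0.113.255", "161") for i in range(3)]
    # a normal unicast SNMP poll
    + [Flow(200.5, "udp", "192.0.2.20", "203.0.113.5", "161")]
)


if __name__ == "__main__":
    for dst, n in find_icmp_reflection(SAMPLE_FLOWS).items():
        print(f"echo requests to {dst} from {n} distinct sources: likely spoofed flood")
    for f in find_snmp_to_broadcast(SAMPLE_FLOWS, ["203.0.113.0/24"]):
        print(f"SNMP request {f.src} -> {f.dst} hits a directed-broadcast address")
```

The ICMP check runs on the host that is doing the answering (Terry's shell server), which is the only place the whole picture is visible: the remote admins each see one source, while the reflector sees the fan-in. The SNMP check is the mirror image and belongs on the network whose printers answer; feeding it the list of local subnets flags any request addressed to a broadcast address, which is never a legitimate poll.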