From owner-freebsd-security Thu Aug 2 15:11:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 2068037B401 for ; Thu, 2 Aug 2001 15:11:12 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 776921C67; Thu, 2 Aug 2001 23:48:40 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 563375482; Thu, 2 Aug 2001 23:48:40 +0200 (CEST)
Date: Thu, 2 Aug 2001 23:48:39 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: Vlad
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: weird packets.. anyone?
In-Reply-To: <20010802164110.A64693@tmd.df.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 2 Aug 2001, Vlad wrote:

> I've got this today in my logs:
>
> Aug 2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
> Aug 2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len 20 96
>
> and connection to 138.
>
> Each connection was followed by the following entries in the log:
>
> Aug 2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53

I had almost the same signature today. Weird packets attempted to leave the internal network having a spoofed IP source address but were dropped by the firewall, so no DNS-related traffic was triggered.
Anyhow, my logs show: first a series of

0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328

(looks like BOOTP), then

169.254.65.154,138 -> 169.254.255.255,138 PR udp len 20 205
169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78

alternating, then a long series of

169.254.65.154,137 -> 169.254.255.255,137 PR udp len 20 78

(please note same subnet numbers as in the letter above!)

Once, immediately after the BOOTP-like packets, I got:

169.254.65.154 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0

(multicast ?!)

First series at 11:41 - 11:43 c.e.t., BOOTP queries repeated 11:46 - 13:29, second series at 13:31, third at 13:35.

That looks like a DDOS attempt but I don't like two things:
1 - too few packets to 169.254.255.255
2 - I don't know what could have triggered it since no traffic is allowed inside the network (stateful firewalling).

169.254.0.0 is assigned to IANA according to ARIN WHOIS.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
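As an added triage example (not from either poster and not part of ipmon itself), the script below parses IPFilter ipmon log lines in the layout quoted in this thread, tags each record with the pattern it matches, and counts packets per source host so an administrator can find which machine on the LAN is emitting them. The tags rest on facts that hold independently of this thread: 0.0.0.0:68 -> 255.255.255.255:67 is a BOOTP/DHCP client that has no address yet, 169.254.0.0/16 is the IPv4 link-local autoconfiguration range a host falls back to when no DHCP answer arrives, UDP 137/138 is the NetBIOS name and datagram service, 224.0.0.2 is the all-routers multicast group, and ICMP type 10 code 0 is a router solicitation. Assumptions: the regular expression is derived only from the line shapes quoted above, the "3x" prefix is read as ipmon's count of collapsed identical packets, and the sample lines are constructed to mirror the thread's patterns (with a constructed 138 and ICMP line added), not copied from either log.

```python
"""Triage helper for ipmon(8) log lines of the kind quoted in this thread.

Parses "src,sport -> dst,dport PR proto" records, tags each with the traffic
pattern it matches and summarises per source host.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Line layout assumed from the quoted ipmon records:
#   <date> <host> ipmon[pid]: HH:MM:SS.uuuuuu [Nx] <iface> @grp:rule <b|p>
#       src[,sport] -> dst[,dport] PR proto len <hl> <tot> [icmp T/C] [IN|OUT]
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:(?P<count>\d+)x\s+)?"                      # "3x" = repeated-packet count (assumed)
    r"(?P<iface>\S+)\s+@(?P<rule>\d+:\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+\d+\s+(?P<length>\d+)"
    r"(?:\s+icmp\s+(?P<itype>\d+)/(?P<icode>\d+))?"
)

LINK_LOCAL = ip_network("169.254.0.0/16")   # IPv4 link-local autoconfiguration range
ALL_ROUTERS = ip_address("224.0.0.2")        # all-routers multicast group
UNSPECIFIED = ip_address("0.0.0.0")          # "no address yet" source of a DHCP discover


def parse_line(line):
    """Return a dict for one ipmon record, or None for any other syslog line."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "count": int(d["count"] or 1),      # one packet unless ipmon collapsed several
        "iface": d["iface"],
        "rule": d["rule"],
        "blocked": d["action"] == "b",
        "src": ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": ip_address(d["dst"]),
        "dport": int(d["dport"]) if d["dport"] else None,
        "proto": d["proto"],
        "icmp": (int(d["itype"]), int(d["icode"])) if d["itype"] else None,
    }


def classify(rec):
    """Tag a parsed record with the traffic pattern it matches."""
    if (rec["proto"] == "udp" and rec["src"] == UNSPECIFIED
            and rec["sport"] == 68 and rec["dport"] == 67):
        return "dhcp-discover"                       # BOOTP/DHCP client broadcast
    if rec["src"] in LINK_LOCAL:
        if (rec["proto"] == "udp" and rec["dport"] in (137, 138)
                and rec["dst"] == LINK_LOCAL.broadcast_address):
            return "netbios-broadcast-linklocal"     # NetBIOS name/datagram service
        if rec["proto"] == "icmp" and rec["icmp"] == (10, 0) and rec["dst"] == ALL_ROUTERS:
            return "router-solicitation-linklocal"   # ICMP 10/0 to all-routers group
        return "other-linklocal"
    return "other"


def summarize(lines):
    """Count packets per pattern and per (source host, pattern), honouring the Nx multiplier."""
    by_pattern = Counter()
    by_source = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        by_pattern[tag] += rec["count"]
        by_source[str(rec["src"])][tag] += rec["count"]
    return by_pattern, by_source


# Constructed sample lines in the ipmon layout, mirroring the thread's patterns.
SAMPLE = """\
Aug  2 12:51:32 tmd ipmon[35772]: 12:51:31.270526 ed0 @0:5 b 0.0.0.0,68 -> 255.255.255.255,67 PR udp len 20 328 IN
Aug  2 12:57:54 tmd ipmon[35772]: 12:52:34.606148 3x ed0 @0:5 b 169.254.179.233,137 -> 169.254.255.255,137 PR udp len 20 96 IN
Aug  2 12:58:01 tmd ipmon[35772]: 12:58:00.102233 ed0 @0:5 b 169.254.179.233,138 -> 169.254.255.255,138 PR udp len 20 205 IN
Aug  2 12:58:02 tmd ipmon[35772]: 12:58:01.500000 ed0 @0:5 b 169.254.179.233 -> 224.0.0.2 PR icmp len 20 28 icmp 10/0 IN
Aug  2 13:33:39 tmd /kernel: Connection attempt to UDP 24.43.202.10:1931 from 24.2.9.35:53
""".splitlines()

if __name__ == "__main__":
    patterns, sources = summarize(SAMPLE)
    for tag, n in patterns.most_common():
        print(f"{n:4d}  {tag}")
    for src, tags in sources.items():
        print(src, dict(tags))
```

Run against a real ipmon syslog file, the per-source table is the useful part: a single 169.254.x.y address accounting for all the NetBIOS and router-solicitation records points at one host that never obtained a DHCP lease, whereas many distinct link-local sources would be worth a closer look. The kernel "Connection attempt" lines are a different log format and are deliberately skipped rather than guessed at.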