From owner-freebsd-security Mon May 17 16:48:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (Postfix) with ESMTP id B01B61540E for ; Mon, 17 May 1999 16:48:30 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id JAA29928; Tue, 18 May 1999 09:18:29 +0930 (CST)
Received: from localhost by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA28585; Tue, 18 May 1999 09:19:19 +0930
Date: Tue, 18 May 1999 09:19:18 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: Dag-Erling Smorgrav
Cc: Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG
Subject: Re: Interesting Attack
In-Reply-To:
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 17 May 1999, Dag-Erling Smorgrav wrote:

> Cy Schubert writes:
> > I'm seeing a number of packets from sites around the Internet to
> > port 1096. What service lives on port 1096? Has anyone seen this
> > before?
>
> None. I think somebody's trying to bounce packets off your machine to
> another box by spoofing the source address, *or* somebody has been
> sending spoofed packets with your IP as source address to some other
> boxen.
>
> Look at the source ports: 23 (telnet), 139 (NetBIOS), 6667 (IRC)... I
> checked the IP addresses which appear with port 6667, and they're all
> IRC servers. You wouldn't expect connections to *originate* from port
> 6667 on these boxen; I think somebody sent them SYN packets made up to
> look as if they came from you, and they replied.
>
> In any case, I don't think you're the target; you're just an innocent
> passer-by which they picked to pin the blame on (from the POV of the
> target sites, it looks as if *you* ran a port scan on them - or would
> if your firewall hadn't dropped those packets).

I was getting hundreds of similar packets per day here a few weeks ago,
almost all from different sites, all from spoofed source addresses, to a
nonexistent IP address and on an unobtrusive port number (1584), but the
common thread was that all of the source hosts were running an IRC
daemon. I never did find out conclusively what it was, but my guess is
that someone was using my source address to spoof packets from, and I was
seeing reverse probes by the IRC server. It all stopped when I turned on
IP unreachables on my firewall.

Kris

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"
"Wow, that's sharp!"
- Ace Rimmer and the Cat, _Red Dwarf_

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
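The mechanism discussed in the thread (a third party spoofing the reporter's address in SYNs sent to IRC, telnet and NetBIOS servers, whose SYN/ACK or RST replies then arrive unsolicited on one local port) can be triaged from a packet or firewall log by keeping track of which connections the local host actually opened and flagging reply-type packets that match none of them. The Python below is an added example, not code from the thread or from FreeBSD; the record format, the RFC 5737 sample addresses, the set of "server" ports and the source-count threshold are all my own assumptions.

```python
"""Backscatter triage: find inbound SYN/ACK and RST packets that answer SYNs we
never sent, then group them by the local port they hit.

Added example, not code from the freebsd-security thread.  The log format is a
constructed, simplified tcpdump-style tuple; in practice these records would be
derived from a pcap or from firewall log lines.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports a connection is normally made *to*, not *from*.  Replies arriving with one
# of these as the source port are consistent with a server answering a SYN.
# (Assumed set for this example; extend to taste.)
SERVER_PORTS = {21, 22, 23, 25, 80, 113, 139, 443, 6667}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to our network (assumed field)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # tcpdump-style: "S", "S.", "R", "R.", ".", "P."


def is_reply_flags(flags: str) -> bool:
    """SYN/ACK ("S.") and RST ("R", "R.") are what a host sends in reaction to a
    SYN it received.  A bare SYN is somebody probing us, not backscatter."""
    return flags in ("S.", "R", "R.")


def find_unsolicited(packets):
    """Return inbound reply packets for which no matching outbound SYN was seen."""
    initiated = set()   # (our_ip, our_port, remote_ip, remote_port) we opened
    unsolicited = []
    for p in packets:
        if p.direction == "out" and p.flags == "S":
            initiated.add((p.src, p.sport, p.dst, p.dport))
        elif p.direction == "in" and is_reply_flags(p.flags):
            if (p.dst, p.dport, p.src, p.sport) not in initiated:
                unsolicited.append(p)
    return unsolicited


def backscatter_report(packets, min_sources=3):
    """Group unsolicited replies by destination port.  Many distinct remote hosts,
    answering from well-known service ports to one oddball local port, is the
    signature of someone spoofing our address in SYNs sent to those hosts."""
    by_port = defaultdict(list)
    for p in find_unsolicited(packets):
        by_port[p.dport].append(p)
    report = {}
    for dport, pkts in by_port.items():
        sources = {p.src for p in pkts}
        from_servers = sum(1 for p in pkts if p.sport in SERVER_PORTS or p.sport < 1024)
        report[dport] = {
            "packets": len(pkts),
            "distinct_sources": len(sources),
            "from_server_ports": from_servers,
            # threshold is an assumption: tune to the site's normal traffic
            "likely_backscatter": len(sources) >= min_sources
                                  and from_servers * 2 > len(pkts),
        }
    return report


# Constructed sample traffic using RFC 5737 documentation addresses.
# Our host is 192.0.2.5.
SAMPLE = [
    # A legitimate IRC session we opened: outbound SYN, then its SYN/ACK.  Not backscatter.
    Packet("out", "192.0.2.5", 1096, "203.0.113.10", 6667, "S"),
    Packet("in", "203.0.113.10", 6667, "192.0.2.5", 1096, "S."),
    # Replies to SYNs we never sent, from different IRC/telnet/NetBIOS servers,
    # all landing on local port 1096: the pattern described in the thread.
    Packet("in", "198.51.100.1", 6667, "192.0.2.5", 1096, "S."),
    Packet("in", "198.51.100.2", 6667, "192.0.2.5", 1096, "R."),
    Packet("in", "198.51.100.3", 23, "192.0.2.5", 1096, "S."),
    Packet("in", "198.51.100.4", 139, "192.0.2.5", 1096, "R."),
    # A plain SYN scan against us from a high port.  Hostile, but not backscatter.
    Packet("in", "203.0.113.77", 40000, "192.0.2.5", 22, "S"),
]

if __name__ == "__main__":
    for port, info in sorted(backscatter_report(SAMPLE).items()):
        print(port, info)
```

Run on the constructed sample, only port 1096 appears in the report, with four packets from four distinct sources, all from server-side ports, and is flagged as likely backscatter; the reply from the IRC server we actually connected to is excluded because its outbound SYN was seen, and the bare SYN to port 22 is excluded because a SYN is not a reply. A single unsolicited reply is not flagged, which keeps one stray RST from a closed port from looking like an incident.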