From owner-freebsd-isp@FreeBSD.ORG Wed Apr 21 07:52:08 2004
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF73116A4CE; Wed, 21 Apr 2004 07:52:08 -0700 (PDT)
Received: from bes.amduat.net (bes.amduat.net [206.124.149.190]) by mx1.FreeBSD.org (Postfix) with ESMTP id 494FD43D3F; Wed, 21 Apr 2004 07:52:08 -0700 (PDT) (envelope-from jbarrett@amduat.net)
Received: from osiris.amduat.net (osiris.amduat.net [10.0.0.69]) (AUTH: LOGIN jbarrett, SSL: TLSv1/SSLv3,128bits,RC4-MD5) by bes.amduat.net with esmtp; Wed, 21 Apr 2004 07:52:07 -0700
From: "Jacob S. Barrett" <jbarrett@amduat.net>
To: freebsd-isp@freebsd.org
Date: Wed, 21 Apr 2004 06:53:39 -0700
User-Agent: KMail/1.6.1
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200404210653.39359.jbarrett@amduat.net>
Subject: Network Attack
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Wed, 21 Apr 2004 14:52:08 -0000

I was up until the wee hours of the morning trying to decipher a tcpdump of an ongoing attack against my network. I can't seem to figure out how it is being launched. A few packets come from some host outside our network. I assume this has a spoofed source address. They hit 1 or 2 machines in our network, sometimes with just a ping, other times on the Windows RPC port, and others still on just random ports. This wouldn't be so bad, but then all hell breaks loose on our network. Milliseconds after these packets hit a host in our network, a dozen client routers within our network start slamming that external host with "ICMP time exceeded in-transit" packets. It completely cripples sections of our network, especially our wireless trunk lines.
I have been looking and looking in vain at the initial incoming packets from the external host, hoping to figure out how those dozen routers would even know that that host exists. The packets coming in do not appear to be targeted at a broadcast address. I can't for the life of me figure out how those routers are seeing any packets from this external host to send this ICMP message to it. Then, even if they were, why are they sending thousands of them in less than a second? Has anyone seen something like this before? I am at a loss on how to proceed next. Is there a list somewhere on the net that any of you use that I should post this question to? Is there someone on this list who has experience debugging things like this, with whom I could share my tcpdump (under NDA)?

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
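The symptom the post describes, many internal routers bursting "ICMP time exceeded in-transit" replies at one external address within the same second, is easy to pick out of a text tcpdump once you bucket the replies per second and per destination. The script below is an added example, not code from the original post or from the poster; it parses the default `tcpdump -n` text format (timestamp, `IP src > dst:`, then the ICMP description, which is an assumption about the capture's formatting), and flags any one-second bucket in which more than a threshold number of time-exceeded replies were sent to the same destination, listing which internal routers sourced them. The sample capture lines are constructed for the example and use documentation and private address ranges, not addresses from the post.

```python
import re
from collections import defaultdict

# Matches one line of `tcpdump -n` text output carrying an ICMP time-exceeded
# reply, e.g.:
#   07:52:07.123456 IP 10.0.0.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36
# The exact wording/layout is an assumption about the default tcpdump format.
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}:\d{2}:\d{2})\.\d{6} IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP time exceeded in-transit"
)

# Constructed sample capture (not from the original post): one probe from an
# external host, then a burst of time-exceeded replies from three internal
# routers toward that host, plus one unrelated reply in a later second.
SAMPLE_LINES = [
    "07:52:07.000100 IP 203.0.113.5 > 10.0.1.20: ICMP echo request, id 1, seq 1, length 64",
    "07:52:07.000900 IP 10.0.0.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001000 IP 10.0.0.2 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001100 IP 10.0.0.3 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001200 IP 10.0.0.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001300 IP 10.0.0.2 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001400 IP 10.0.0.3 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001500 IP 10.0.0.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:07.001600 IP 10.0.0.2 > 203.0.113.5: ICMP time exceeded in-transit, length 36",
    "07:52:09.400000 IP 10.0.0.1 > 198.51.100.9: ICMP time exceeded in-transit, length 36",
]


def parse_time_exceeded(lines):
    """Yield (second, src, dst) for each ICMP time-exceeded line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("sec"), m.group("src"), m.group("dst")


def find_storms(lines, threshold=5):
    """Bucket time-exceeded replies by (second, destination).

    Returns {(second, dst): {"count": n, "routers": {src, ...}}} for every
    bucket whose reply count exceeds `threshold`. A single bucket fed by
    several distinct routers is the reflection pattern described in the post.
    """
    buckets = defaultdict(lambda: {"count": 0, "routers": set()})
    for sec, src, dst in parse_time_exceeded(lines):
        bucket = buckets[(sec, dst)]
        bucket["count"] += 1
        bucket["routers"].add(src)
    return {key: val for key, val in buckets.items() if val["count"] > threshold}


def report(storms):
    """Render the flagged buckets as one line each, for a quick eyeball check."""
    out = []
    for (sec, dst), info in sorted(storms.items()):
        routers = ", ".join(sorted(info["routers"]))
        out.append(f"{sec} -> {dst}: {info['count']} time-exceeded replies from {routers}")
    return out


if __name__ == "__main__":
    # Feed a real capture with: tcpdump -n -r capture.pcap icmp | python3 this_script.py
    # (reading stdin is left as an exercise; here we run the constructed sample)
    for line in report(find_storms(SAMPLE_LINES)):
        print(line)
```

On a live capture, pipe `tcpdump -n -r capture.pcap icmp` into `find_storms` and raise the threshold to whatever your normal per-second time-exceeded rate is; a bucket fed by many distinct internal routers toward one outside address is what the post's symptom looks like, and the router set tells you which devices to inspect first.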