Date: Wed, 25 Jul 2001 14:04:44 -0400
From: "Joe Mays" <jfmays@launchpad.win.net>
To: <freebsd-isp@FreeBSD.ORG>
Subject: Unusual DOS attack
Message-ID: <011001c11534$490e6f50$d70118d8@ENGINEERING01>
Last week someone launched a DOS against a site on our system that exhibited some puzzling behaviors. I wanted to ask if anyone on here has seen anything similar. Since the DOS had nothing to do with FreeBSD in particular, I apologize if this is somewhat off-topic, but this seemed like a forum where the participants might be interested, anyway.

The attack was a lot like a smurf attack, but with some puzzling differences. Someone was throwing a huge amount of ICMP traffic through one of our gateway routers. This was being broadcast out to every host on the inside LAN segment of the router (the switch on the LAN segment was a Baystack 350-24T). To that extent, it looked like a smurf attack, except -- there was no system on the LAN that was reflecting traffic back, and nothing had directed broadcast turned on; also, I went to some cisco routers on the inside lan segment and turned on icmp debugging, and they showed no icmp traffic coming in through the lan interface. We asked the provider to shut off ICMP on the incoming WAN interface, and that cleared things up, but I am still puzzled as to what was going on.

I should point out that we didn't discover until after the fact that there was an interface on the 350-24T switch that had not been updating in MRTG for a month or so, and it was possible that whatever was reflecting ICMP was on that port, so that we didn't see the traffic bouncing back into the switch from there, but I scanned the subnet for ports with icmp directed broadcast turned on and couldn't find any. It is possible too that the ICMP traffic was somehow being bounced out of the switch itself, I suppose, though I couldn't find any way to do that. I am more puzzled by the fact that the ICMP traffic was not showing up in icmp debugging on cisco routers on the lan segment, even though they showed the flood of traffic coming in through the ethernet interface. Normally, smurfing is extremely obvious in icmp debugging.
--
Joe Mays - Engineering Manager (502) 815-7166
Win.Net Business Internet - http://www.win.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
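The question the message leaves open is whether any host on the LAN was actually reflecting the broadcast ICMP back at the victim, which is what separates a smurf amplification from a plain ICMP flood aimed at the broadcast address. The following script is an added example, not code from the original e-mail or from Win.Net: it reads tcpdump-style text lines from a capture taken on the inside LAN segment, counts echo requests sent to the segment's broadcast address per (spoofed) source, then counts echo replies that LAN hosts sent back to those sources and names the reflecting hosts. The capture lines, the LAN prefix 203.0.113.0/24 and the addresses in them are constructed sample data; the line format is the default `tcpdump -n` ICMP output.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample capture in `tcpdump -n` style (not from the original e-mail).
# 198.51.100.7 is the spoofed victim; 203.0.113.0/24 is the inside LAN segment.
SAMPLE_CAPTURE = """\
14:02:11.000101 IP 198.51.100.7 > 203.0.113.255: ICMP echo request, id 7, seq 1, length 64
14:02:11.000355 IP 198.51.100.7 > 203.0.113.255: ICMP echo request, id 7, seq 2, length 64
14:02:11.000612 IP 203.0.113.20 > 198.51.100.7: ICMP echo reply, id 7, seq 1, length 64
14:02:11.000640 IP 203.0.113.21 > 198.51.100.7: ICMP echo reply, id 7, seq 1, length 64
14:02:11.000655 IP 203.0.113.22 > 198.51.100.7: ICMP echo reply, id 7, seq 1, length 64
14:02:11.000701 IP 198.51.100.7 > 203.0.113.255: ICMP echo request, id 7, seq 3, length 64
14:02:11.000880 IP 203.0.113.20 > 198.51.100.7: ICMP echo reply, id 7, seq 2, length 64
14:02:11.000902 IP 203.0.113.21 > 198.51.100.7: ICMP echo reply, id 7, seq 2, length 64
14:02:12.104000 IP 203.0.113.5 > 192.0.2.9: ICMP echo request, id 3, seq 1, length 64
14:02:12.105000 IP 192.0.2.9 > 203.0.113.5: ICMP echo reply, id 3, seq 1, length 64
"""

# Matches the fixed prefix of a tcpdump ICMP echo line; anything else is skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


def parse_icmp_lines(text):
    """Return (src, dst, kind) tuples for every ICMP echo line in the capture text."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m.group("src"), m.group("dst"), m.group("kind")))
    return out


def analyze_smurf(text, lan_cidr, min_requests=1):
    """Per spoofed victim address: broadcast echo requests seen, LAN replies back to
    it, the reflecting LAN hosts, and a verdict. Two passes so that reply ordering
    relative to requests does not matter."""
    lan = ipaddress.ip_network(lan_cidr)
    bcast = str(lan.broadcast_address)
    packets = parse_icmp_lines(text)

    # Pass 1: echo requests aimed at the segment broadcast, keyed by claimed source.
    requests = Counter(src for src, dst, kind in packets
                       if kind == "request" and dst == bcast)

    # Pass 2: echo replies that LAN hosts sent to any of those sources.
    replies = Counter()
    reflectors = {}
    for src, dst, kind in packets:
        if kind == "reply" and dst in requests and ipaddress.ip_address(src) in lan:
            replies[dst] += 1
            reflectors.setdefault(dst, set()).add(src)

    report = {}
    for victim, nreq in requests.items():
        if nreq < min_requests:
            continue
        nrep = replies[victim]
        hosts = sorted(reflectors.get(victim, set()))
        if nrep == 0:
            verdict = "broadcast ICMP flood; no reflection seen at this capture point"
        else:
            verdict = "smurf amplification: %d reflectors, %.2f replies per request" % (
                len(hosts), nrep / nreq)
        report[victim] = {"requests": nreq, "replies": nrep,
                          "reflectors": hosts, "verdict": verdict}
    return report


if __name__ == "__main__":
    for victim, info in analyze_smurf(SAMPLE_CAPTURE, "203.0.113.0/24").items():
        print(victim, info)
```

If a capture from the LAN side shows broadcast requests but no replies, the reflection (if any) is happening somewhere the capture point cannot see, for example on an unmonitored switch port, which is the situation the message describes; running the same script against a capture from each segment narrows that down.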
