Date: Wed, 21 Apr 2004 19:46:23 +0100
From: "Thomas Elliott" <tom@tomelliott.net>
To: <freebsd-isp@freebsd.org>
Subject: Re: Network Attack
Message-ID: <0a3601c427d1$6de77530$0a64640a@sharfleet.co.uk>
References: <200404210653.39359.jbarrett@amduat.net>
Jacob S. Barrett <jbarrett@amduat.net> wrote:

> I was up until the wee hours of the morning trying to decipher a tcpdump of an ongoing attack against my network. I can't seem to figure out how it is being launched. A few packets come from some host outside our network. I assume this has a spoofed source address. They hit 1 or 2 machines in our network, sometimes with just a ping, other times on the Windows RPC port, and other still just random ports. This wouldn't be so bad, but then all hell breaks loose on our network. Milliseconds after these packets hit a host in our network a dozen client routers within our network start slamming that external host with "ICMP time exceeded in-transit" packets. It completely cripples sections of our network, especially our wireless trunk lines. I have been looking and looking in vain at the initial incoming packets from the external host hoping to figure out how those dozen routers would even know that that host exists. The packets coming in do not appear to be targeted at a broadcast address. I can't for the life of me figure out how those routers are seeing any packets from this external host to send this ICMP message to it. Then even if they were, why are they sending thousands of them in less than a second?

Sounds familiar.

> Has anyone seen something like this before? I am at a loss on how to proceed next. Is there a list somewhere on the net that any of you use that I should post this question to? Is there someone on this list that has experience debugging things like this that I could share my tcpdump with (under NDA)?

Let me guess - your routers are FreeBSD / (zebra/quagga) based? If so - ping/telnet/something, from outside your network, to either a network or broadcast address, and watch.
We had this - after upgrading our zebras to 5.2.1 - we had a PR open - http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/64053 (I'm Daniel's colleague) - afaik, it's still ongoing, we still have those firewalls in place on those addresses.

HTH

--
~T
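The symptom described in this thread (many internal routers answering one external host with "ICMP time exceeded in-transit" within milliseconds) is easy to spot mechanically in a capture. The following is an added example, not code from either poster; it assumes `tcpdump -n` text output and uses a constructed sample capture, with 10.0.0.0/16 standing in for the operator's internal address space.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Matches tcpdump -n lines such as:
# 19:46:00.000900 IP 10.0.1.1 > 203.0.113.7: ICMP time exceeded in-transit, length 36
TIME_EXCEEDED = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP time exceeded in-transit"
)

def find_storms(lines, internal_nets, window_ms=1000, min_routers=3, min_packets=10):
    """Return {external_host: (packets, distinct_internal_routers)} for each host
    that receives >= min_packets time-exceeded replies from >= min_routers distinct
    internal routers inside some window_ms-wide window (largest window reported)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    by_dst = defaultdict(list)
    for line in lines:
        m = TIME_EXCEEDED.match(line)
        if not m:
            continue
        if not any(ipaddress.ip_address(m["src"]) in n for n in nets):
            continue  # only count replies originating from our own routers
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        by_dst[m["dst"]].append((ts, m["src"]))
    storms = {}
    for dst, events in by_dst.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_ms
            while (events[end][0] - events[start][0]).total_seconds() * 1000 > window_ms:
                start += 1
            span = events[start:end + 1]
            routers = {src for _, src in span}
            if len(span) >= min_packets and len(routers) >= min_routers:
                storms[dst] = max(storms.get(dst, (0, 0)), (len(span), len(routers)))
    return storms

# Constructed sample (not the thread's capture): two lone replies to one host a
# minute apart, one external probe, then 12 routers answering 203.0.113.7 in ~12 ms.
SAMPLE = [
    "19:45:00.000100 IP 10.0.1.1 > 198.51.100.9: ICMP time exceeded in-transit, length 36",
    "19:46:00.000100 IP 10.0.1.1 > 198.51.100.9: ICMP time exceeded in-transit, length 36",
    "19:46:00.000200 IP 203.0.113.7 > 10.0.255.255: ICMP echo request, id 1, seq 1, length 64",
] + [
    f"19:46:00.{500 + i * 500:06d} IP 10.0.{1 + i % 12}.1 > 203.0.113.7: "
    "ICMP time exceeded in-transit, length 36"
    for i in range(24)
]
```

Feed it real capture text with `find_storms(open("dump.txt"), ["<your internal prefixes>"])`; the thresholds are starting points to tune against normal background rates of time-exceeded replies.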