From: "Thomas Elliott"
To: freebsd-isp@freebsd.org
Date: Wed, 21 Apr 2004 19:46:23 +0100
Subject: Re: Network Attack
References: <200404210653.39359.jbarrett@amduat.net>
List-Id: Internet Services Providers

Jacob S. Barrett wrote:
> I was up until the wee hours of the morning trying to decipher a
> tcpdump of an ongoing attack against my network. I can't seem to
> figure out how it is being launched. A few packets come from some
> host outside our network. I assume this has a spoofed source address.
> They hit 1 or 2 machines in our network, sometimes with just a ping,
> other times on the Windows RPC port, and others still just random
> ports. This wouldn't be so bad, but then all hell breaks loose on
> our network. Milliseconds after these packets hit a host in our
> network a dozen client routers within our network start slamming that
> external host with "ICMP time exceeded in-transit" packets. It
> completely cripples sections of our network, especially our wireless
> trunk lines. I have been looking and looking in vain at the initial
> incoming packets from the external host hoping to figure out how
> those dozen routers would even know that that host exists. The
> packets coming in do not appear to be targeted at a broadcast
> address. I can't for the life of me figure out how those routers are
> seeing any packets from this external host to send this ICMP message
> to it. Then even if they were, why are they sending thousands of
> them in less than a second?

Sounds familiar.

> Has anyone seen something like this before? I am at a loss on how to
> proceed next. Is there a list somewhere on the net that any of you use
> that I should post this question to? Is there someone on this list
> that has experience debugging things like this that I could share my
> tcpdump with (under NDA)?

Let me guess - your routers are FreeBSD / (zebra/quagga) based?

If so - ping/telnet/something, from outside your network, to either a
network or broadcast address, and watch.

We had this - after upgrading our zebras to 5.2.1 - we had a PR open -
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/64053 (I'm Daniel's
colleague) - afaik, it's still ongoing, we still have those firewalls in
place on those addresses.

HTH
--
~T
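The symptom described in this thread (many internal routers firing "ICMP time exceeded in-transit" at one external host within a fraction of a second) is easy to spot in a tcpdump text capture once you look for it. The following script is an added example, not code from either poster: it parses tcpdump's default one-line ICMP output, groups time-exceeded packets by destination, and flags any destination that collects a burst from several distinct routers inside a short window. The sample capture lines, the 10.100.100.x router addresses and the 198.51.100.7 / 192.0.2.9 external hosts are all constructed for the example; the thresholds (window, packet count, router count) are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict

# tcpdump's default text line for an ICMP time-exceeded packet looks like:
#   18:49:41.004000 IP 10.100.100.2 > 198.51.100.7: ICMP time exceeded in-transit, length 36
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP time exceeded in-transit"
)


def parse_ts(ts):
    """Convert a tcpdump HH:MM:SS.ffffff timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_icmp_storms(lines, window=1.0, min_pkts=50, min_routers=3):
    """Return {dst: (packet_count, {router_src, ...})} for every destination
    that received at least `min_pkts` time-exceeded packets within any
    `window`-second span, sent by at least `min_routers` distinct sources.
    Lines that are not ICMP time-exceeded (pings, TCP, etc.) are ignored."""
    events = defaultdict(list)  # dst -> [(timestamp, src), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events[m.group("dst")].append((parse_ts(m.group("ts")), m.group("src")))

    storms = {}
    for dst, evs in events.items():
        evs.sort()
        best_count, best_srcs, start = 0, set(), 0
        # Sliding window over the sorted timestamps for this destination.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_srcs = {src for _, src in evs[start:end + 1]}
        if best_count >= min_pkts and len(best_srcs) >= min_routers:
            storms[dst] = (best_count, best_srcs)
    return storms


def build_sample_capture():
    """Constructed tcpdump lines (not a real capture): one inbound ping from
    198.51.100.7, then 120 time-exceeded replies from 12 routers in 0.48 s,
    plus one ordinary traceroute-style reply to an unrelated host."""
    def fmt(t):
        return "%02d:%02d:%09.6f" % (int(t // 3600), int(t % 3600 // 60), t % 60)

    base = 18 * 3600 + 49 * 60 + 41  # 18:49:41
    lines = [fmt(base) + " IP 198.51.100.7 > 10.100.200.15: ICMP echo request, id 1, seq 1, length 64"]
    for i in range(120):
        router = "10.100.100.%d" % (i % 12 + 1)
        lines.append(fmt(base + i * 0.004)
                     + " IP %s > 198.51.100.7: ICMP time exceeded in-transit, length 36" % router)
    lines.append(fmt(base + 4.1)
                 + " IP 10.100.100.3 > 192.0.2.9: ICMP time exceeded in-transit, length 36")
    return lines


SAMPLE_LINES = build_sample_capture()

if __name__ == "__main__":
    # Run against a real file with: tcpdump -n -r capture.pcap icmp | python3 this.py
    import sys
    src = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for dst, (count, routers) in find_icmp_storms(src).items():
        print("storm toward %s: %d time-exceeded packets from %d routers: %s"
              % (dst, count, len(routers), ", ".join(sorted(routers))))
```

The single reply to 192.0.2.9 is left alone because it never reaches the packet or router thresholds; only the burst toward 198.51.100.7 is reported. On a live box the same check can be fed from `tcpdump -n -l icmp` so the storm is caught while it is happening rather than reconstructed from a multi-gigabyte capture the morning after.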