Date: Wed, 21 Apr 2004 06:53:39 -0700
From: "Jacob S. Barrett" <jbarrett@amduat.net>
To: freebsd-isp@freebsd.org
Subject: Network Attack
Message-ID: <200404210653.39359.jbarrett@amduat.net>
I was up until the wee hours of the morning trying to decipher a tcpdump of an ongoing attack against my network. I can't seem to figure out how it is being launched. A few packets come from some host outside our network. I assume this has a spoofed source address. They hit 1 or 2 machines in our network, sometimes with just a ping, other times on the Windows RPC port, and others still on just random ports. This wouldn't be so bad, but then all hell breaks loose on our network. Milliseconds after these packets hit a host in our network, a dozen client routers within our network start slamming that external host with "ICMP time exceeded in-transit" packets. It completely cripples sections of our network, especially our wireless trunk lines.

I have been looking and looking in vain at the initial incoming packets from the external host, hoping to figure out how those dozen routers would even know that that host exists. The packets coming in do not appear to be targeted at a broadcast address. I can't for the life of me figure out how those routers are seeing any packets from this external host to send this ICMP message to it. Then, even if they were, why are they sending thousands of them in less than a second?

Has anyone seen something like this before? I am at a loss on how to proceed next. Is there a list somewhere on the net that any of you use that I should post this question to? Is there someone on this list who has experience debugging things like this with whom I could share my tcpdump (under NDA)?

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
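The correlation the poster is doing by hand (an inbound packet from an external host, then a burst of "ICMP time exceeded in-transit" from many internal routers to that host within milliseconds) can be automated over a text capture. The script below is an added example written for this page, not code from the original mail or from the FreeBSD project. It parses lines in the shape of `tcpdump -n` output (IPv4 only, with the port appended to the address by a dot, which is a simplification of tcpdump's real formatting), treats 192.0.2.0/24 as the internal range, and flags any external host that receives time-exceeded messages from at least `min_routers` distinct internal sources within `window_ms` of one of its packets arriving. The capture embedded in it is constructed for the example; the addresses, network range and thresholds are all assumptions.

```python
"""Correlate inbound packets with bursts of ICMP time-exceeded replies.

Added example (not from the original mail): parse `tcpdump -n` style lines and
report any external host that, right after sending a packet into the internal
range, is answered by ICMP time-exceeded messages from several internal
routers within a short window.  The capture below is constructed, not a trace.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `tcpdump -n` output.  192.0.2.0/24 stands
# in for the internal network; 203.0.113.5 and 198.51.100.9 are external hosts.
SAMPLE_CAPTURE = """\
06:51:02.000100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64
06:51:02.000350 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 7, seq 1, length 64
06:51:02.000900 IP 192.0.2.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.001000 IP 192.0.2.2 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.001100 IP 192.0.2.3 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.001200 IP 192.0.2.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.001300 IP 192.0.2.4 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.001400 IP 192.0.2.2 > 203.0.113.5: ICMP time exceeded in-transit, length 36
06:51:02.900000 IP 198.51.100.9.40000 > 192.0.2.20.135: Flags [S], seq 1, win 64240, length 0
06:51:02.900500 IP 192.0.2.20.135 > 198.51.100.9.40000: Flags [R.], seq 0, ack 2, win 0, length 0
06:51:03.500000 IP 192.0.2.1 > 203.0.113.5: ICMP time exceeded in-transit, length 36
"""

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed internal range

# "HH:MM:SS.uuuuuu IP src[.port] > dst[.port]: info".  IPv4 only; the optional
# ".port" suffix is how tcpdump -n prints TCP/UDP endpoints.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<info>.*)$"
)


def parse_capture(text):
    """Yield (timestamp, src, dst, info) for each parseable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")  # same-day capture assumed
        yield ts, ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["info"]


def find_ttl_exceeded_bursts(text, internal_net=INTERNAL_NET, window_ms=200, min_routers=3):
    """Return one finding per inbound packet that is followed, within window_ms,
    by ICMP time-exceeded messages from at least min_routers internal sources
    back to the packet's source address."""
    packets = list(parse_capture(text))
    window = timedelta(milliseconds=window_ms)
    findings = []
    for ts, src, dst, info in packets:
        # A trigger is any packet arriving from outside, aimed at an inside host.
        if src in internal_net or dst not in internal_net:
            continue
        replies = sorted(
            (t, s) for t, s, d, i in packets
            if "ICMP time exceeded" in i
            and s in internal_net and d == src
            and ts <= t <= ts + window
        )
        routers = {s for _, s in replies}
        if len(routers) < min_routers:
            continue
        span_us = (replies[-1][0] - replies[0][0]) // timedelta(microseconds=1)
        findings.append({
            "trigger_time": ts.strftime("%H:%M:%S.%f"),
            "trigger": info,
            "external_host": str(src),
            "messages": len(replies),
            "routers": sorted(str(r) for r in routers),
            "span_ms": span_us / 1000,
        })
    return findings


if __name__ == "__main__":
    for finding in find_ttl_exceeded_bursts(SAMPLE_CAPTURE):
        print(finding)
```

On the constructed capture this reports a single burst: the echo request from 203.0.113.5 is followed within half a millisecond by six time-exceeded messages from four internal routers, while the SYN from 198.51.100.9 and the stray time-exceeded message 1.5 seconds later are not flagged. On a real trace the `trigger` field is what to look at next, since it shows which inbound packet type precedes each burst; the quadratic scan is fine for a few thousand lines but should be replaced by a time-indexed structure for a full capture.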