Security Basics mailing list archives

TCP reset DoS with multicast MAC.


From: omarg <elohssa () inwind it>
Date: Wed, 08 Oct 2003 11:37:39 +0200

Hi everyone,

I have with me an Ethereal capture of a TCP reset DoS attack.

I've searched the Internet to find any info, but I found nothing.

Practically, we get a huge amount of TCP reset packets, about 4100 packets per second, from source port 135 to destination port 2154. All these packets are coming from the same source IP address to the same destination IP address.

The strange thing is, these are unicast packets, but the destination MAC address is a multicast MAC address (01:00:5e:1e:79:01). Maybe they crafted the packets with a multicast destination MAC address to flood dumb switches...

Here is the Ethereal printout of one packet (I've censored the unicast IP addresses):

Frame 4100 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Oct  8, 2003 01:11:10.525578000
    Time delta from previous packet: 0.001021000 seconds
    Time relative to first packet: 1.000548000 seconds
    Frame Number: 4100
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: 00:10:b5:9b:e3:97, Dst: 01:00:5e:1e:79:01
    Destination: 01:00:5e:1e:79:01 (01:00:5e:1e:79:01)
    Source: 00:10:b5:9b:e3:97 (AcctonTe_9b:e3:97)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src Addr: AAA.BBB.121.89 (AAA.BBB.121.89), Dst Addr: AAA.BBB.123.164 (AAA.BBB.123.164)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x01)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x487a (18554)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 43
    Protocol: TCP (0x06)
    Header checksum: 0xd21c (correct)
    Source: AAA.BBB.121.89 (AAA.BBB.121.89)
    Destination: AAA.BBB.123.164 (AAA.BBB.123.164)
Transmission Control Protocol, Src Port: epmap (135), Dst Port: 2154 (2154), Seq: 0, Ack: 0, Len: 0
    Source port: epmap (135)
    Destination port: 2154 (2154)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0004 (RST)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x31b6 (correct)

Do you know the specific name of this attack?

Any idea will be greatly appreciated.

Thanks

ciao
omarg
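The two things the post observes, a multicast destination MAC carrying a unicast IP packet and a sustained stream of bare RSTs on one flow, are both mechanically checkable from raw frames. The following is an added example, not code from the original post or from Ethereal: it rebuilds a frame of the shape printed above (MACs, ports, TTL and IP ID as shown; the censored addresses are replaced with RFC 5737 documentation addresses, so the computed checksums will not match the printout's 0xd21c/0x31b6), decodes it, flags the layer-2/layer-3 mismatch using the RFC 1112 IPv4-multicast-to-MAC mapping, and counts RSTs per flow per second. The 1000 RST/s alert threshold and the sample burst are constructed assumptions.

```python
"""Detect TCP RST floods that hide behind an IPv4-multicast destination MAC."""
import struct
from collections import defaultdict


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 when run over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_rst_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, ttl=43, ip_id=0x487A) -> bytes:
    """60-byte Ethernet/IPv4/TCP frame carrying a bare RST (seq 0, ack 0, window 0).
    Checksums are computed here rather than copied from the capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x04, 0, 0, 0)
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ip_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip + tcp
    return frame.ljust(60, b"\x00")  # zero trailer, as in the captured 60-byte frame


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet, IPv4 and TCP fields this detector needs."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ttl, proto = struct.unpack("!H", ip[2:4])[0], ip[8], ip[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[0:12])
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": ip_str(ip[12:16]), "dst_ip": ip_str(ip[16:20]), "ttl": ttl,
        "ip_cksum_ok": ip_checksum(ip[:ihl]) == 0,
        "tcp_cksum_ok": ip_checksum(pseudo + tcp) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": tcp[13], "rst": bool(tcp[13] & 0x04),
        "window": struct.unpack("!H", tcp[14:16])[0],
    }


def is_multicast_mac(mac: str) -> bool:
    """Group bit = least-significant bit of the first octet (01:..., 33:33:..., ff:...)."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def ipv4_group_to_mac(group_ip: str) -> str:
    """RFC 1112: 01:00:5e followed by the low 23 bits of the IPv4 multicast group."""
    b = ip_bytes(group_ip)
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def anomalies(pkt: dict) -> list:
    """Layer-2/layer-3 inconsistencies worth alerting on."""
    out = []
    dst_ip_is_mcast = 224 <= int(pkt["dst_ip"].split(".")[0]) <= 239
    if is_multicast_mac(pkt["dst_mac"]) and not dst_ip_is_mcast:
        out.append("multicast destination MAC carrying a unicast IP destination")
    if dst_ip_is_mcast and pkt["dst_mac"] != ipv4_group_to_mac(pkt["dst_ip"]):
        out.append("IPv4 multicast group does not map to the destination MAC")
    if pkt["rst"] and not (pkt["flags"] & 0x10) and pkt["seq"] == 0 and pkt["window"] == 0:
        out.append("bare RST: no ACK flag, sequence 0, window 0")
    return out


def rst_flood_flows(events, threshold=1000) -> dict:
    """events: iterable of (timestamp_seconds, frame_bytes). Returns
    {(src_ip, dst_ip, sport, dport): peak RSTs in any one-second bucket} above threshold."""
    buckets = defaultdict(int)
    for ts, frame in events:
        pkt = parse_frame(frame)
        if pkt["rst"]:
            buckets[((pkt["src_ip"], pkt["dst_ip"], pkt["sport"], pkt["dport"]), int(ts))] += 1
    peaks = {}
    for (key, _), n in buckets.items():
        if n > threshold:
            peaks[key] = max(n, peaks.get(key, 0))
    return peaks


# Constructed sample modelled on the post's packet (addresses are RFC 5737 stand-ins).
SAMPLE_FRAME = build_rst_frame("01:00:5e:1e:79:01", "00:10:b5:9b:e3:97",
                               "192.0.2.89", "192.0.2.164", 135, 2154)


def sample_events(count=4100):
    """Constructed burst: `count` identical RSTs spread evenly over one second."""
    return [(i / count, SAMPLE_FRAME) for i in range(count)]


if __name__ == "__main__":
    pkt = parse_frame(SAMPLE_FRAME)
    print(pkt)
    for a in anomalies(pkt):
        print("ANOMALY:", a)
    print(rst_flood_flows(sample_events()))
```

Note that 01:00:5e:1e:79:01 is the MAC that 224.30.121.1 (or any group whose low 23 bits are 0x1e7901, e.g. 239.158.121.1) would legitimately map to; a frame with that MAC but a unicast IP destination is never produced by a normal stack, which makes the MAC mismatch a much cheaper and more reliable indicator than the RST rate alone.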

