Security Basics mailing list archives

RE: TCP reset DoS with multicast MAC.


From: "Dave Gilmore (Intrusense)" <dgilmore () intrusense com>
Date: Wed, 8 Oct 2003 12:14:27 -0400

Hello Omarg,

Unless the packets you're capturing originated on the same subnet you're
capturing data on, the MAC address you're seeing is being assigned by
the routing device the packet is traversing to enter that network. 

You cannot craft a packet with a custom source and destination Ethernet
and expect it to remain the same when it reaches the destination unless
the destination is on the same subnet as the source. If not, source and
destination addresses in the Ethernet header are changed with each
router (HOP) it traverses along the path to its destination. 

Dave Gilmore
Intrusense LLC.
http://www.intrusense.com

--
Intrusense - Securing Business As Usual



-----Original Message-----
From: omarg [mailto:elohssa () inwind it] 
Sent: Wednesday, October 08, 2003 5:38 AM
To: security-basics () securityfocus com
Subject: TCP reset DoS with multicast MAC.


Hi everyone,

I have with me an ethereal capture of a TCP reset DoS attack.

I've searched the Internet to find any info, but I found nothing.

Practically we get a huge amount of TCP reset packets, about 4100 packets
per second, from port 135 to dest port 2154 from the same. All these
packets are coming from the same src IP addr to the same dest IP addr.

The strange thing is, these are unicast packets but the destination MAC
address is a multicast MAC address (01:00:5e:1e:79:01). Maybe they
crafted the packet by using a multicast MAC address as destination MAC
address to flood dumb switches...

Here is the ethereal printout of a packet (I've censored the unicast IP addr):

Frame 4100 (60 bytes on wire, 60 bytes captured)
     Arrival Time: Oct  8, 2003 01:11:10.525578000
     Time delta from previous packet: 0.001021000 seconds
     Time relative to first packet: 1.000548000 seconds
     Frame Number: 4100
     Packet Length: 60 bytes
     Capture Length: 60 bytes
Ethernet II, Src: 00:10:b5:9b:e3:97, Dst: 01:00:5e:1e:79:01
     Destination: 01:00:5e:1e:79:01 (01:00:5e:1e:79:01)
     Source: 00:10:b5:9b:e3:97 (AcctonTe_9b:e3:97)
     Type: IP (0x0800)
     Trailer: 000000000000
Internet Protocol, Src Addr: AAA.BBB.121.89 (AAA.BBB.121.89), Dst Addr: AAA.BBB.123.164 (AAA.BBB.123.164)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x01)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 40
     Identification: 0x487a (18554)
     Flags: 0x00
         .0.. = Don't fragment: Not set
         ..0. = More fragments: Not set
     Fragment offset: 0
     Time to live: 43
     Protocol: TCP (0x06)
     Header checksum: 0xd21c (correct)
     Source: AAA.BBB.121.89 (AAA.BBB.121.89)
     Destination: AAA.BBB.123.164 (AAA.BBB.123.164)
Transmission Control Protocol, Src Port: epmap (135), Dst Port: 2154 (2154), Seq: 0, Ack: 0, Len: 0
     Source port: epmap (135)
     Destination port: 2154 (2154)
     Sequence number: 0
     Header length: 20 bytes
     Flags: 0x0004 (RST)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...0 .... = Acknowledgment: Not set
         .... 0... = Push: Not set
         .... .1.. = Reset: Set
         .... ..0. = Syn: Not set
         .... ...0 = Fin: Not set
     Window size: 0
     Checksum: 0x31b6 (correct)

Do you know what is the specific name of this attack?

Any idea will be greatly appreciated.

Thanks

ciao
omarg
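The two anomalies omarg describes (a unicast IP destination carried in an IPv4-multicast MAC frame, and thousands of bare RSTs per second with sequence 0 and window 0) can be checked mechanically from the raw frame bytes. The script below is an added example and is not part of either post: it rebuilds a 60-byte frame with the header values from the printout (the censored AAA.BBB.x.y addresses are replaced by constructed 10.0.x.y placeholders), parses it, applies the two checks, and counts RSTs per source/destination pair per second. The RFC 1112 mapping helper shows which multicast groups the MAC 01:00:5e:1e:79:01 would legitimately carry (224.30.121.1 and the other 31 groups sharing its low 23 bits); a unicast destination is never one of them. The threshold of 1000 RST/s is an assumed value for illustration.

```python
import struct
from collections import Counter

ETH_HLEN = 14
RST, ACK = 0x04, 0x10
MIN_FRAME = 60  # minimum Ethernet frame; short packets are zero-padded (the "Trailer" in the capture)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags,
                seq=0, ack=0, win=0, ident=0x487A, ttl=43):
    """Constructed Ethernet/IPv4/TCP frame for testing; checksums are left zero (not verified here)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0,
                     ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    frame = eth + ip + tcp
    return frame + b"\x00" * max(0, MIN_FRAME - len(frame))


def parse_frame(frame):
    """Return the header fields of an IPv4/TCP frame as a dict, or None for anything else."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    total_len, ident, ttl, proto, src_ip, dst_ip = struct.unpack(
        "!2xHH2xBB2x4s4s", frame[ETH_HLEN:ETH_HLEN + 20])
    if proto != 6:
        return None
    tcp = frame[ETH_HLEN + ihl:ETH_HLEN + total_len]  # IP total length excludes the Ethernet pad
    sport, dport, seq, ack, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    return {"dst_mac": dst_mac, "src_mac": src_mac, "src_ip": src_ip, "dst_ip": dst_ip,
            "ttl": ttl, "ident": ident, "sport": sport, "dport": dport, "seq": seq,
            "ack": ack, "flags": flags, "win": win,
            "payload_len": len(tcp) - (off >> 4) * 4}


def is_multicast_mac(mac):
    # I/G bit: lowest bit of the first octet set marks a group (multicast/broadcast) address
    return bool(mac[0] & 0x01)


def is_multicast_ip(ip):
    return 224 <= ip[0] <= 239  # 224.0.0.0/4


def ipv4_multicast_mac(group):
    # RFC 1112: 01:00:5e + low 23 bits of the IPv4 group address
    return b"\x01\x00\x5e" + bytes([group[1] & 0x7F, group[2], group[3]])


def anomalies(pkt):
    found = []
    if is_multicast_mac(pkt["dst_mac"]) and not is_multicast_ip(pkt["dst_ip"]):
        found.append(f"unicast IP {ip_str(pkt['dst_ip'])} carried in multicast MAC "
                     f"{mac_str(pkt['dst_mac'])}")
    if pkt["flags"] & RST and not pkt["flags"] & ACK and pkt["seq"] == 0 and pkt["win"] == 0:
        found.append("bare RST with seq=0, win=0: not a reply to any segment of a real connection")
    return found


def rst_floods(packets, threshold=1000):
    """packets: iterable of (timestamp_seconds, parsed_frame). Returns per-second RST counts
    per (src, dst) pair that reach the threshold (assumed value, tune to the link)."""
    buckets = Counter()
    for ts, pkt in packets:
        if pkt and pkt["flags"] & RST:
            buckets[(ip_str(pkt["src_ip"]), ip_str(pkt["dst_ip"]), int(ts))] += 1
    return {k: v for k, v in buckets.items() if v >= threshold}


# Constructed sample reproducing the posted packet; 10.0.x.y stands in for the censored AAA.BBB.x.y
SAMPLE = build_frame("01:00:5e:1e:79:01", "00:10:b5:9b:e3:97",
                     "10.0.121.89", "10.0.123.164", 135, 2154, RST)


def demo():
    pkt = parse_frame(SAMPLE)
    stream = [(i / 4100, pkt) for i in range(4100)]  # 4100 identical RSTs within one second
    return anomalies(pkt), rst_floods(stream)


if __name__ == "__main__":
    found, floods = demo()
    for a in found:
        print("anomaly:", a)
    for (src, dst, sec), n in floods.items():
        print(f"RST flood: {src} -> {dst} at t={sec}s: {n} pkt/s")
```

Run on a real capture, the same checks would be fed from a pcap reader instead of `SAMPLE`; the multicast-MAC check is only meaningful on the segment where the frame was captured, since (as Dave notes) the Ethernet header is rewritten at every router hop.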

