Security Basics mailing list archives
RE: TCP reset DoS with multicast MAC.
From: "Dave Gilmore (Intrusense)" <dgilmore () intrusense com>
Date: Wed, 8 Oct 2003 12:14:27 -0400
Hello Omarg,

Unless the packets you're capturing originated on the same subnet you're capturing data on, the MAC address you're seeing is being assigned by the routing device the packet is traversing to enter that network. You cannot craft a packet with a custom source and destination Ethernet and expect it to remain the same when it reaches the destination unless the destination is on the same subnet as the source. If not, source and destination addresses in the Ethernet header are changed with each router (hop) it traverses along the path to its destination.

Dave Gilmore
Intrusense LLC.
http://www.intrusense.com
--
Intrusense - Securing Business As Usual

-----Original Message-----
From: omarg [mailto:elohssa () inwind it]
Sent: Wednesday, October 08, 2003 5:38 AM
To: security-basics () securityfocus com
Subject: TCP reset DoS with multicast MAC.

Hi everyone,

I have with me an ethereal capture of a TCP reset DoS attack. I've searched the Internet to find any info, but I found nothing. Practically we get a huge amount of TCP reset packets, about 4100 packets per second, from port 135 to dest port 2154 from the same. All these packets are coming from the same src IP addr to the same dest IP addr. The strange thing is, these are unicast packets but the destination MAC address is a multicast MAC address (01:00:5e:1e:79:01). Maybe they crafted the packet using a multicast MAC address as the destination MAC address to flood dumb switches...

Here is the ethereal printout of a packet (I've censored the unicast IP addr):

Frame 4100 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Oct 8, 2003 01:11:10.525578000
    Time delta from previous packet: 0.001021000 seconds
    Time relative to first packet: 1.000548000 seconds
    Frame Number: 4100
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: 00:10:b5:9b:e3:97, Dst: 01:00:5e:1e:79:01
    Destination: 01:00:5e:1e:79:01 (01:00:5e:1e:79:01)
    Source: 00:10:b5:9b:e3:97 (AcctonTe_9b:e3:97)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src Addr: AAA.BBB.121.89 (AAA.BBB.121.89), Dst Addr: AAA.BBB.123.164 (AAA.BBB.123.164)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x01)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x487a (18554)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 43
    Protocol: TCP (0x06)
    Header checksum: 0xd21c (correct)
    Source: AAA.BBB.121.89 (AAA.BBB.121.89)
    Destination: AAA.BBB.123.164 (AAA.BBB.123.164)
Transmission Control Protocol, Src Port: epmap (135), Dst Port: 2154 (2154), Seq: 0, Ack: 0, Len: 0
    Source port: epmap (135)
    Destination port: 2154 (2154)
    Sequence number: 0
    Header length: 20 bytes
    Flags: 0x0004 (RST)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x31b6 (correct)

Do you know the specific name of this attack? Any idea will be greatly appreciated.

Thanks
ciao
omarg
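The two observations in this thread (a unicast IPv4 destination carried in a frame addressed to the group MAC 01:00:5e:1e:79:01, and roughly 4100 RST segments per second from one source/port pair) are both things a capture analyser can flag mechanically. The following is an added example, not code from either poster: it parses raw Ethernet II/IPv4/TCP frames, checks the I/G bit of the destination MAC against the IP destination, and counts RST segments per 4-tuple. The source and destination IPs are constructed TEST-NET addresses (the post censors the real ones); the victim and neighbour MACs and the capture timestamps are also constructed. The MAC 01:00:5e:1e:79:01 is what RFC 1112 maps an IPv4 group whose low 23 bits are 0x1e7901 (for instance 239.30.121.1) onto, which is why the check below treats it as a group address and compares it against the unicast IP destination.

```python
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
BROADCAST_MAC = b"\xff" * 6


def parse_frame(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4/TCP; return the fields the
    checks below need, or None for anything else. Checksums are not verified."""
    if len(frame) < 14 + 20 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"dst_mac": dst_mac, "src_mac": src_mac, "src_ip": ip[12:16],
            "dst_ip": ip[16:20], "sport": sport, "dport": dport,
            "flags": off_flags & 0x01FF}  # low 9 bits: NS + the 8 classic flags


def is_multicast_mac(mac: bytes) -> bool:
    """I/G bit: least significant bit of the first octet set = group address."""
    return bool(mac[0] & 0x01)


def is_multicast_ipv4(ip: bytes) -> bool:
    return 224 <= ip[0] <= 239


def ipv4_group_to_mac(ip: bytes) -> bytes:
    """RFC 1112: low 23 bits of the group address under the 01:00:5e prefix."""
    return bytes([0x01, 0x00, 0x5E, ip[1] & 0x7F, ip[2], ip[3]])


def ip_str(ip: bytes) -> str:
    return ".".join(str(b) for b in ip)


def analyze(capture, rst_rate_threshold=1000.0):
    """capture: iterable of (timestamp_seconds, raw_frame).
    Flags (a) frames whose IP destination is unicast but whose Ethernet
    destination is a group address (broadcast excluded), and (b) RST segments
    per (src, sport, dst, dport) arriving faster than rst_rate_threshold/s."""
    total = l2_l3_mismatch = 0
    rst_count, first_ts, last_ts = Counter(), {}, {}
    for ts, raw in capture:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        total += 1
        if (is_multicast_mac(pkt["dst_mac"]) and pkt["dst_mac"] != BROADCAST_MAC
                and not is_multicast_ipv4(pkt["dst_ip"])):
            l2_l3_mismatch += 1
        if pkt["flags"] & TCP_FLAG_RST:
            key = (ip_str(pkt["src_ip"]), pkt["sport"], ip_str(pkt["dst_ip"]), pkt["dport"])
            rst_count[key] += 1
            first_ts.setdefault(key, ts)
            last_ts[key] = ts
    floods = []
    for key, n in rst_count.items():
        rate = n / max(last_ts[key] - first_ts[key], 1.0)  # bursts under 1 s count as per-second
        if rate > rst_rate_threshold:
            floods.append((key, n, rate))
    return {"frames": total, "l2_l3_mismatch": l2_l3_mismatch, "rst_floods": floods}


def build_tcp_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, flags, ttl=64):
    """Constructed minimal frame: IP/TCP checksums left at zero, padded to 60 bytes."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x487A, 0,
                         ttl, IPPROTO_TCP, 0, src_ip, dst_ip)
    frame = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp
    return frame + b"\x00" * max(0, 60 - len(frame))


# Values from the post where it gives them; IPs and the other MACs are constructed.
ATTACKER_MAC = bytes.fromhex("0010b59be397")
GROUP_MAC = bytes.fromhex("01005e1e7901")
VICTIM_MAC = bytes.fromhex("020000000001")     # constructed
NEIGHBOUR_MAC = bytes.fromhex("020000000002")  # constructed
SRC_IP, DST_IP, NEIGHBOUR_IP = bytes([192, 0, 2, 89]), bytes([192, 0, 2, 164]), bytes([192, 0, 2, 10])


def sample_capture():
    """4100 RSTs in one second to the group MAC, plus three ordinary SYNs for contrast."""
    frames = [(i / 4100.0, build_tcp_frame(GROUP_MAC, ATTACKER_MAC, SRC_IP, DST_IP,
                                           135, 2154, TCP_FLAG_RST, ttl=43)) for i in range(4100)]
    frames += [(1.5 + i, build_tcp_frame(VICTIM_MAC, NEIGHBOUR_MAC, NEIGHBOUR_IP, DST_IP,
                                         40000 + i, 80, TCP_FLAG_SYN)) for i in range(3)]
    return frames


if __name__ == "__main__":
    print(analyze(sample_capture()))
```

On a real capture the same two checks apply to frames read from a pcap file; the point of the layer-2/layer-3 comparison is that, whatever a forwarding device did to the MAC header on the way in, a unicast IPv4 destination should never arrive inside a group-addressed frame on the receiving segment, so the mismatch is a useful signal independent of the RST rate.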