Security Incidents mailing list archives
typical DOS or something more sinister?
From: joe () ITS UNIMELB EDU AU (Joe H)
Date: Wed, 22 Mar 2000 08:48:13 +1000
check out these flows (a few of millions!):

-source-        -dest-         -sport-  -dport-  -protocol-
212.187.65.86   203.5.67.63    7744     7        17
212.187.65.86   205.5.66.128   6537     7        17
212.187.65.86   205.5.66.63    29432    7        17
212.187.65.86   205.5.66.128   15793    7        17
212.187.65.86   205.5.66.191   17367    7        17
212.187.65.86   205.5.67.63    29210    7        17
212.187.65.86   205.5.67.127   351      7        17
212.187.65.86   205.5.66.127   17330    7        17

There are a few things to note:
1. All are aimed at strategic points in the network (eg., broadcast addresses)
2. They are all aimed at port 7 (echo)
3. All are of proto type 17 (udp)

This looks like a typical DOS. The dest. addr is spoofed and this has been happening almost every day for the last week from different remote ip addresses (except that this is the first time the ip is spoofed). At one stage two dest hosts were simultaneously doing the same as above to the same network.

Q's
1. Why all of a sudden are ip's from all over the world targeting _only_ this particular network? (we have about two hundred others)
2. Why is it all port 7 only?

One ip range came from domain chello.nl and filtered off. Another came from a different range but again the same top end domain chello.nl

Is it possible that we are being used as a magnifier to launch a larger attack (DDOS maybe) on another host/network?

Thanx
/joe/

PS Do you need to allow port 7 (echo) traffic from outside your internal networks (ie., from internet) eg., for ping?
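A defender-side way to pull the three properties listed above (broadcast destination, UDP, dport 7) out of a larger flow export and count them per source, added here as example code and not something posted in the thread. The /26 subnet layout, the local /24 ranges and the sample records are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample flows in the post's column order: src dst sport dport proto
# (17 = UDP). Five mirror the described pattern; the last two must not be flagged.
SAMPLE_FLOWS = """\
212.187.65.86 203.5.67.63 7744 7 17
212.187.65.86 205.5.66.128 6537 7 17
212.187.65.86 205.5.66.63 29432 7 17
212.187.65.86 205.5.66.191 17367 7 17
212.187.65.86 205.5.67.127 351 7 17
10.0.0.5 205.5.66.10 4000 53 17
10.0.0.6 205.5.66.11 5000 7 6
"""
# Assumption (not in the post): the target /24s are carved into /26 subnets, so
# .63/.127/.191/.255 are broadcast and .0/.64/.128/.192 are network addresses.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("203.5.67.0/24", "205.5.66.0/24", "205.5.67.0/24")]
SUBNET_PREFIX, UDP, ECHO_PORT = 26, 17, 7

def parse_flows(text):
    """Parse whitespace-separated flow lines; skip blank or header lines."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 5 or not p[4].isdigit():
            continue
        flows.append({"src": p[0], "dst": p[1], "sport": int(p[2]),
                      "dport": int(p[3]), "proto": int(p[4])})
    return flows

def is_broadcast_target(ip):
    """True if ip is the network or broadcast address of an assumed /26 subnet."""
    addr = ipaddress.ip_address(ip)
    for net in LOCAL_NETS:
        if addr in net:
            for sub in net.subnets(new_prefix=SUBNET_PREFIX):
                if addr in (sub.network_address, sub.broadcast_address):
                    return True
    return False

def echo_amplifier_sources(text):
    """Per-source count of UDP echo flows aimed at broadcast addresses. Because the
    source is spoofed, each key is the probable victim of the amplified replies."""
    hits = Counter()
    for f in parse_flows(text):
        if f["proto"] == UDP and f["dport"] == ECHO_PORT and is_broadcast_target(f["dst"]):
            hits[f["src"]] += 1
    return dict(hits)
```

A non-zero result for a source that is not a local address is the signature of the network being used as a reflector, which is exactly the "magnifier" scenario the post asks about.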