Security Incidents mailing list archives
Re: DDOS ?
From: M ixter <mixter () 2XS CO IL>
Date: Mon, 13 Nov 2000 14:54:56 +0200
Hi... this looks like the old, "traditional" UDP echo flood. Someone must be really bored.

Note that all packets have source port 7. Most of the hosts in your log still run the echo service on that port. Anything that's sent to port 7/echo is sent back to the (supposed) originator. UDP/echo can easily be spoofed. Similar to the udp option in "papasmurf", the attacker sends a packet with: src: yourip dst: echoserver port 7, and the echoserver replies to you. Of course you have to scan for systems with echo ports open before you can launch this attack.

It's a variant of udp-based smurf, but in udp smurf (using random ports) the host just sends back the icmp/3 message for "connection refused on this port", while in a spoofed echo flood the attacker can choose the size of the data packet.

On Fri, 10 Nov 2000, [ K o S a K ] wrote:
Hi,

Last night, I have been under a UDP Flood attack during 1 hour. I couldn't access the internet when I was under attack. My little firewall ( conseal on win98 ) has generated 6Mo of log file. There were at least 30 different IP sources. ( perhaps spoofed packet ) First I thought about a broadcast attack, but the attack is with UDP proto, so perhaps a DDOS...

Can someone tell me more about DDOS or tools that can make such a UDP flood?

Here is a sample of the attack :

2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=208.220.149.154, dst=213.245.XXX.XXX, sport=7, dport=30270.
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=208.220.149.154, dst=213.245.XXX.XXX, sport=7, dport=57494.
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=216.166.17.71, dst=213.245.XXX.XXX, sport=7, dport=793.
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=168.223.90.6, dst=213.245.XXX.XXX, sport=7, dport=7050.
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=168.223.26.180, dst=213.245.XXX.XXX, sport=7, dport=7050.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=208.220.149.154, dst=213.245.XXX.XXX, sport=7, dport=58512.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=202.103.11.44, dst=213.245.XXX.XXX, sport=7, dport=19090.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=206.171.190.83, dst=213.245.XXX.XXX, sport=7, dport=7244.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=208.220.149.154, dst=213.245.XXX.XXX, sport=7, dport=58512.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.89.154.209, dst=213.245.XXX.XXX, sport=7, dport=53695.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.89.154.209, dst=213.245.XXX.XXX, sport=7, dport=53695.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=216.166.17.71, dst=213.245.XXX.XXX, sport=7, dport=60931.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.254.39.132, dst=213.245.XXX.XXX, sport=7, dport=14876.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=208.220.149.154, dst=213.245.XXX.XXX, sport=7, dport=58512.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=210.228.2.6, dst=213.245.XXX.XXX, sport=7, dport=9150.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=206.171.190.83, dst=213.245.XXX.XXX, sport=7, dport=17074.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=210.228.2.6, dst=213.245.XXX.XXX, sport=7, dport=9150.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=210.251.128.126, dst=213.245.XXX.XXX, sport=7, dport=6547.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.89.154.209, dst=213.245.XXX.XXX sport=7, dport=53695.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=206.171.190.83, dst=213.245.XXX.XXX, sport=7, dport=17074.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.71.3.97, dst=213.245.XXX.XXX, sport=7, dport=46310.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=0.0.0.0, dst=213.245.XXX.XXX, sport=7, dport=5275.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=207.98.146.178, dst=213.245.XXX.XXX, sport=7, dport=14876.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=205.210.84.1, dst=213.245.XXX.XXX, sport=7, dport=40935.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=206.171.190.83, dst=213.245.XXX.XXX, sport=7, dport=7244.
.....
.....

Thanks for your help.
KoSaK
---------------------------------------------------------------------
Mixter <mixter () 2xs co il>, Senior Security Engineer, 2XS LTD.
http://www.2xss.com - Taking full disclosure security to a new level.
---------------------------------------------------------------------
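Added example, not part of either post and not code from any tool named in the thread: a small Python triage script for a firewall log in the Conseal format quoted above. It counts blocked UDP packets with source port 7, lists the distinct senders as candidate echo reflectors, and sets aside unusable source addresses such as 0.0.0.0. The sample lines are constructed with documentation addresses, and the `analyze` name and its thresholds are assumptions.

```python
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?Blocking incoming UDP: "
    r"src=(?P<src>[\d.]+), dst=(?P<dst>[\dX.]+),? sport=(?P<sport>\d+), dport=(?P<dport>\d+)"
)
ECHO_PORT = 7  # UDP echo: the service returns whatever payload it receives

# Constructed sample (RFC 5737 documentation addresses), not the poster's log.
SAMPLE_LOG = """\
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=192.0.2.10, dst=203.0.113.5, sport=7, dport=30270.
2000/11/10 00:42:28 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=198.51.100.7, dst=203.0.113.5, sport=7, dport=793.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=192.0.2.10, dst=203.0.113.5, sport=7, dport=58512.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=198.51.100.44, dst=203.0.113.5 sport=7, dport=53695.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=0.0.0.0, dst=203.0.113.5, sport=7, dport=5275.
2000/11/10 00:42:29 GMT +0100: Carte D-Link DE22..[0001][No matching rule] Blocking incoming UDP: src=192.0.2.99, dst=203.0.113.5, sport=53, dport=1044.
"""


def analyze(log_text, min_reflectors=3, min_share=0.8):
    """Summarise blocked UDP and decide whether it looks like an echo reflection flood."""
    sources, per_second, bogus, total = Counter(), Counter(), set(), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # tolerates the missing comma after dst=
        if not m:
            continue
        total += 1
        if int(m["sport"]) != ECHO_PORT:
            continue  # unrelated UDP traffic
        per_second[m["ts"]] += 1
        try:
            usable = not ipaddress.ip_address(m["src"]).is_unspecified
        except ValueError:
            usable = False
        if usable:
            sources[m["src"]] += 1
        else:
            bogus.add(m["src"])  # e.g. 0.0.0.0: cannot be a real echo server
    echo = sum(per_second.values())
    return {
        "total": total,
        "echo_replies": echo,
        "reflectors": sources,  # hosts whose admins should disable UDP echo
        "bogus_sources": bogus,
        "peak_per_second": max(per_second.values(), default=0),
        "echo_flood": total > 0 and echo / total >= min_share and len(sources) >= min_reflectors,
    }
```

The `reflectors` counter is the list to pass to an upstream provider or to the administrators of the echo servers, since the packets' real originator does not appear in the victim's log.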