Security Incidents mailing list archives
Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?)
From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Thu, 15 Feb 2001 12:56:10 -0800
Rod Longanilla writes:

> I'm still watching and recording the alerts until it can be absolutely proven these particular alerts are just false positives. So if anyone has further information what can possibly be generating these, please post/reply.

I've also seen lots of these in the past 200 Ksec or so, and all of them appear to be Napster-related. A couple of features:

- Only one network that I'm currently watching has Napster lusers. It is the only network seeing the ICMP traffic in question.

- All of the ICMP traffic is directed at a single IP address: the address of the NAT device behind which all of the Napster lusers live. If this was some evildoer looking for compromised machines, I'd expect to see multiple IP addresses. Since none of the ICMP traffic is reaching any desktop machines, it cannot be communication between an evildoer and a compromised box or boxen[0].

- There appears to be a strong correlation between the ICMP traffic and Napster sessions. I've spot checked maybe a dozen of the couple thousand `hits' I've gotten recently, and it appears that in all of them the offending ICMP packet is part of the normal Napster client session setup.

Interestingly, not all Napster clients appear to exhibit this behaviour (for example, I've never seen any of the internal Napster clients sending this sort of traffic). Anyone know exactly which client sends these distinctive ICMP packets?

My analyst spidey sense tingles whenever I see something like this---namely distinctive behaviour in a client mirroring conventions first seen in script kiddie tools. And this is exacerbated by the fact that I've seen a bunch of bogus traffic[1] inserted into the middle of otherwise innocuous Napster sessions. I haven't seen any overt nastiness directly correlated to any of this ICMP traffic, but I'd still be quite interested to see some sort of definitive[2] statement about what's causing it.

-Steve

-----
0 Mod the NAT device being compromised, and my audit trails say it isn't.
1 Laundry lists of TCP and IP flags set individually and in combination---i.e., stuff that looks like an OS detection scan. Not coming from demon.co.uk.
2 Read: Independently verifiable and reproducible.
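Added example, not code from the thread or from any of its posters: a small triage script that applies the two checks Steve describes (are the ICMP alerts all aimed at one destination, and is each alert preceded by a Napster session from the same remote host) to constructed IDS alert and NAT session log lines. The log formats, the Napster server ports and the 10-second correlation window are assumptions; any alert that is not explained by a preceding Napster session is reported for a closer look.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample IDS alerts (not real data): "time src dst".
# 192.0.2.1 plays the role of the NAT device's external address.
ALERT_LINES = """\
2001-02-15T10:00:05 64.124.41.16 192.0.2.1
2001-02-15T10:07:12 64.124.41.25 192.0.2.1
2001-02-15T10:15:40 64.124.41.16 192.0.2.1
2001-02-15T11:02:03 198.51.100.7 192.0.2.1""".splitlines()

# Constructed NAT session log: "time remote_ip remote_port proto".
SESSION_LINES = """\
2001-02-15T10:00:02 64.124.41.16 8888 tcp
2001-02-15T10:07:10 64.124.41.25 8888 tcp
2001-02-15T10:15:38 64.124.41.16 8888 tcp
2001-02-15T11:01:50 198.51.100.7 25 tcp""".splitlines()

NAPSTER_PORTS = {8888, 7777}   # assumption: Napster server ports of the era
WINDOW = timedelta(seconds=10)  # assumption: alert must follow session start this closely

def parse(lines):
    """Split whitespace-separated log lines into (datetime, field, ...) tuples."""
    rows = []
    for line in lines:
        fields = line.split()
        rows.append((datetime.fromisoformat(fields[0]), *fields[1:]))
    return rows

def destinations(alerts):
    """Count distinct alert targets: one target points at the NAT box, not a sweep."""
    return Counter(dst for _, _, dst in alerts)

def correlate(alerts, sessions):
    """Pair each alert with a Napster session from the same remote host that
    began just before it (within WINDOW), or with None if there is no such session."""
    out = []
    for t, src, dst in alerts:
        match = None
        for st, rip, rport, _proto in sessions:
            if rip == src and int(rport) in NAPSTER_PORTS and st <= t <= st + WINDOW:
                match = (st, rip, rport)
                break
        out.append(((t, src, dst), match))
    return out

def triage(alert_lines, session_lines):
    """Summarise the alerts: how many targets, and which alerts Napster does not explain."""
    alerts, sessions = parse(alert_lines), parse(session_lines)
    unexplained = [a for a, m in correlate(alerts, sessions) if m is None]
    return {"total": len(alerts), "distinct_dsts": len(destinations(alerts)),
            "unexplained": unexplained}
```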