Security Incidents mailing list archives
UDP IP Frag
From: Curley Mr Eric P <CurleyEP () NOC USMC MIL>
Date: Tue, 6 Feb 2001 08:01:18 -0500
We have been receiving fragmented IP traffic (we think) from multiple Chinese sources. According to the firewall logs, it looks like they are querying for root servers. We had thought that it could be a possible DoS attack, considering that fragmented UDP packets at such high volume could fill up the memory stack, but we are not certain of that. Could it be a possible DoS like nestea.c? Has anybody else seen this activity? Below are some logs that we have received. Any help with this would be great.

Eric

ISS Logs: Protocol comes up as UDP

EventDate    EventName  SourcePort  DestinationPort  SourceAddressName  DestinationAddressName
7:39:50 AM   IPFrag     0           0                202.108.43.152     a.b.c.d
10:27:02 AM  IPFrag     0           0                202.108.43.152     a.b.c.d
11:06:22 AM  IPFrag     0           0                202.108.43.151     a.b.c.d
11:07:40 AM  IPFrag     0           0                202.108.43.152     a.b.c.d
1:29:45 PM   IPFrag     0           0                202.108.43.152     a.b.c.d
2:01:01 PM   IPFrag     0           0                202.108.43.152     a.b.c.d
4:21:29 AM   IPFrag     0           0                61.136.61.67       a.b.c.d
4:28:19 AM   IPFrag     0           0                61.134.9.134       a.b.c.d
4:29:10 AM   IPFrag     0           0                61.155.13.3        a.b.c.d
4:36:55 AM   IPFrag     0           0                202.96.96.3        a.b.c.d
4:41:17 AM   IPFrag     0           0                202.101.43.222     a.b.c.d
4:44:40 AM   IPFrag     0           0                61.136.61.68       a.b.c.d
4:47:17 AM   IPFrag     0           0                61.136.61.67       a.b.c.d
4:53:32 AM   IPFrag     0           0                202.96.96.3        a.b.c.d
4:59:16 AM   IPFrag     0           0                61.140.75.4        a.b.c.d
5:10:30 AM   IPFrag     0           0                61.140.75.4        a.b.c.d
5:11:16 AM   IPFrag     0           0                61.134.9.134       a.b.c.d
6:29:34 AM   IPFrag     0           0                202.108.43.152     a.b.c.d
7:19:13 PM   IPFrag     0           0                202.96.96.3        a.b.c.d
7:56:08 PM   IPFrag     0           0                61.140.75.3        a.b.c.d
7:58:27 PM   IPFrag     0           0                202.101.43.222     a.b.c.d
7:59:39 PM   IPFrag     0           0                61.134.9.133       a.b.c.d
8:13:09 PM   IPFrag     0           0                61.155.13.3        a.b.c.d
8:20:03 PM   IPFrag     0           0                61.155.13.3        a.b.c.d
8:22:01 PM   IPFrag     0           0                202.101.43.222     a.b.c.d
8:29:10 PM   IPFrag     0           0                61.136.61.67       a.b.c.d
8:42:26 PM   IPFrag     0           0                202.101.43.223     a.b.c.d
8:49:18 PM   IPFrag     0           0                61.140.75.4        a.b.c.d
8:54:49 PM   IPFrag     0           0                61.136.61.68       a.b.c.d
9:12:41 PM   IPFrag     0           0                61.136.61.68       a.b.c.d
9:13:28 PM   IPFrag     0           0                61.134.9.134       a.b.c.d
9:35:09 PM   IPFrag     0           0                61.134.9.133       a.b.c.d
9:36:59 PM   IPFrag     0           0                61.134.9.134       a.b.c.d
10:36:32 PM  IPFrag     0           0                61.140.75.4        a.b.c.d
10:57:57 PM  IPFrag     0           0                202.108.43.152     a.b.c.d
11:00:27 PM  IPFrag     0           0                202.108.43.151     a.b.c.d
11:01:53 PM  IPFrag     0           0                202.101.43.223     a.b.c.d
12:02:10 PM  IPFrag     0           0                202.108.43.152     a.b.c.d

Firewall Logs

grep 61.140.75.3 messages.0
Jan 30 19:58:37 mysite named[2593]: unapproved query from [61.140.75.3].16475 for "."
Jan 30 20:01:57 mysite named[2593]: unapproved query from [61.140.75.3].16724 for "."
Jan 30 20:18:11 mysite named[2593]: unapproved query from [61.140.75.3].17837 for "."
Jan 30 22:44:46 mysite named[16204]: denied query from [61.140.75.3].35867 for "."
[gate1 /var/log]$ grep 61.134.9.133 messages.0
Jan 30 19:48:41 mysite named[2593]: unapproved query from [61.134.9.133].52749 for "."
Jan 30 20:02:08 mysite named[2593]: unapproved query from [61.134.9.133].54558 for "."
Jan 30 21:37:38 mysite named[9462]: unapproved query from [61.134.9.133].3774 for "."
Jan 30 21:43:32 mysite named[9462]: unapproved query from [61.134.9.133].4846 for "."
Jan 30 21:46:53 mysite named[9462]: unapproved query from [61.134.9.133].5555 for "."
[gate1 /var/log]$ grep 202.101.43.223 messages.0
Jan 30 20:42:15 mysite named[2593]: unapproved query from [202.101.43.223].59397 for "."
Jan 30 20:44:56 mysite named[2593]: unapproved query from [202.101.43.223].60256 for "."
Jan 30 20:46:01 mysite named[2593]: unapproved query from [202.101.43.223].60613 for "."
Jan 30 23:04:12 mysite named[16204]: denied query from [202.101.43.223].38924 for "."
[gate1 /var/log]$ grep 61.134.9.134 messages.0
Jan 30 04:30:48 mysite named[2593]: unapproved query from [61.134.9.134].6568 for "."
Jan 30 05:13:45 mysite named[2593]: unapproved query from [61.134.9.134].10427 for "."
Jan 30 21:15:57 mysite named[2593]: unapproved query from [61.134.9.134].38932 for "."
Jan 30 21:39:29 mysite named[9462]: unapproved query from [61.134.9.134].42018 for "."
Jan 30 23:20:24 mysite named[16204]: denied query from [61.134.9.134].53248 for "."
Jan 30 23:53:07 mysite named[16204]: denied query from [61.134.9.134].55227 for "."
Jan 31 00:14:26 mysite named[16204]: denied query from [61.134.9.134].56936 for "."
[gate1 /var/log]$
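The post shows two separate data sets, ISS "IPFrag" events and BIND (named) "unapproved/denied query ... for "."" syslog lines, and the poster's observation rests on the same source addresses appearing in both. The following script is an added example, not part of the original post or of any ISS or BIND tooling: it parses both formats as they appear above, counts IPFrag events and root-zone ("." ) queries per source address, and reports which sources show up in both logs, which is the check a defender would run before deciding whether the fragments and the root queries are one activity. The sample lines are a handful copied from the post; the column layout of the ISS rows and the named log format are assumed to be exactly as shown there.

```python
import re
from collections import defaultdict

# Sample ISS "IPFrag" event rows copied from the post above (destination
# address was already masked as a.b.c.d by the poster).
ISS_EVENTS = """\
EventDate EventName SourcePort DestinationPort SourceAddressName DestinationAddressName
7:56:08 PM IPFrag 0 0 61.140.75.3 a.b.c.d
7:59:39 PM IPFrag 0 0 61.134.9.133 a.b.c.d
8:42:26 PM IPFrag 0 0 202.101.43.223 a.b.c.d
9:13:28 PM IPFrag 0 0 61.134.9.134 a.b.c.d
9:36:59 PM IPFrag 0 0 61.134.9.134 a.b.c.d
4:36:55 AM IPFrag 0 0 202.96.96.3 a.b.c.d
"""

# Sample BIND (named) syslog lines copied from the post above.
NAMED_LOG = """\
Jan 30 19:58:37 mysite named[2593]: unapproved query from [61.140.75.3].16475 for "."
Jan 30 19:48:41 mysite named[2593]: unapproved query from [61.134.9.133].52749 for "."
Jan 30 20:42:15 mysite named[2593]: unapproved query from [202.101.43.223].59397 for "."
Jan 30 21:15:57 mysite named[2593]: unapproved query from [61.134.9.134].38932 for "."
Jan 30 23:20:24 mysite named[16204]: denied query from [61.134.9.134].53248 for "."
Jan 31 00:14:26 mysite named[16204]: denied query from [61.134.9.134].56936 for "."
"""

# Matches the named log format shown in the post: verdict, source address,
# source port and queried name.
NAMED_RE = re.compile(
    r'named\[\d+\]: (?P<verdict>unapproved|denied) query from '
    r'\[(?P<src>[\d.]+)\]\.(?P<sport>\d+) for "(?P<qname>[^"]*)"'
)


def parse_iss_events(text):
    """Return a list of (source_ip, event_name) from ISS rows.

    A data row has seven whitespace-separated fields (time is two tokens,
    e.g. '7:56:08 PM'); the header row has six and is skipped.
    """
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        _time, _ampm, event, _sport, _dport, src, _dst = fields
        events.append((src, event))
    return events


def parse_named_log(text):
    """Return a list of (source_ip, verdict, qname) from named syslog lines."""
    records = []
    for line in text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("verdict"), m.group("qname")))
    return records


def correlate(iss_text, named_text):
    """Per-source summary: IPFrag count, root-zone query count, denied count,
    and whether the source appears in both data sets."""
    summary = defaultdict(lambda: {"ipfrag": 0, "root_queries": 0, "denied": 0})
    for src, event in parse_iss_events(iss_text):
        if event == "IPFrag":
            summary[src]["ipfrag"] += 1
    for src, verdict, qname in parse_named_log(named_text):
        if qname == ".":
            summary[src]["root_queries"] += 1
        if verdict == "denied":
            summary[src]["denied"] += 1
    for stats in summary.values():
        stats["in_both"] = stats["ipfrag"] > 0 and stats["root_queries"] > 0
    return dict(summary)


def sources_in_both(iss_text, named_text):
    """Sorted list of source addresses seen in both the IDS and named logs."""
    return sorted(src for src, s in correlate(iss_text, named_text).items()
                  if s["in_both"])


if __name__ == "__main__":
    for src, s in sorted(correlate(ISS_EVENTS, NAMED_LOG).items()):
        print(f"{src:16} ipfrag={s['ipfrag']} root_queries={s['root_queries']} "
              f"denied={s['denied']} in_both={s['in_both']}")
```

On the sample rows, 202.96.96.3 is the one source with IPFrag events but no matching named entry, which is the kind of gap worth noting: the fragment events and the root queries are correlated by address only, so a source present in just one log cannot be explained by the other. Running the same script over the full messages.0 and the complete ISS export, rather than the grep excerpts, would show whether that gap is real or an artifact of which addresses were grepped.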