Security Incidents mailing list archives

Trying to identify UDP DOS/Flood tool


From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Fri, 11 Jan 2002 15:13:00 +0100


Recently one of our systems became the target of what I believe is some
sort of DOS attack. 2536 packets with a payload of 4064 bytes were sent
in 58 seconds, divided among nine (9) src/dst-ports.

A simple calculation shows that this generated about 1.7 Mbps, not so
much in our case but more than what I think is normal.

What disturbs me is that the packets are a little funny. The payload is
always 4064 bytes and just a loop of the same character. The src-port is
the same as the dst-port, and the UDP len is always the same value as the
port number. The UDP len thing looks more like a mistake by the coder:
instead of doing it right, it's just the same value as the port numbers.

What I am trying to figure out is what caused this traffic; does anyone
recognize the pattern?



Ports used:

12593 <-> 12953
12850 <-> 12850
13107 <-> 13107
13364 <-> 13364
13878 <-> 13878
14135 <-> 14135
14392 <-> 14392
14649 <-> 14649



Excerpt from Snort-log

IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
UDP:  port=13878 -> dport: 13878 len=13878
Payload:  length = 4064

000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
010 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
..................


#(1 - 2450) [2002-01-11 04:04:06] [arachNIDS/247]  MISC Large UDP Packet
IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
UDP:  port=14135 -> dport: 14135 len=14135
Payload:  length = 4064

000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
010 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
..................


Johan Augustsson
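A small parser and scorer for this pattern, added here as an example and not part of the post above or of Snort itself: it reads records in the Snort dump format quoted above, checks the oddities the post describes (src-port equal to dst-port, UDP len equal to the port number, a payload of one repeated byte) and adds one further observation that holds for both quoted records: the 16-bit port value is the payload's fill character repeated in both bytes ('6' is 0x36 and 0x3636 = 13878; '7' is 0x37 and 0x3737 = 14135). The sample log is constructed from the two excerpts, and the record layout is assumed to be exactly as quoted.

```python
import re
# Constructed sample modelled on the two Snort records quoted in the post
# (one hex row each; destination masked as in the original).
SAMPLE_LOG = """\
IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=9856 ID=34240 flags=0 offset=0 TTL=38 chksum=29538
UDP:  port=13878 -> dport: 13878 len=13878
Payload:  length = 4064
000 : 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36   6666666666666666
IPv4: 216.21.131.49 -> 130.241.*.*
hlen=5 TOS=0 dlen=5853 ID=34353 flags=0 offset=0 TTL=38 chksum=33428
UDP:  port=14135 -> dport: 14135 len=14135
Payload:  length = 4064
000 : 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37   7777777777777777
"""
UDP_RE = re.compile(r"UDP:\s+port=(\d+) -> dport: (\d+) len=(\d+)")
HEX_ROW_RE = re.compile(r"^[0-9A-Fa-f]{3} : (.*)$")

def parse_records(text):
    # One record per "IPv4:" line: addresses, UDP header fields, payload bytes.
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("IPv4:"):
            cur = {"src": line.split()[1], "dst": line.split()[3], "payload": bytearray()}
            records.append(cur)
        elif cur and (m := UDP_RE.match(line)):
            cur["sport"], cur["dport"], cur["udp_len"] = map(int, m.groups())
        elif cur and line.startswith("Payload:"):
            cur["payload_len"] = int(line.split("=")[1])
        elif cur and (m := HEX_ROW_RE.match(line)):
            cur["payload"] += bytes.fromhex(m.group(1).split("  ")[0])  # stop at ASCII column
    return records

def flood_indicators(rec):
    # The header/payload oddities described in the post, each as a named boolean.
    p = rec["payload"]
    fill = p[0] if p else None
    return {
        "sport_eq_dport": rec["sport"] == rec["dport"],
        "udp_len_eq_port": rec["udp_len"] == rec["dport"],
        "udp_len_bogus": rec["udp_len"] != 8 + rec["payload_len"],  # 8-byte header + data
        "single_byte_payload": fill is not None and p.count(fill) == len(p),
        # Both port bytes equal the fill byte: '6' is 0x36 and 0x3636 == 13878.
        "port_is_fill_byte": fill is not None and rec["dport"] == (fill << 8) | fill,
    }

def flag_flood_packets(text, min_hits=4):
    # (src, port, fill character, matched indicators) for records with >= min_hits.
    scored = [(r, sorted(k for k, v in flood_indicators(r).items() if v)) for r in parse_records(text)]
    return [(r["src"], r["dport"], chr(r["payload"][0]), h) for r, h in scored if len(h) >= min_hits]
```

Both sample records score all five indicators; a record whose UDP length is 8 plus its payload and whose ports differ scores none.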

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com