Security Incidents mailing list archives
RE: UDP packets from Apache ? New DDOS ?
From: Matthew.Dalton () rochester edu
Date: Thu, 8 Jul 2004 13:53:42 -0400 (EDT)
SANS has a good reference for this at http://www.sans.org/resources/tcpip.pdf.

--
Matthew Dalton | Phone: (585)273-1721
ITS Security Group | Email: Matthew.Dalton () rochester edu
University of Rochester
Rochester, NY 14620

On Thu, 8 Jul 2004, Strand, John wrote:
Hello all,

Does anyone happen to know of a reference (online or otherwise) which breaks down the possible options for each TCP/IP header field? There are quite a few general descriptions of the packet headers on the net but very few that actually break down the possible (or at least expected) hex values.

Thanks for any help you can offer.

-----Original Message-----
From: Wouter Clarie [mailto:rimshot () pandora be]
Sent: Thursday, July 08, 2004 9:56 AM
To: incidents () securityfocus com
Subject: RE: UDP packets from Apache ? New DDOS ?

On Thu, 8 Jul 2004, Bojan Zdrnja wrote:

> 07:40:52.116687 IP 192.168.1.106.49043 > 209.123.78.248.50567: UDP, length: 1000
>     0x0000: 4500 0404 0000 4000 4011 5463 c0a8 016a  E.....@.@.Tc...j
>     0x0010: d17b 4ef8 bf93 c587 03f0 2703 4242 4242  .{N.......'.BBBB
>     0x0020: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
>     0x0030: 4242 4242 4242                           BBBBBB
>
> This is a part of a NetBIOS Name Service packet - however it is not complete (or it's malformed). You can decode it if you check headers, 0x4500 should be message ID, 0x0404 after that are flags showing it's a name query etc.

I think your analysis is not correct. This dump starts at the beginning of the IP header. 0x4500 means IPv4, header length 20 bytes (5 * 4 bytes, so no IP options), TOS value 0x00. The 0x0404 is the total length of the IP packet: 1024 bytes. 0x4000 Don't Fragment Flag, no fragment offset. 0x40 is TTL of 64. 0x11 is the protocol (17d = UDP), then the header checksum and then the source IP address and destination IP address (see above). Nothing suspicious there. The UDP header that follows also looks normal.

It's just the 0x42 pattern in the UDP payload, and the length of the packet that is a bit suspicious. I think this could be an old Apache worm (apache-worm.c) or something. Do you have more logs? Any idea what version of Apache and OpenSSL this machine is running?

Wouter
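As an added worked example (not code from the thread or any of its posters), the Python below decodes the IPv4 and UDP headers of the dump quoted above field by field, the way Wouter walks through them by hand, and additionally verifies the IP header checksum, detects that the capture is shorter than the IP total length, and flags the single-byte 0x42 payload fill. It generalises to any raw IPv4 dump with the link-layer header removed; the only input it assumes is the hex from the post.

```python
import struct
from ipaddress import IPv4Address

# tcpdump -X bytes quoted above, offset/ASCII columns stripped; capture ends at 54 bytes.
DUMP_HEX = ("4500 0404 0000 4000 4011 5463 c0a8 016a d17b 4ef8 bf93 c587 "
            "03f0 2703 4242 4242 4242 4242 4242 4242 4242 4242 4242 4242 "
            "4242 4242 4242")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def decode_ipv4_udp(raw: bytes) -> dict:
    """Decode IPv4 and UDP headers; also flag checksum mismatch, truncation, single-byte payload."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or len(raw) < hlen:
        raise ValueError("not a complete IPv4 header")
    hdr = bytearray(raw[:hlen])
    hdr[10:12] = b"\x00\x00"                # checksum field is excluded from its own sum
    f = {"version": version, "header_len": hlen, "tos": tos,
         "total_len": total_len, "id": ident,
         "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
         "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
         "checksum_ok": ip_checksum(bytes(hdr)) == hdr_csum,
         "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
         "truncated": len(raw) < total_len}
    if proto == 17 and len(raw) >= hlen + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", raw[hlen:hlen + 8])
        payload = raw[hlen + 8:]
        f.update({"sport": sport, "dport": dport, "udp_len": ulen,
                  "udp_payload_len": ulen - 8,
                  "payload_single_byte": len(set(payload)) == 1,
                  "payload_byte": payload[0] if payload else None})
    return f


# Decoded view of the packet from the thread, computed at import time.
DECODED = decode_ipv4_udp(bytes.fromhex(DUMP_HEX))
```

A responder can compare the returned dict against the 4500/0404/4000/4011 reading above and against the tcpdump summary line (ports and UDP length) before drawing conclusions from a hand decode.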
Current thread:
- UDP packets from Apache ? New DDOS ? Dave Foster (Jul 07)
- RE: UDP packets from Apache ? New DDOS ? Bojan Zdrnja (Jul 08)
- RE: UDP packets from Apache ? New DDOS ? Wouter Clarie (Jul 08)
- RE: UDP packets from Apache ? New DDOS ? Bojan Zdrnja (Jul 09)
- RE: UDP packets from Apache ? New DDOS ? Wouter Clarie (Jul 08)
- <Possible follow-ups>
- RE: UDP packets from Apache ? New DDOS ? Strand, John (Jul 08)
- RE: UDP packets from Apache ? New DDOS ? Matthew . Dalton (Jul 08)
- Re: UDP packets from Apache ? New DDOS ? Dave Paris (Jul 09)
- RE: UDP packets from Apache ? New DDOS ? Frank Knobbe (Jul 09)
- Re: UDP packets from Apache ? New DDOS ? Will Stockwell (Jul 09)
- RE: UDP packets from Apache ? New DDOS ? Bojan Zdrnja (Jul 08)