Snort mailing list archives
help identifying packets from attack
From: "Ing. Daniel Manrique" <roadmr () entropia com mx>
Date: Sun, 1 Sep 2002 20:39:26 -0500 (CDT)
Hey! What a great Sunday it was: my network suffered a brutal attack that left us basically disconnected for the better part of 2 hours (well, 80% packet loss meant any attempts to contact the outside world were pretty futile). The attack consisted of packets coming from a bunch of different IP addresses, all targeted at the same IP address within my network (a customer's server). Now, while the server itself managed to stay responsive, the sheer amount of packets completely saturated our puny 256k internet link and had the router's CPU working at 50% capacity (normal range is below 5%). The link's saturation continued even after I blocked traffic to the affected host at our main router; obviously, since even though the router was denying packets, they still had to travel down the link to reach the router and be denied; and the router denied close to a million packets in the last 20 minutes of the attack. Of course, during all this, before the router rules were in place, Snort found some strange packets (originating from loopback reserved addresses?) and logged them. My IDS sits on the same LAN segment as the router's ethernet interface and the victimized server's main ethernet interface.
They look like this (x.x.x.x stands for the targeted server's IP address, everything else is unchanged):

09/01-18:34:51.447719 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
127.56.80.150:6638 -> x.x.x.x:41260 TCP TTL:235 TOS:0x0 ID:48690 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x4D52D622  Win: 0x62  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/01-18:34:51.523402 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
127.13.73.170:60921 -> x.x.x.x:41506 TCP TTL:235 TOS:0x0 ID:48936 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x37075D9A  Win: 0xB81A  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

They came from many, many different addresses, and both origin and destination ports also varied wildly. Apparently they have no payload, only control information, and I'm guessing the ******S* thing means something about SYN, which makes me initially think it was a SYN flood attack. However, that's as far as my analysis skills go, and they might even be wrong; and I'd really like to know more about this, so that I can, hopefully, do something to prevent it.

So, I'd appreciate help interpreting these packets, identifying what kind of attack they belong to, and finding more information on how to stop/prevent/detect the situation more accurately. Snort was helpful; however, apparently it had no way of knowing the packets were some sort of attack; it only logged them because it thought loopback traffic looked suspicious.

Thanks in advance for any/all help!

- Roadmaster
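The records above can be read off directly: Snort prints the TCP flag byte as eight fixed positions in the order 1 2 U A P R S F (the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN) with `*` for a clear bit, so `******S*` is a SYN with nothing else set; DgmLen 40 with IpLen 20 and TcpLen 20 leaves zero bytes of payload; and a source in 127.0.0.0/8 can never legitimately arrive on an Internet-facing link, so the source address is forged. The script below is an added example, not code from the post or from Snort: it parses Snort's "full" packet-log format, derives those three traits per packet, and reports whether a capture has the shape of a spoofed SYN flood (SYN-only segments that dominate the capture, every one from a different address, at least one provably forged). The sample log is constructed for the example, with the two records quoted above (x.x.x.x replaced by the documentation address 192.0.2.10), two more in the same shape, and one ordinary data segment for contrast; the bogon list is an illustrative subset, not a complete one.

```python
import ipaddress
import re
from collections import Counter

# Snort prints the TCP flag byte as eight fixed positions in this order
# (reserved 1, reserved 2, URG, ACK, PSH, RST, SYN, FIN); '*' means the bit is clear.
FLAG_ORDER = "12UAPRSF"

# Source networks that cannot legitimately arrive on an Internet-facing link.
# Illustrative subset of the bogon space, assumed for this example, not a full list.
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample log: two records quoted in the post (target rewritten to the
# documentation address 192.0.2.10), two made-up records of the same shape, and
# one ordinary HTTP data segment so the summary has something to contrast against.
SAMPLE_LOG = """\
09/01-18:34:51.447719 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
127.56.80.150:6638 -> 192.0.2.10:41260 TCP TTL:235 TOS:0x0 ID:48690 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x4D52D622  Win: 0x62  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/01-18:34:51.523402 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
127.13.73.170:60921 -> 192.0.2.10:41506 TCP TTL:235 TOS:0x0 ID:48936 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x37075D9A  Win: 0xB81A  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/01-18:34:51.601118 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
127.200.1.1:2222 -> 192.0.2.10:3333 TCP TTL:235 TOS:0x0 ID:49001 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x12345678  Win: 0x10  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/01-18:34:51.677540 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x3C
203.0.113.77:40001 -> 192.0.2.10:5555 TCP TTL:235 TOS:0x0 ID:49210 IpLen:20 DgmLen:40 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x200  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/01-18:34:52.010004 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800 len:0x5EA
198.51.100.7:51234 -> 192.0.2.10:80 TCP TTL:52 TOS:0x0 ID:1001 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0xABCD  Win: 0xFFFF  TcpLen: 32
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<smac>\S+)\s+->\s+(?P<dmac>\S+)\s+type:0x\w+\s+len:0x\w+")
IP_RE = re.compile(
    r"^(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+"
    r"TTL:(?P<ttl>\d+)\s+TOS:0x\w+\s+ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(
    r"^(?P<flags>[12UAPRSF*]{8})\s+Seq:\s*0x(?P<seq>[0-9A-Fa-f]+)\s+Ack:\s*0x(?P<ack>[0-9A-Fa-f]+)\s+"
    r"Win:\s*0x\w+\s+TcpLen:\s*(?P<tcplen>\d+)")


def parse_snort_full(text):
    """Parse Snort 'full' packet-log records; returns one dict per TCP packet."""
    packets = []
    for record in re.split(r"^=\+=.*$", text, flags=re.M):   # records end with a =+=+ line
        lines = [ln for ln in record.splitlines() if ln.strip()]
        if len(lines) < 3:
            continue
        hdr, ip, tcp = HEADER_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
        if not (hdr and ip and tcp) or ip["proto"] != "TCP":
            continue
        packets.append({
            "ts": hdr["ts"],
            "src": ip["src"], "sport": int(ip["sport"]),
            "dst": ip["dst"], "dport": int(ip["dport"]),
            "ttl": int(ip["ttl"]),
            "flags": {name for ch, name in zip(tcp["flags"], FLAG_ORDER) if ch != "*"},
            "ack": int(tcp["ack"], 16),
            # DgmLen covers IP header + TCP header + data, so this is the data length.
            "payload_len": int(ip["dgmlen"]) - int(ip["iplen"]) - int(tcp["tcplen"]),
        })
    return packets


def is_spoofed_source(addr):
    """True when the source address cannot have arrived from the Internet."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in NEVER_FROM_OUTSIDE)


def summarize(packets):
    """Count the traits of a spoofed SYN flood and return a verdict with its evidence."""
    syn = [p for p in packets if p["flags"] == {"S"}]
    sources = {p["src"] for p in syn}
    spoofed = sum(is_spoofed_source(p["src"]) for p in syn)
    # A real client's initial SYN carries ACK = 0; a random ACK number points at a generator.
    bogus_ack = sum(p["ack"] != 0 for p in syn)
    return {
        "packets": len(packets),
        "syn_only": len(syn),
        "syn_sources": len(sources),
        "syn_zero_payload": sum(p["payload_len"] == 0 for p in syn),
        "syn_spoofed_source": spoofed,
        "syn_nonzero_ack": bogus_ack,
        "targets": dict(Counter(p["dst"] for p in syn)),
        "spoofed_syn_flood": (
            len(syn) >= 2                          # more than a lone connection attempt
            and 2 * len(syn) >= len(packets)       # SYN-only segments dominate the capture
            and len(sources) == len(syn)           # every SYN from a different address
            and (spoofed > 0 or bogus_ack > 0)     # and at least one is provably forged
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_snort_full(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample this reports 4 SYN-only segments from 4 distinct sources against one target, 3 of them from 127.0.0.0/8 and 3 carrying a non-zero ACK number, and flags the capture as a spoofed SYN flood. The verdict is a heuristic for triage, not a signature: it tells you the sources are forged and therefore not worth blocking one by one, which matches the post's observation that router ACLs did not relieve the link, because the packets still have to cross the link to be dropped. Filtering has to happen upstream of the saturated link, and source-address filtering at the provider's edge is what removes loopback and other bogon sources before they consume it.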
Current thread:
- help identifying packets from attack Ing. Daniel Manrique (Sep 01)
- Re: help identifying packets from attack Matt Kettler (Sep 02)