Firewall Wizards mailing list archives
Re: Spoofed SMTP _outbound_
From: ant () notatla demon co uk (Antonomasia)
Date: Thu, 17 Jan 2002 21:21:18 +0000 (GMT)
From: "Jay Epperson" <jepperso () mail vak12ed edu>
We're seeing source-spoofed traffic outbound from one of our segments to the SMTP port on a variety of outside addresses. The denials are like: denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets (not the real network numbers) Where the source address cycles through all addresses on the IP segment (1-254) and the destination stays fixed through such a run. Since the majority of the source addresses don't actually exist on our network, it smells like part of a DOS, or a one-way vulnerability attack intended to open up access to the target from somewhere besides here.
If it's really trying to open a hole in the style of reverse telnet doesn't it need either an accurate source address or a promiscuous interface ? I'd consider looking for a promiscuous interface as well as using a sniffer to lead back to the suspects. Eventually unplugging a box may sort it out but if the activity is intermittent it could be slow going. You could divert the outgoing traffic to a machine of your own to watch what it does. If it's simple-minded enough you might learn some strings to search for in all your binaries, and to publish.
Still working to capture enough information to identify the actual source platform, but if anyone can tell us what kind of animal we might be tracking, it could help. Boxes on the segment are all either Linux (new), HP-UX (mature), or AIX (ancient).
Arkin's passive traffic identification might help here. Different TTLs and source ports on traffic from different OSs etc. But when you know this traffic is spoofed it's hard to rely on what you see there. -- ############################################################## # Antonomasia ant notatla.demon.co.uk # # See http://www.notatla.demon.co.uk/ # ############################################################## _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Spoofed SMTP _outbound_ Jay Epperson (Jan 16)
- <Possible follow-ups>
- RE: Spoofed SMTP _outbound_ Karl Vogel (Jan 17)
- Re: Spoofed SMTP _outbound_ Antonomasia (Jan 18)
- Re: Spoofed SMTP _outbound_ epperson (Jan 23)