Security Incidents mailing list archives

Re: typical DOS or something more sinister?


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 22 Mar 2000 11:55:08 -0800


This is the signature for a "fraggle" attack.

The destination addresses below are "broadcast" addresses. This is a little
surprising to some people who expect broadcasts to look like 203.5.67.255,
but it comes about because you have CIDR-style subnetting. The following
tend to be broadcasts when used with 27 bit network addresses:
x.x.x.0
x.x.x.31
x.x.x.32
x.x.x.63
x.x.x.64
x.x.x.95
x.x.x.96
x.x.x.127
x.x.x.128
x.x.x.159
x.x.x.160
x.x.x.191
x.x.x.192
etc.

For example, the address 203.5.64.63 looks like:
11001011.00000101.01000000.00111111
-----------------------------111111
Where you can see that the last bits in the address are all ones. Remember
also that some systems consider all zeroes to be a broadcast as well (a
historical artifact we can blame on Sun).

Here is what happens with fraggle:
* you have your CIDR network
* Alice scans all the IP addresses in the range with an Echo request.
* Alice notices that some addresses return multiple responses.
* Alice posts to a smurf/fraggle registry the addresses that have returned
multiple responses.
* Bob wants to DoS somebody
* Bob goes to his favorite registry and pulls down a list of IP addresses.
* Bob then sends Echo requests to the IP addresses with the spoofed source
address of his victim.
* Charlene does the same as Bob for her victim.
* David does the same as Bob for his victim.

QED: you see random source addresses sending Echo requests to these
addresses.

In any event, the Echo service should be turned off. It is extraordinarily
evil. For example, let's say that I spoof a packet that looks like:
 -source-        -dest-       -sport-  -dport-  -protocol-
205.5.66.128    203.5.67.63     7       7        17

Now what do you think is going to happen?

If you don't mind, I'll upgrade my FAQ to include the discussion above. I do
have some limited text already at:
http://www.robertgraham.com/pubs/firewall-seen.html#port7
http://www.robertgraham.com/pubs/firewall-seen.html#fraggle

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Joe H
Sent: Tuesday, March 21, 2000 2:48 PM
To: INCIDENTS () securityfocus com
Subject: typical DOS or something more sinister?

check out these flows (a few of millions!):

 -source-        -dest-       -sport-  -dport-  -protocol-
212.187.65.86   203.5.67.63     7744    7       17
212.187.65.86   205.5.66.128    6537    7       17
212.187.65.86   205.5.66.63     29432   7       17
212.187.65.86   205.5.66.128    15793   7       17
212.187.65.86   205.5.66.191    17367   7       17
212.187.65.86   205.5.67.63     29210   7       17
212.187.65.86   205.5.67.127    351     7       17
212.187.65.86   205.5.66.127    17330   7       17

There are a few things to note
1. All are aimed at strategic points in the network (eg., broadcast
addresses)
2. They are all aimed at port 7 (echo)
3. All are of proto type 17 (udp)

This looks like a typical DOS. The dest. addr is spoofed and
this has been happening almost every day for the last week
from different remote ip addresses (except that this is the
first time the ip is spoofed). At one stage two dest hosts
were simultaneously doing the same as above to the same network.

Q's
1. Why all of a sudden are IPs from all over the world targeting _only_
   this particular network? (we have about two hundred others)
2. Why is it all port 7 only?

One IP range came from domain chello.nl and filtered off. Another came
from a different range but again the same top end domain chello.nl.
Is it possible that we are being used as a magnifier to launch
a larger attack (DDOS maybe) on another host/network?

Thanx
/joe/

PS  Do you need to allow port 7 (echo) traffic from outside
    your internal networks (ie., from internet) eg., for ping?
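As an added example that is not part of either message, the following script turns the two observations in this thread into a check: it lists the subnet-broadcast last octets Robert enumerates for a given prefix length (27 bits and the all-zeros rule are taken from his message), and it flags UDP port-7 flows whose destination is such an address, using the flow lines Joe posted as input. The `/27` assumption for every destination is the thread's, not a general rule; substitute the real prefix lengths of the networks you operate.

```python
import ipaddress
from typing import Dict, List

# Flow records exactly as posted in the thread (header line included).
FLOWS = """\
 -source-        -dest-       -sport-  -dport-  -protocol-
212.187.65.86   203.5.67.63     7744    7       17
212.187.65.86   205.5.66.128    6537    7       17
212.187.65.86   205.5.66.63     29432   7       17
212.187.65.86   205.5.66.128    15793   7       17
212.187.65.86   205.5.66.191    17367   7       17
212.187.65.86   205.5.67.63     29210   7       17
212.187.65.86   205.5.67.127    351     7       17
212.187.65.86   205.5.66.127    17330   7       17
"""

UDP = 17
ECHO_PORT = 7


def host_bits(ip: str, prefix_len: int) -> int:
    """Return the host portion of ip under a /prefix_len subnet."""
    return int(ipaddress.IPv4Address(ip)) & ((1 << (32 - prefix_len)) - 1)


def is_broadcast(ip: str, prefix_len: int, all_zeros_too: bool = True) -> bool:
    """True when the host bits are all ones (directed broadcast) or, for the
    stacks Robert mentions, all zeros."""
    bits = host_bits(ip, prefix_len)
    return bits == (1 << (32 - prefix_len)) - 1 or (all_zeros_too and bits == 0)


def broadcast_last_octets(prefix_len: int, all_zeros_too: bool = True) -> List[int]:
    """Reproduce Robert's list of last octets that are broadcasts for a /25 to /32 prefix."""
    assert 25 <= prefix_len <= 32, "only last-octet subnetting is tabulated here"
    return [o for o in range(256) if is_broadcast(f"0.0.0.{o}", prefix_len, all_zeros_too)]


def parse_flows(text: str) -> List[Dict]:
    """Parse the five-column flow table; lines that do not start with an address are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        src, dst, sport, dport, proto = parts
        records.append({"src": src, "dst": dst, "sport": int(sport),
                        "dport": int(dport), "proto": int(proto)})
    return records


def fraggle_candidates(flows: List[Dict], prefix_len: int = 27, all_zeros_too: bool = True) -> List[Dict]:
    """UDP echo flows aimed at a subnet broadcast address: the fraggle reflector signature."""
    return [f for f in flows if f["proto"] == UDP and f["dport"] == ECHO_PORT
            and is_broadcast(f["dst"], prefix_len, all_zeros_too)]
```

With the all-zeros rule every one of Joe's eight flows is flagged; without it the two aimed at 205.5.66.128 drop out, which is why the rule matters when deciding which addresses to protect.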

