Security Incidents mailing list archives
Re: typical DOS or something more sinister?
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 22 Mar 2000 11:55:08 -0800
This is the signature for a "fraggle" attack. The destination addresses below are "broadcast" addresses. This is a little surprising to some people who expect broadcasts to look like 203.5.67.255, but it comes about because you have CIDR-style subnetting. The following tend to be broadcasts when used with 27 bit network addresses:

x.x.x.0
x.x.x.31
x.x.x.32
x.x.x.63
x.x.x.64
x.x.x.95
x.x.x.96
x.x.x.127
x.x.x.128
x.x.x.159
x.x.x.160
x.x.x.191
x.x.x.192
etc.

For example, the address 203.5.64.63 looks like:

11001011.00000101.01000000.00111111
-----------------------------111111

Where you can see that the last bits in the address are all ones. Remember also that some systems consider all zeroes to be a broadcast as well (a historical artifact we can blame on Sun).

Here is what happens with fraggle:

* you have your CIDR network
* Alice scans all the IP addresses in the range with an Echo request.
* Alice notices that some addresses return multiple responses.
* Alice posts to a smurf/fraggle registry the addresses that have returned multiple responses.
* Bob wants to DoS somebody
* Bob goes to his favorite registry and pulls down a list of IP addresses.
* Bob then sends Echo requests to the IP addresses with the spoofed source address of his victim.
* Charlene does the same as Bob for her victim.
* David does the same as Bob for his victim.

QED: you see random source addresses sending Echo requests to these addresses.

In any event, the Echo service should be turned off. It is extraordinarily evil. For example, let's say that I spoof a packet that looks like:

-source-      -dest-       -sport- -dport- -protocol-
205.5.66.128  203.5.67.63  7       7       17

Now what do you think is going to happen?

If you don't mind, I'll upgrade my FAQ to include the discussion above.
I do have some limited text already at:
http://www.robertgraham.com/pubs/firewall-seen.html#port7
http://www.robertgraham.com/pubs/firewall-seen.html#fraggle

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Joe H
Sent: Tuesday, March 21, 2000 2:48 PM
To: INCIDENTS () securityfocus com
Subject: typical DOS or something more sinister?

check out these flows (a few of millions!):

-source-       -dest-        -sport- -dport- -protocol-
212.187.65.86  203.5.67.63   7744    7       17
212.187.65.86  205.5.66.128  6537    7       17
212.187.65.86  205.5.66.63   29432   7       17
212.187.65.86  205.5.66.128  15793   7       17
212.187.65.86  205.5.66.191  17367   7       17
212.187.65.86  205.5.67.63   29210   7       17
212.187.65.86  205.5.67.127  351     7       17
212.187.65.86  205.5.66.127  17330   7       17

There are a few things to note

1. All are aimed at strategic points in the network (eg., broadcast addresses)
2. They are all aimed at port 7 (echo)
3. All are of proto type 17 (udp)

This looks like a typical DOS. The dest. addr is spoofed and this has been happening almost every day for the last week from different remote ip addresses (except that this is the first time the ip is spoofed). At one stage two dest hosts were simultaneously doing the same as above to the same network.

Q's

1. Why all of a sudden are ip's from all over the world targeting _only_ this particular network? (we have about two hundred others)
2. Why is it all port 7 only?

One ip range came from domain chello.nl and filtered off. Another came from a different range but again the same top end domain chello.nl

Is it possible that we are being used as a magnifier to launch a larger attack (DDOS maybe) on another host/network?

Thanx
/joe/

PS Do you need to allow port 7 (echo) traffic from outside your internal networks (ie., from internet) eg., for ping?
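A worked example added by the editor, not part of either message above: it applies the fraggle signature Robert Graham describes (UDP to port 7 at a /27 subnet broadcast or all-zeros network address) to flow records in the same column layout Joe H posted, then groups the matches by source address, since in a fraggle trace the source is the spoofed victim, and separately flags the echo-to-echo, broadcast-to-broadcast packet Robert asks about. The flow lines are constructed for the example using documentation address ranges; 203.0.113.0/24 stands in for the subnetted network and the 27-bit prefix is an assumption taken from the message.

```python
import ipaddress
from collections import Counter

# Constructed sample flows in the thread's -source- -dest- -sport- -dport- -protocol-
# layout (documentation address ranges, not the addresses from the original posts).
# 203.0.113.0/24 plays the role of the CIDR-subnetted network being abused.
SAMPLE_FLOWS = """\
-source- -dest- -sport- -dport- -protocol-
192.0.2.10 203.0.113.63 7744 7 17
192.0.2.10 203.0.113.128 6537 7 17
192.0.2.10 203.0.113.191 17367 7 17
192.0.2.10 203.0.113.127 351 7 17
198.51.100.9 203.0.113.95 29432 7 17
198.51.100.9 203.0.113.31 17330 7 17
198.51.100.9 203.0.113.100 40000 53 17
198.51.100.9 203.0.113.63 40001 7 6
192.0.2.10 203.0.113.77 5555 7 17
203.0.113.128 203.0.113.63 7 7 17
"""

UDP, ECHO_PORT = 17, 7


def host_bits(addr, prefixlen):
    """Host portion of addr as a bit string (all ones => directed broadcast)."""
    bits = format(int(ipaddress.ip_address(addr)), "032b")
    return bits[prefixlen:]


def is_subnet_broadcast(addr, prefixlen=27):
    """True if addr is the all-ones broadcast or the all-zeros network address
    of the /prefixlen block containing it. All-zeros is counted because, as
    the message notes, some older hosts treat it as a broadcast too."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    a = ipaddress.ip_address(addr)
    return a in (net.broadcast_address, net.network_address)


def parse_flows(text):
    """Parse flow lines into (src, dst, sport, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):   # blank or header line
            continue
        src, dst, sport, dport, proto = line.split()
        flows.append((src, dst, int(sport), int(dport), int(proto)))
    return flows


def fraggle_candidates(flows, prefixlen=27):
    """Flows matching the fraggle signature: UDP to port 7 at a subnet
    broadcast/network address. The source address is the (spoofed) victim."""
    return [f for f in flows
            if f[4] == UDP and f[3] == ECHO_PORT
            and is_subnet_broadcast(f[1], prefixlen)]


def echo_loops(flows, prefixlen=27):
    """The worst case from the message: UDP echo-to-echo between two broadcast
    addresses, where every reply is itself a request to another amplifier."""
    return [f for f in flows
            if f[4] == UDP and f[2] == ECHO_PORT and f[3] == ECHO_PORT
            and is_subnet_broadcast(f[0], prefixlen)
            and is_subnet_broadcast(f[1], prefixlen)]


def victims_by_amplifier_count(candidates):
    """Count, per spoofed source, how many amplifier packets were sent."""
    return Counter(src for src, *_ in candidates)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    hits = fraggle_candidates(flows)
    for src, dst, sport, dport, proto in hits:
        print(f"{src:>14} -> {dst:<14} host bits {host_bits(dst, 27)}")
    print("probable victims:", dict(victims_by_amplifier_count(hits)))
    print("echo-to-echo loops:", echo_loops(flows))
```

Running it on the constructed records flags seven flows: the DNS flow and the TCP flow are dropped by the port and protocol checks, and the flow to .77 is dropped because its host bits are 01101 rather than all ones or all zeros. The last record, port 7 to port 7 between two broadcast addresses, is reported both as a fraggle candidate and as a loop. The prefix length is the one input you must know for your own network; a /24 and a /27 give different broadcast sets, and the check is only as good as that value.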
Current thread:
- typical DOS or something more sinister? Joe H (Mar 21)
- Re: typical DOS or something more sinister? Robert Graham (Mar 22)
- Re: typical DOS or something more sinister? Robert Graham (Mar 22)
- Re: typical DOS or something more sinister? Joe H (Mar 22)
- Re: typical DOS or something more sinister? Robert Graham (Mar 22)
- Re: typical DOS or something more sinister? Robert Graham (Mar 22)