Re: typical DOS or something more sinister?

[joe () ITS UNIMELB EDU AU (Joe H)]

Robert Graham wrote:
> PS: I forgot to address the specific questions in the original query about
> fraggles.
>
> > 1. All are aimed at strategic points in the network (eg., broadcast
> > addresses)
>
> Yes. A fraggle attack can really only be aimed at broadcast addresses. That
> is the point.
>
> > The dest. addr is spoofed
>
> Um. You can spoof a destination address. You can only spoof a source
> address. Is that what you meant?

Yes, sorry for the confusion.

> > this has been happening almost every day for the last week
> > from different remote ip addresses (except that this is the
> > first time the ip is spoofed). At one stage two dest hosts
> > were simultaneously doing the same as above to the same network.
>
> I'm not sure. You do mean "source address", don't you? Also, how can you
> tell that spoofing is going on?

Yes, again "two source hosts...."
Well you can't definatively determine whether the source is a spoofed
address
Usually, if the ip address (or higher end range eg.
63.5.205.in-addr.arpa
returns proper SOA values etc) resolves then I'm inclined to think
the source is legit. (90% of the times remote admins reply with
apologetic
remarks about the actions of their users - the other 10% they don't know
what's going on). But the fact is you cant determine if spoofing is
occuring.

> > Q's
> > 1. Why all of a sudden are ip's from all over the world targetting
> > _only_
> >   this particular network? (we have about two hundred others)
>
> Because this is the only network that has been discovered by Echo scans and
> registered in a fraggle amplifier directory. In particular, registries

Do you know the whereabouts of such a registry(s)?

> usually indicate how much amplification is going on. If a broadcast address
> only responds with 2 or 3 packets then it is hardly worth fraggling.
> However, if it responds with 30, then it is a darn effective amplifier. This
> means a person with a dialup line 33-kbps can generate 1-mbps of traffic at
> a victim, even more when you consider that most modems use compression and
> most T1 lines don't.
>
> > 2. Why is it all port 7 only?
>
> Mostly because script kiddies aren't smart enough to choose different ports.
> Also, you have to find services that are running, not firewalled, and which
> will respond to broadcast queries. Port 7 echo is the most common.
>
> > Is it possible that we are being used as a magnifier to launch
> > a larger attack (DDOS maybe) on another host/network?
>
> 99% probability.

Hmmmm.

> > Do you need to allow port 7 (echo) traffic from outside
> > your internal networks (ie., from internet) eg., for ping?
>
> Are you responsible for firewalling these systems? If so, you should
> definitely block it. The "ping" program uses ICMP echoes (protocol=1,
> type=8) not UDP Echoes (protocol=17, port=7).
>
> However, the root of the problem is that you've misconfigured your routers.
> Your routers should be configured to not consider such addresses to be
> broadcasts. You need to disable "directed broadcasts" on your routers.

You mean the line "no ip directed-broadcast". This is not on any of the
router interfaces (strange - all the others do!) that control those
nets.
Thanks Rob! This has been very enlightening!

/joe/

> Rob.