Security Incidents mailing list archives

Re: ddos-stacheldraht server-spoof alerts ( Was: What is this?)


From: "Stephen P. Berry" <spb () MESHUGGENEH NET>
Date: Thu, 15 Feb 2001 12:56:10 -0800

Rod Longanilla writes:

I'm still watching and recording the alerts until it can be absolutely
proven these particular alerts are just false positives.  So if anyone has
further information what can possibly be generating these, please
post/reply.

I've also seen lots of these in the past 200 Ksec or so, and all of
them appear to be Napster-related.  A couple of features:

        -Only one network that I'm currently watching has Napster
         lusers.  It is the only network seeing the ICMP traffic in
         question.

        -All of the ICMP traffic is directed at a single IP address:
         The address of the NAT device behind which all of the Napster
         lusers live.

                If this was some evildoer looking for compromised machines,
                I'd expect to see multiple IP addresses.
                Since none of the ICMP traffic is reaching any desktop
                machines, it cannot be communication between an evildoer
                and a compromised box or boxen[0].

        -There appears to be a strong correlation between the ICMP
         traffic and Napster sessions

                I've spot checked maybe a dozen of the couple thousand
                `hits' I've gotten recently, and it appears that in
                all of them the offending ICMP packet is part of
                the normal Napster client session setup.
                

Interestingly, not all Napster clients appear to exhibit this behaviour
(for example, I've never seen any of the internal Napster clients sending
this sort of traffic).  Anyone know exactly which client sends these
distinctive ICMP packets?  My analyst spidey sense tingles whenever
I see something like this---namely distinctive behaviour in a client mirroring
conventions first seen in script kiddie tools.  And this is exacerbated
by the fact that I've seen a bunch of bogus traffic[1] inserted into the
middle of otherwise innocuous Napster sessions.

I haven't seen any overt nastiness directly correlated to any of this
ICMP traffic, but I'd still be quite interested to see some sort of
definitive[2] statement about what's causing it.

- -Steve

- -----
0       Mod the NAT device being compromised, and my audit trails
        say it isn't.
1       Laundry lists of TCP and IP flags set individually and in
        combination---i.e., stuff that looks like an OS detection
        scan.  Not coming from demon.co.uk.
2       Read:  Independently verifiable and reproducible.
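A small triage script, added here as an illustration and not part of the original thread, that applies the two checks Steve describes to an alert log: whether every alert is aimed at a single destination (the NAT address) and whether each alert falls shortly after a Napster session between the same pair of hosts. The log formats, addresses and timestamps are all constructed, and the 30-second matching window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed IDS alert lines (not real captures): time, signature, src -> dst.
ALERTS = """\
2001-02-15T10:01:02 ddos-stacheldraht-server-spoof 203.0.113.9 -> 192.0.2.1
2001-02-15T10:07:45 ddos-stacheldraht-server-spoof 203.0.113.44 -> 192.0.2.1
2001-02-15T11:30:00 ddos-stacheldraht-server-spoof 198.51.100.7 -> 192.0.2.1
2001-02-15T11:30:10 ddos-stacheldraht-server-spoof 198.51.100.7 -> 192.0.2.1
2001-02-15T12:00:00 ddos-stacheldraht-server-spoof 203.0.113.9 -> 192.0.2.1
"""
# Constructed session log: when a Napster session was seen between the NAT
# address (local) and a peer. The last alert above has no session near it.
SESSIONS = """\
2001-02-15T10:01:00 192.0.2.1 203.0.113.9
2001-02-15T10:07:40 192.0.2.1 203.0.113.44
2001-02-15T11:29:58 192.0.2.1 198.51.100.7
"""

def parse_alerts(text):
    """Return (timestamp, signature, src, dst) tuples from the alert log."""
    out = []
    for line in text.splitlines():
        ts, sig, src, _arrow, dst = line.split()
        out.append((datetime.fromisoformat(ts), sig, src, dst))
    return out

def parse_sessions(text):
    """Return (timestamp, local, peer) tuples from the session log."""
    out = []
    for line in text.splitlines():
        ts, local, peer = line.split()
        out.append((datetime.fromisoformat(ts), local, peer))
    return out

def destination_counts(alerts):
    """Check 1: how many distinct destinations do the alerts hit?"""
    return Counter(dst for _ts, _sig, _src, dst in alerts)

def correlate(alerts, sessions, window=timedelta(seconds=30)):
    """Check 2: split alerts into (matched, unmatched). An alert matches when
    a session between its dst and src started at most `window` before it
    (the 30 s default is an assumption, not from the post)."""
    matched, unmatched = [], []
    for alert in alerts:
        ts, _sig, src, dst = alert
        hit = any(local == dst and peer == src and timedelta(0) <= ts - sts <= window
                  for sts, local, peer in sessions)
        (matched if hit else unmatched).append(alert)
    return matched, unmatched
```

Alerts that end up in `unmatched` are the ones worth spot checking by hand, since they are the ones the Napster-session explanation does not account for.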
