Security Incidents mailing list archives
RE: What am I seeing?
From: Rob Keown <Keown () MACDIRECT COM>
Date: Tue, 23 Oct 2001 11:35:48 -0400
Fraggle is like a smurf, a packet-amplification attack. Are you doing any ingress filtering... http://www.cert.org/archive/pdf/DoS_trends.pdf -----Original Message----- From: jkruser [mailto:jkruser () adelphia net] Sent: Tuesday, October 23, 2001 11:08 AM To: incidents () securityfocus com Cc: focus-ids () securityfocus com; vuln-dev () securityfocus com Subject: What am I seeing? Sorry about the crosspost but I am really in a pickle. I know this is a DoS, but how is it being done? The origination points are all over my C-net but I cannot believe all of these hosts are compromised. Any idea's on how to stop/track this? 59, 2001-10-23 02:57:25, 2002001, SNMP Corrupt, MY.C.BLOCK.175, , 0.0.0.0, , , 1 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.177, , 0.0.0.0, , dstport=7&srcport=21497, 1 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.233, , 0.0.0.0, , dstport=17&srcport=549, 1 79, 2001-10-23 02:57:31, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.58, , 0.0.0.0, , dstport=19&srcport=17541, 1 59, 2001-10-23 02:58:10, 2002001, SNMP Corrupt, MY.C.BLOCK.200, , 0.0.0.0, , , 1 79, 2001-10-23 02:58:12, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.212, , 0.0.0.0, , dstport=7&srcport=36679, 1 79, 2001-10-23 02:58:12, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.92, , 0.0.0.0, , dstport=17&srcport=50187, 1 59, 2001-10-23 02:58:19, 2002001, SNMP Corrupt, MY.C.BLOCK.72, , 0.0.0.0, , , 1 79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.65, , 0.0.0.0, , dstport=7&srcport=63300, 1 79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.197, , 0.0.0.0, , dstport=17&srcport=38775, 1 79, 2001-10-23 02:58:23, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.127, , 0.0.0.0, , dstport=19&srcport=54070, 1 59, 2001-10-23 02:58:25, 2002001, SNMP Corrupt, MY.C.BLOCK.125, , 0.0.0.0, , , 1 59, 2001-10-23 02:59:27, 2002001, SNMP Corrupt, MY.C.BLOCK.109, , 0.0.0.0, , , 1 79, 2001-10-23 02:59:29, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.117, , 0.0.0.0, , dstport=7&srcport=13929, 1 79, 2001-10-23 02:59:29, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.26, , 0.0.0.0, , dstport=19&srcport=22847|47998, 2 79, 2001-10-23 02:59:36, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.48, , 0.0.0.0, , dstport=7&srcport=35113, 1 59, 2001-10-23 02:59:55, 2002001, SNMP Corrupt, MY.C.BLOCK.224, , 0.0.0.0, , , 1 79, 2001-10-23 03:00:07, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.226, , 0.0.0.0, , dstport=7&srcport=30975, 1 79, 2001-10-23 03:00:07, 2000205, Possible Fraggle attack initiated, MY.C.BLOCK.36, , 0.0.0.0, , dstport=17&srcport=17726, 1 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- What am I seeing? jkruser (Oct 23)
- <Possible follow-ups>
- RE: What am I seeing? Rob Keown (Oct 23)
- RE: What am I seeing? jkruser (Oct 23)
- Re: What am I seeing? Mike Lewinski (Oct 23)
- Re: What am I seeing? Valdis . Kletnieks (Oct 23)
- RE: What am I seeing? jkruser (Oct 23)
- Re: What am I seeing? Bill_Royds (Oct 23)
- Re: What am I seeing? Richard . Smith (Oct 23)
- Re: What am I seeing? 'Bill Scherr IV, GCIA' (Oct 25)