Security Incidents mailing list archives

Re: Rise in spoofing and smurfing?


From: Stuart Sheldon <stu () actusa net>
Date: Fri, 01 Mar 2002 09:16:01 -0800

We've been seeing the same activity since Wednesday... Looks like our
range is being spoofed to attack DNS servers. It's not affecting us at
this time.

We have also seen an increase in port scans (mostly for squid and other
proxy servers) against us from an ap source... Welcome to the wonderful
world of the internet... :)

Stuart Sheldon


Glenn Forbes Fleming Larratt wrote:

In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
seen a much higher than normal incidence,

1. in the last week or two, of what appear to be smurf attempts, e.g.
(mildly filtered Cisco syslogs):

Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
        :
        :
Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet

2. in the last three days, of indications of our address space being
spoofed in huge quantity, presumably as part of DoS, decoy scanning,
or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
cases implying "stimulus" hosts that don't exist in our network
[subnets 108 and 93 are unallocated within our Class B]):

02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 
207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 
207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)

Has anyone seen similar behavior?

        -g
--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-- 
The early bird who catches the worm works for someone who comes in late
and owns the worm farm.
                -- Travis McGee



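Detection logic for the two patterns in the quoted message, added here as an example and not code from the thread: it flags a source sweeping directed-broadcast (.255) addresses across the monitored /16 (the smurf-amplifier hunt in the Cisco syslogs), and ICMP unreachables whose quoted inner source sits in an unallocated subnet of ours (backscatter that can only come from someone spoofing our range). The sample lines are constructed in the syslog and tcpdump formats shown above; the obfuscated 299.299.0.0/16 prefix and unallocated subnets 93 and 108 are taken from the post.

```python
import re
from collections import defaultdict

OUR_PREFIX = ("299", "299")        # obfuscated Class B from the post, handled as strings
UNALLOCATED_SUBNETS = {93, 108}    # third octets with no live hosts, per the post

# Constructed sample lines in the two formats quoted in the thread.
CISCO_LOG = """\
Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
Feb 28 19:30:05 tcp 217.59.20.181(21) -> 299.299.3.255(21), 1 packet
Feb 28 19:31:00 tcp 192.0.2.7(3456) -> 299.299.10.20(80), 4 packets
"""
TCPDUMP_LOG = """\
02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF)
02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF)
02/28 16:07:10.000000 203.0.113.9 > 299.299.10.20: icmp: host 203.0.113.9 unreachable for 299.299.10.20.2000 > 203.0.113.9.80: [|tcp] (DF)
"""

CISCO_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \w+ ([\d.]+)\(\d+\) -> ([\d.]+)\(\d+\), \d+ packets?")
UNREACH_RE = re.compile(r"icmp: host \S+ unreachable for (\d+\.\d+\.\d+\.\d+)\.\d+ >")

def in_our_range(ip):
    return tuple(ip.split(".")[:2]) == OUR_PREFIX

def smurf_candidates(log, min_broadcasts=3):
    """Sources that hit several directed-broadcast (.255) addresses inside our /16.
    One packet per broadcast address, walking the subnets, is an amplifier sweep."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = CISCO_RE.match(line)
        if not m:
            continue
        src, dst = m.groups()
        if in_our_range(dst) and dst.endswith(".255"):
            hits[src].add(dst)
    return {src: len(d) for src, d in hits.items() if len(d) >= min_broadcasts}

def spoof_backscatter(log):
    """ICMP unreachables whose quoted inner source is in an unallocated subnet of ours.
    No host there could have sent the original packet, so our range was spoofed."""
    found = []
    for line in log.splitlines():
        m = UNREACH_RE.search(line)
        if not m:
            continue
        inner_src = m.group(1)
        if in_our_range(inner_src) and int(inner_src.split(".")[2]) in UNALLOCATED_SUBNETS:
            found.append(inner_src)
    return found
```

Run against real router logs, tune `min_broadcasts` to the sweep size you consider worth paging on, and feed the flagged sources to upstream filtering rather than blocking the ICMP replies themselves.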