Security Incidents mailing list archives

RE: UDP traffic to net and broadcast addresses


From: "Joshua Wright" <Joshua.Wright () jwu edu>
Date: Thu, 3 Apr 2003 14:53:11 -0500

Zen,

Sounds like a Fraggle attack (though it's pretty slow to be effective), where you might be an amplifier.  Is the source address (a.b.c.d) an address that you recognize?

If your customer doesn't need it, make sure "no ip directed-broadcast" is applied to their router interfaces that are connected to broadcast-medium (e.g. Ethernet).  I'm pretty comfortable dropping traffic destined to a broadcast address at my enclave router, but your requirements may vary.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright () jwu edu 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

      debugging on a customer router I trampled over some unusual
      traffic pattern: it is composed of
      udp packets,
      always from the same ip address 
      random source port
      directed to the network and broadcast addresses of a network
      random destination port

      time-spaced around 2 seconds.

      This is an example from the logs

Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
Apr  2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
Apr  2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet
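
Added example, not part of the original message or thread: one way to pull this pattern out of router syslog, by matching %SEC-6-IPACCESSLOGP lines and counting, per source, the UDP packets aimed at the network or broadcast address of a local subnet. The 192.0.2.0/24 subnet, the source addresses, ACL number 101 and the min_hits threshold are constructed assumptions standing in for the values redacted in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: documentation addresses replace the redacted a.b.c.d / bcast-addr / net-addr.
SAMPLE_LOG = """\
Apr  2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(14673) -> 192.0.2.255(146), 1 packet
Apr  2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(41383) -> 192.0.2.255(558), 1 packet
Apr  2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(17499) -> 192.0.2.255(328), 1 packet
Apr  2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(19998) -> 192.0.2.0(112), 1 packet
Apr  2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 192.0.2.10(33000), 1 packet
Apr  2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(4000) -> 192.0.2.255(80), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def classify(dst, networks):
    """Return 'net', 'bcast' or None for a destination checked against the local subnets."""
    addr = ipaddress.ip_address(dst)
    for net in networks:
        if addr == net.network_address:
            return "net"
        if addr == net.broadcast_address:
            return "bcast"
    return None

def find_broadcast_udp(log_text, prefixes, min_hits=3):
    """Group UDP hits on network/broadcast addresses by source; keep sources with >= min_hits packets."""
    networks = [ipaddress.ip_network(p) for p in prefixes]
    hits = defaultdict(lambda: {"packets": 0, "dports": set(), "kinds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "udp":
            continue  # not an ACL log line, or not UDP
        kind = classify(m["dst"], networks)
        if kind is None:
            continue  # ordinary unicast destination
        rec = hits[m["src"]]
        rec["packets"] += int(m["count"])
        rec["dports"].add(int(m["dport"]))
        rec["kinds"].add(kind)
    return {src: rec for src, rec in hits.items() if rec["packets"] >= min_hits}

if __name__ == "__main__":
    for src, rec in find_broadcast_udp(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(src, rec["packets"], sorted(rec["dports"]), sorted(rec["kinds"]))
```

A single source with many distinct destination ports and both "net" and "bcast" hits matches the traffic described in the quoted report; the prefixes passed in must be the subnets actually configured on the router's interfaces.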
