Security Incidents mailing list archives
RE: UDP traffic to net and broadcast addresses
From: "Joshua Wright" <Joshua.Wright () jwu edu>
Date: Thu, 3 Apr 2003 14:53:11 -0500
Zen,

Sounds like a Fraggle attack (though it's pretty slow to be effective), where you might be an amplifier. Is the source address (a.b.c.d) an address that you recognize?

If your customer doesn't need it, make sure "no ip directed-broadcast" is applied to their router interfaces that are connected to broadcast-medium (e.g. Ethernet). I'm pretty comfortable dropping traffic destined to a broadcast address at my enclave router, but your requirements may vary.

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright () jwu edu
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
debugging on a customer router I trampled over some unusual traffic pattern: it is composed by udp packets, always from the same ip address random source port directed to the network and broadcast addresses of a network random destination port time-spaced around 2 seconds.

This is an example from the logs

Apr 2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(14673) -> bcast-addr(146), 1 packet
Apr 2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(41383) -> bcast-addr(558), 1 packet
Apr 2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(17499) -> bcast-addr(328), 1 packet
Apr 2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(1124) -> bcast-addr(940), 1 packet
Apr 2 10:41:11 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(32969) -> bcast-addr(549), 1 packet
Apr 2 10:41:14 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(19998) -> net-addr(112), 1 packet
Apr 2 10:41:15 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(24405) -> net-addr(251), 1 packet
Apr 2 10:41:17 MET: %SEC-6-IPACCESSLOGP: list # denied udp a.b.c.d(6827) -> bcast-addr(497), 1 packet
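
A way to triage logs like the ones quoted above: the Python below is an added example, not part of either post. It groups denied UDP packets aimed at a subnet's network or broadcast address by source and reports packet count, distinct destination ports and mean spacing. The subnet 192.0.2.0/24, the source addresses, ACL number 101 and the year 2003 (syslog lines carry none) are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the IPACCESSLOGP format quoted above; addresses are
# documentation ranges, ACL number 101 and the default year are placeholders.
SAMPLE_LOG = """\
Apr 2 10:41:03 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(14673) -> 192.0.2.255(146), 1 packet
Apr 2 10:41:05 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(41383) -> 192.0.2.255(558), 1 packet
Apr 2 10:41:08 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.7(17499) -> 192.0.2.0(328), 1 packet
Apr 2 10:41:09 MET: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(53) -> 192.0.2.10(33000), 1 packet
Apr 2 10:41:10 MET: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1124) -> 192.0.2.255(80), 1 packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+:\s+%SEC-6-IPACCESSLOGP: list \S+ denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def broadcast_udp_sources(log_text, subnets, year=2003):
    """Per source: denied UDP sent to a subnet's network or broadcast address."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    targets = {n.network_address for n in nets} | {n.broadcast_address for n in nets}
    hits = defaultdict(lambda: {"packets": 0, "dports": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "udp":
            continue  # not an ACL log line, or not UDP
        if ipaddress.ip_address(m["dst"]) not in targets:
            continue  # ordinary unicast destination
        h = hits[m["src"]]
        h["packets"] += int(m["count"])
        h["dports"].add(int(m["dport"]))
        h["times"].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, h in hits.items():
        gaps = [(b - a).total_seconds() for a, b in zip(h["times"], h["times"][1:])]
        report[src] = {
            "packets": h["packets"],
            "distinct_dports": len(h["dports"]),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for src, stats in broadcast_udp_sources(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(src, stats)
```

A single source with many distinct destination ports and a steady gap of a few seconds matches the pattern described in the original message; the unicast and TCP lines in the sample are ignored.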
Current thread:
- UDP traffic to net and broadcast addresses Zen (Apr 02)
- <Possible follow-ups>
- RE: UDP traffic to net and broadcast addresses Joshua Wright (Apr 03)