Security Incidents mailing list archives

Help with identifying scan/attack


From: "Derrick Teo" <deric () deric NET>
Date: Fri, 13 Jun 2003 18:35:43 +0800

Hi,

        This is my first post to this list (though lurking here has been
most informative), and I apologise in advance if any of this is off-topic.

        I would very much appreciate some help in identifying the nature of
a scan/attack on one of my servers earlier today.

        Snort picked up a series of packets of a wide range of protocols
with seemingly random (and mostly invalid) source and destination IPs. This
continued for about an hour. During this time, there was massive lag and
packet loss (roughly 2000ms ping with 50% loss) even to hosts on the same
(100MBit) switch, even though MRTG showed less than 5% of the link in use.
After the scan/attack stopped, ping times immediately went back to normal.

        Has anyone else seen anything like this before?

Excerpts of logs follow:
-----
Jun 13 15:29:16 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 16.0.155.69 -> 11.254.0.0
Jun 13 15:29:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:29:50 nemesis /kernel: arp: unknown hardware address format (0xd004)
Jun 13 15:29:50 nemesis /kernel: arp: runt packet
Jun 13 15:29:51 nemesis snort: [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! {MHRP} 59.144.0.250 -> 224.0.255.2
Jun 13 15:30:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CHAOS} 171.133.96.4 -> 144.85.240.223
Jun 13 15:30:24 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IGMP} 151.196.71.254 -> 168.0.0.1
Jun 13 15:30:30 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO194} 155.64.11.14 -> 0.96.248.0
Jun 13 15:31:42 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {SAT-EXPAK} 155.5.202.0 -> 0.64.13.255
Jun 13 15:32:22 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 128.0.128.248 -> 0.247.0.0
Jun 13 15:32:24 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.8.128.8 -> 0.0.128.0
Jun 13 15:33:09 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO209} 59.5.10.14 -> 176.142.106.239
Jun 13 15:34:25 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO173} 169.0.136.152 -> 103.1.240.0
Jun 13 15:34:42 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.250.42.91 -> 0.5.11.14
Jun 13 15:36:20 nemesis /kernel: arp: unknown hardware address format (0x0070)
Jun 13 15:37:45 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {MHRP} 0.240.132.136 -> 0.1.0.0
Jun 13 15:38:20 nemesis /kernel: arp: unknown hardware address format (0x0681)
Jun 13 15:38:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {VRRP} 155.69.251.238 -> 230.0.0.112
Jun 13 15:38:57 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CHAOS} 59.128.10.11 -> 155.21.11.255
Jun 13 15:39:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {UDP} 240.0.245.104:0 -> 155.69.2.255:0
Jun 13 15:39:12 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {CRUDP} 11.70.11.0 -> 7.208.15.2
Jun 13 15:39:27 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {VRRP} 155.5.13.14 -> 0.0.6.16
Jun 13 15:44:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {UDP} 0.16.13.48:0 -> 0.69.229.59:0
Jun 13 15:44:11 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPLT} 0.0.130.232 -> 203.1.0.0
Jun 13 15:44:59 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 14.208.132.40 -> 240.8.0.240
Jun 13 15:45:56 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 32.4.128.240 -> 0.7.0.0
Jun 13 15:47:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 0.0.136.8 -> 0.1.0.0
Jun 13 15:47:17 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPENCAP} 3.111.0.103 -> 0.11.7.48
Jun 13 15:48:36 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:48:48 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO192} 128.0.128.240 -> 0.102.0.0
Jun 13 15:48:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {XNET} 155.69.10.0 -> 155.0.11.239
Jun 13 15:49:53 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 224.21.10.17 -> 144.69.11.255
Jun 13 15:49:54 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPCV} 155.69.6.240 -> 144.0.214.102
Jun 13 15:49:54 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IPLT} 4.0.130.8 -> 203.7.0.0
Jun 13 15:52:00 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {PROTO241} 155.69.10.240 -> 144.0.87.102
Jun 13 15:52:35 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen < IP_HEADER_LEN! {CHAOS} 11.29.252.0 -> 155.100.11.255
Jun 13 15:54:20 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TCP} 0.10.136.8:0 -> 0.1.0.0:0
Jun 13 15:58:08 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {TRUNK-2} 155.69.0.254 -> 11.192.143.15
Jun 13 15:59:28 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4 datagram! {IP} 4.1.0.0 -> 233.11.136.0
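Added example (not part of Derrick's post): a small Python triage script that rejoins the mail-wrapped syslog records above, parses the Snort decoder warnings, and counts how many carry a source address that no real LAN host can use (0.0.0.0/8, multicast 224/4, reserved 240/4), which is a quick way to confirm that what Snort saw were not genuine IPv4 headers rather than a scan from real hosts. The sample records are copied from the excerpt above; the regex is my assumption about the Snort 2.x syslog layout.

```python
import re
from collections import Counter
from ipaddress import ip_address
# Assumed Snort 2.x syslog shape: "<ts> <host> snort: [gid:sid:rev] (snort_decoder) WARNING: <msg> {PROTO} src[:port] -> dst[:port]"
SNORT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ snort: \[(?P<gid>\d+):(?P<sid>\d+):\d+\] \(snort_decoder\) "
    r"WARNING: (?P<msg>.+?) \{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)
RECORD_START = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")

# Records copied from the excerpt above, still wrapped the way the mail client left them.
SAMPLE = """\
Jun 13 15:29:16 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4
datagram! {IP} 16.0.155.69 -> 11.254.0.0
Jun 13 15:29:19 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4
datagram! {TCP} 0.0.136.8:0 -> 0.1.0.0:0
Jun 13 15:29:50 nemesis /kernel: arp: unknown hardware address format
(0xd004)
Jun 13 15:38:50 nemesis snort: [116:2:1] (snort_decoder) WARNING: hlen <
IP_HEADER_LEN! {VRRP} 155.69.251.238 -> 230.0.0.112
Jun 13 15:39:10 nemesis snort: [116:1:1] (snort_decoder) WARNING: Not IPv4
datagram! {UDP} 240.0.245.104:0 -> 155.69.2.255:0
"""

def unwrap(lines):
    """Rejoin syslog records: a line without a leading timestamp continues the previous record."""
    records = []
    for line in (l.strip() for l in lines if l.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def bogus_source(addr):
    """True for a source no real LAN host can use: 0.0.0.0/8, multicast 224/4 or reserved 240/4."""
    ip = ip_address(addr)
    return int(ip) >> 24 == 0 or ip.is_multicast or ip.is_reserved

def summarise(records):
    """Count decoder warnings by gid:sid, collect the claimed IP protocols, tally bogus sources."""
    sigs, protos, bogus = Counter(), set(), 0
    for rec in records:
        m = SNORT_RE.match(rec)
        if not m:  # kernel arp lines and anything that is not a decoder warning are skipped
            continue
        sigs[f"{m['gid']}:{m['sid']} {m['msg']}"] += 1
        protos.add(m["proto"])
        bogus += bogus_source(m["src"])
    return {"total": sum(sigs.values()), "signatures": sigs, "protocols": sorted(protos), "bogus_src": bogus}
```

Run it over the full Snort log (or a pcap converted to the same syslog shape) and compare the event timestamps with the window of high latency; a high bogus-source ratio across many unrelated protocol numbers points at malformed frames rather than a host-driven scan.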


