Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Strange attack question - seems udp

From: Mihai Tanasescu <mihai () duras ro>
Date: Wed, 19 Oct 2005 05:14:03 +0300
Hello,
Thanks to all of you who answered and explained to me the possible causes and solutions.
Unfortunately I haven't been able to test them all as whatever was causing me problems has suddenly stopped; it's better to be prepared next time it happens. 

I'll try to filter out fragments on the Cisco to see what happens.


David Gillett wrote:


 Since the 1500 size is almost certainly an MTU, I'll guess
that those "offset" numbers are indicating that this is an
IP layer fragment; the UDP header information (including port
numbers) is at offset 0 and so is not available when examining
these fragments.

 There used to be a common brute-force DoS, often implemented
in VBasic, that went something like

 allocate buf[64K bytes]
 send to target
   repeat until killed
In my experience, the "send to target" was usually done with ICMP rather than UDP, but that's an implementation detail. The 
point was that this punted slicing of the buffer by MTU to the
IP layer, which is what you're seeing.

 IP-layer fragmentation is a very bad idea, not least because
the fragments have inadequate header information.  As you've found,
the reassembly process is rarely really robust, and can be subject
to DoS problems of its own.  So when you say
After receiving many packets like these on 3-4 interfaces, Cisco starts loosing packets and acts abnormal. 

I'm not terribly surprised.

REMEDY:  You can add an access list (or a line to your existing
access list) to block fragments.  Anybody who really cares about
talking to you will either do PMTUD or set a sane MTU.  These big
fragments will still try to take up your bandwidth (talk to your ISP about blocking them upstream), but your router will be stable. 

David Gillett





-----Original Message-----
From: Mihai Tanasescu [mailto:mihai () duras ro] Sent: Thursday, October 13, 2005 11:09 AM 
To: incidents () securityfocus com
Subject: Strange attack question - seems udp

Hello,

I've been getting things like these recently:
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], 
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], 
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], 
length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp 21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], 
length: 1500) 86.104.102.16 > 70.84.247.164: udp


I have 24 subnets inside a Cisco 3750.
After receiving many packets like these on 3-4 interfaces, Cisco starts loosing packets and acts abnormal.
I have gathered the output show above from a Linux machine with tcpdump which acts as a border router.
What I find strange is that there is no port specified (src,dst) and that the length of the packets is always 1500. 

Is there any way to filter something like this on the Cisco switch ?
Is it caused by a virus or by a human ? (I have seen it from 3-4 different interfaces at a time and with 4-6 different destination IPs) 


Any help will be greatly appreciated.


Sorry if I have  posted this to the wrong list.
Previous By Date Next
Previous By Thread Next

Current thread: