RE: Attack/DoS

["Todd R. Stroup" <tstroup () fnsi net>]

Thanks for all of your responses... but

1) I don't really need the consultants replys saying that you will fix my
problems for $100/hour.  

2) This isn't the BIND 8.x.x problem for getting root.  For this reason :

interface Loopback10
 ip address 209.115.17.65 255.255.255.224
 ip access-group 113 out

Its rather difficult to get BIND to run on a Cisco 7507, although some 
people probably have tried to get it to work.

We are viewing this from a cisco router with an access-list that 
basically looks like this :

        access-list 113 permit ip any any log

Example of the udp port 0 attack :

list 113 permitted udp 38.9.202.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.66.96.2(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 199.191.128.106(0) -> 209.115.17.67(0), 1 packet
list 113 permitted udp 194.62.44.10(0) -> 209.115.17.66(0), 1 packet

Example of the DNS (53) attack :

list 113 permitted udp 207.150.3.11(53) -> 209.115.17.66(53), 121 packets
list 113 permitted udp 203.77.1.1(53) -> 209.115.17.67(53), 1 packet
list 113 permitted udp 194.62.44.10(53) -> 209.115.17.67(53), 2 packets
list 113 permitted udp 194.66.96.2(53) -> 209.115.17.67(53), 91 packets

An interesting thing to note is who ever programed this attack used the 
same IP addresses in a round robin type fashion for both (or maybe it is 
just selectable in the DoS, who knows).  


Todd R. Stroup
Fiber Network Solutions, Inc.


> From: Todd R. Stroup [mailto:tstroup () FNSI NET]
> Sent: Wednesday, June 03, 1998 3:53 PM
> To:   BUGTRAQ () NETSPACE ORG
> Subject:      Attack/DoS
>
> Don't know if it is just me.  But over the last 10 hours we have been
> seeing attacks on port 0 from port 0 (both tcp and udp) on several clients
> networks.  I have also seen the same attack on port udp 53(DNS).
>
> Anyone have any information on this?
>
>
> Todd R. Stroup
> Fiber Network Solutions, Inc.
>
>
> > ---------- Forwarded message ----------
> > Date: Mon, 1 Jun 1998 21:58:17 -0500
> > From: "J.A. Terranson" <sysadmin () MFN ORG>
> > To: BUGTRAQ () NETSPACE ORG
> > Subject: (Admittedly Premature) Exploit (?) Warning.
> >
> > While I realize that this issue may not yet be "ripe", as I the folks involved
> > (myself and at least three other sites) have not yet firmly established just
> > *exactly* what is going on here, but...
> >
> > There appears to be some kind of exploit making the rounds that utilizes
> > TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
> > packet traces are right now available only as historical log entries that are
> > *loosely* associated with 2 successful "root" attacks against IMAP enabled
> > servers, an unsuccessful attack against another (ours), and the possible
> > compromise of another.
> >
> >         In short, I dont know a lot, other than in the course of reviewing my
> > daily logs, I saw a couple of freaky packets (above) addressed to my
> > nameservers (both of them).  They were rejected and logged at the routers,
> > however, as a common courtesy, we notified the admin of the "sending"
> > machine that they had a sick box.  As it developed, this person had
> > recieved other emails regarding this from other admins, 2 of which had
> > suffered the successful attacks mentioned above - all of us seeing the
> > originating machine as the same box.  It is unknown if the source address was spoofed.
> >
> >         Basically, I think this is just a "common-cause" warning to look out
> > for weird packets of this nature, and to take notice if you see any.
> >
> >         Rather than keep a running blow-by-blow going on the various lists,
> > please address anything regarding this to me directly...
> >
> > Thanks
> > J.A. Terranson
> > sysadmin () mfn org