nanog mailing list archives

Attack/DoS

From: "Todd R. Stroup" <tstroup () fnsi net>
Date: Wed, 3 Jun 1998 17:52:52 -0400 (EDT)



Don't know if it is just me.  But over the last 10 hours we have been
seeing attacks on port 0 from port 0 (both tcp and udp) on several clients
networks.  I have also seen the same attack on port udp 53(DNS). 

Anyone have any information on this?  


Todd R. Stroup
Fiber Network Solutions, Inc.

---------- Forwarded message ----------
Date: Mon, 1 Jun 1998 21:58:17 -0500
From: "J.A. Terranson" <sysadmin () MFN ORG>
To: BUGTRAQ () NETSPACE ORG
Subject: (Admittedly Premature) Exploit (?) Warning.

While I realize that this issue may not yet be "ripe", as I the folks involved
(myself and at least three other sites) have not yet firmly established just
*exactly* what is going on here, but...

There appears to be some kind of exploit making the rounds that utilizes
TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
packet traces are right now available only as historical log entries that are
*loosely* associated with 2 successful "root" attacks against IMAP enabled
servers, an unsuccessful attack against another (ours), and the possible
compromise of another.

        In short, I dont know a lot, other than in the course of reviewing my
daily logs, I saw a couple of freaky packets (above) addressed to my
nameservers (both of them).  They were rejected and logged at the routers,
however, as a common courtesy, we notified the admin of the "sending"
machine that they had a sick box.  As it developed, this person had
recieved other emails regarding this from other admins, 2 of which had
suffered the successful attacks mentioned above - all of us seeing the
originating machine as the same box.  It is unknown if the source address was spoofed.

        Basically, I think this is just a "common-cause" warning to look out
for weird packets of this nature, and to take notice if you see any.

        Rather than keep a running blow-by-blow going on the various lists,
please address anything regarding this to me directly...

Thanks
J.A. Terranson
sysadmin () mfn org

Current thread:

Attack/DoS Todd R. Stroup (Jun 03)
- Re: Attack/DoS Perry E. Metzger (Jun 03)
- <Possible follow-ups>
- RE: Attack/DoS Todd R. Stroup (Jun 03)
- Re: Attack/DoS John Fraizer (Jun 04)