Snort mailing list archives

Re: Possible DOS Attack??


From: ICPPhila_Email_Review () icpphil navy mil
Date: Tue, 19 Jun 2001 08:03:36 -0400

Jay,

You might want to do a quick check to see if you picked up a zombie/bot
on one of your machines. IRC is known for providing servers to those
that would be engaged in this kind of thing. Try running "netstat -an
| grep 6667". This is a much-used port for bots that need to check in
with the zombie master. Since IRC servers generally require the presence
of an "ident" server on the client machine, you can also run "netstat
-an | grep 113" (of course, if you are using a Windows machine, just
replace grep with find "113" or "6667").

For a very good anatomy of a DDOS attack, take a look at http://grc.com.
It is too bad that some people feel the need to be assholes.

Good luck,
Craig Woods


Phil Wood wrote:

Jay,

In the future, I'd try to include as much interpretation as possible
so others can have enough information to go on.  A closer look at the
hex of the IP packet indicates that it is an ICMP *Echo* request to the
broadcast address.  I don't think that the Internet routes to
255.255.255.255. That would be bad.

A node much closer to home is sending the packet, unless there has
been some address translation going on (192.70.0.255 -> 255.255.255.255)
by the "router" on the network you are monitoring.

The source address may or may not be spoofed.  From a disrupter's standpoint
it's much better to forge the source address to be some host inimical to the
disrupter.  That way any hosts on your network that respond to broadcast
pings will cause additional "damage" to the source address.

You should look at an arp table for the network you are monitoring and find:

  00 30  80 18 83 c1

which is the arp address of the "router" sending the offending packet inbound.

Also, the identifier and sequence number are zero.  I'd expect a zero
sequence number for the first packet sent.  Usually, the identifier is
non-zero.  But there might be a disrupter tool that uses zero.

That's my take.  Any other ideas out there?

Thanks,

Phil

   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1072           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 44107        | |D| | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=242    | Protocol = 1  | Header Checksum = 44151       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 216.80.83.185                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 255.255.255.255                        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      RFC792: INTERNET CONTROL MESSAGE PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Type = 8      | Code = 0      | Checksum = 63487              |
    Echo Request 0
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identifier = 0                | Sequence Number = 0           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  00000000  0000                            :                  :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

On Mon, Jun 18, 2001 at 10:40:57AM -0400, Jay Moore wrote:
I have been receiving ICMP requests from the following IP address since 4am 
this morning.  The ICMP requests are being sent to every host in my IP range 
(209.192.70.0/24 and 208.5.208.0/24).  The destination field says 
255.255.255.255; the source field is 216.80.83.185 (irc.plur.net, some ISP in 
Chicago owns this IP).  It does not seem to be affecting my bandwidth.  I need 
help in determining if this is a real DOS attack.  I have tried to scan the 
attacking IP with nessus, but the IP is not responding.  Do the packets below 
tell me anything else?  Not sure where to start.  Thanks in advance.

Incoming packet:
from 216.80.83.185 to 255.255.255.255
0000  ff ff ff ff ff ff 00 30  80 18 83 c1 08 00 45 00   .......0 ......E.
0010  04 30 ac 4b 40 00 f2 01  ac 77 d8 50 53 b9 ff ff   .0.K@... .w.PS...
0020  ff ff 08 00 f7 ff 00 00  00 00 00 00 00 00 00 00   ........ ........
0030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0280  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0300  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0310  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0360  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0370  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0430  00 00 00 00 00 00 00 00  00 00 00 00 00 00         ........ ......

Reply packet:
from 208.5.208.254 to 216.80.83.185
0000  00 30 80 18 83 c1 00 01  02 26 17 0d 08 00 45 00   .0...... .&....E.
0010  04 30 ef de 00 00 ff 01  fa df d0 05 d0 fe d8 50   .0...... .......P
0020  53 b9 00 00 ff ff 00 00  00 00 00 00 00 00 00 00   S....... ........
0030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0230  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0240  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0270  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0280  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
02f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0300  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0310  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0320  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0330  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0340  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0360  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0370  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
03f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0430  00 00 00 00 00 00 00 00  00 00 00 00 00 00         ........ ......



#-- Jay Moore, Chief Engineer
#-- Don't meddle in the affairs of hackers for they are subtle and quick to anger
#-- uptime|perl -e 'print"TrueSysAdmin\n" if($_=<STDIN>)=~/^(.*)/;'


--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
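The analysis Phil does by eye above (reading the source MAC of the "router", the IP header fields, the ICMP type, and the zero identifier/sequence number off the hex) can be done mechanically. The following is an added example, not code from the thread or from Snort: it rebuilds both frames from the header bytes transcribed from Jay's dumps (the payload is all-zero padding exactly as the dumps show, 14 + 1072 = 1086 bytes per frame), verifies the IP and ICMP checksums, flags the broadcast echo request pattern, and checks that the reply from 208.5.208.254 is an echo reply aimed at the request's source address, which is the amplification effect Phil warns about. The field names and helper functions are this example's own choices.

```python
"""Decode the two frames from the post and check the points raised in the thread.
Added example, not part of the original thread. Header bytes are transcribed from
the dumps in the post; the payload is zero padding, as the dumps show."""
import struct

LIMITED_BROADCAST = "255.255.255.255"


def _frame(header_hex: str, frame_len: int = 1086) -> bytes:
    """Rebuild a frame from the non-zero header bytes of a dump plus zero padding."""
    hdr = bytes.fromhex(header_hex)
    return hdr + b"\x00" * (frame_len - len(hdr))


# "Incoming packet": Ethernet, IP and the first 8 ICMP bytes, from the post's dump.
INCOMING = _frame(
    "ff ff ff ff ff ff 00 30 80 18 83 c1 08 00 "
    "45 00 04 30 ac 4b 40 00 f2 01 ac 77 d8 50 53 b9 ff ff ff ff "
    "08 00 f7 ff 00 00 00 00"
)

# "Reply packet": the echo reply 208.5.208.254 sent back through the same router.
REPLY = _frame(
    "00 30 80 18 83 c1 00 01 02 26 17 0d 08 00 "
    "45 00 04 30 ef de 00 00 ff 01 fa df d0 05 d0 fe d8 50 53 b9 "
    "00 00 ff ff 00 00 00 00"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_frame(frame: bytes) -> dict:
    """Pull out the Ethernet, IPv4 and ICMP fields that the thread reads off the hex."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        raise ValueError("not an ICMP-over-IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    icmp = ip[ihl:total_len]                      # checksum covers header + payload
    itype, icode, icmp_csum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "dst_mac": _mac(dst_mac),
        "src_mac": _mac(src_mac),                 # the "router" that put it on the wire
        "total_length": total_len,
        "ip_id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "ip_src": _ip(src),
        "ip_dst": _ip(dst),
        "ip_checksum": hdr_csum,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": itype,
        "icmp_code": icode,
        "icmp_checksum": icmp_csum,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "icmp_id": icmp_id,
        "icmp_seq": icmp_seq,
    }


def is_broadcast_echo_request(pkt: dict) -> bool:
    """The pattern in the post: ICMP echo request (type 8) aimed at 255.255.255.255."""
    return pkt["icmp_type"] == 8 and pkt["ip_dst"] == LIMITED_BROADCAST


def amplifier_evidence(request: dict, reply: dict) -> bool:
    """True when a local host answered the broadcast ping with a same-sized echo reply
    to the request's source address, i.e. the network acts as an amplifier."""
    return (is_broadcast_echo_request(request)
            and reply["icmp_type"] == 0
            and reply["ip_dst"] == request["ip_src"]
            and reply["total_length"] == request["total_length"])


if __name__ == "__main__":
    req, rep = decode_frame(INCOMING), decode_frame(REPLY)
    for name, p in (("request", req), ("reply", rep)):
        print(name, {k: p[k] for k in ("src_mac", "ip_src", "ip_dst", "ttl",
                                       "ip_checksum_ok", "icmp_type", "icmp_checksum_ok")})
    print("broadcast echo request:", is_broadcast_echo_request(req))
    print("local host amplified it:", amplifier_evidence(req, rep))
```

Both checksums in both frames verify, so the dumps were not mangled in transit, and the decoded request matches the diagram above field for field (ID 44107, TTL 242, DF set, ICMP identifier and sequence 0). The reply's destination MAC is the same 00:30:80:18:83:c1 the request came from, which is the ARP entry Phil suggests looking up.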


