At 11:38 PM 6/3/98 -0400, Perry E. Metzger wrote:
"Todd R. Stroup" writes:
Don't know if it is just me. But over the last 10 hours we have been seeing attacks on port 0 from port 0 (both TCP and UDP) on several clients' networks. I have also seen the same attack on UDP port 53 (DNS).
Anyone have any information on this?
What do you mean by an "attack"? Are you being flooded? Are the packets somehow "interesting"? Without details the information is useless.
Port 0, btw, is not generally valid, and most proper TCP and UDP implementations will just send an ICMP Unreachable back when they get such a packet.
Perry
Perry,

Here are some logs of slightly different format that show the same attack Todd writes about:

Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=49
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=48
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 199.199.125.28 L=119 S=0xC0 I=63767 F=0x0000 T=64
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=57
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=56
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 165.113.1.73 L=118 S=0xC0 I=63769 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=245
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=244
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 166.93.1.3 L=118 S=0xC0 I=63770 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=20
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=19
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 198.81.19.238 L=121 S=0xC0 I=63771 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=247
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=246
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 128.112.129.15 L=120 S=0xC0 I=63772 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=53
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=52

The thing that makes it "interesting" is the fact that most implementations DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in the neighborhood of 1.7Mb before they routed the netblock in question to a loopback interface on the 7507. The attacker was sending less than 300Kb of traffic and consuming 2Mb.

-------
John Fraizer (root)         |    __   _                  | The System Administrator
                            |   / /  (_)__  __ ____ __   | The choice
mailto:root@EnterZone.Net   |  / /__/ / _ \/ // /\ \/ /  | of a GNU
http://www.EnterZone.Net/   | /____/_/_//_/\_,_/ /_/\_\  | Generation
A 486 is a terrible thing to waste...
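As an added example, not part of the thread and not code from any of the posters: a small Python parser for the "IP acct" kernel log lines John posted. It pairs each inbound UDP packet with the outbound ICMP type 3 (destination unreachable) reply logged toward the same address and computes how many bytes of ICMP the site itself emits per byte received, which is the figure a defender needs before deciding to rate-limit unreachables or null-route a block as John's site did. The log lines are copied from the post above (most of the forwarded "out eth2" copies dropped, and the last inbound packet left without a reply, as in the excerpt); the regular expression, the equal-ports heuristic, the 53/0 port set and every function name are my assumptions, not anything from the thread.

```python
"""Parse Linux 'IP acct' (ipfwadm accounting) kernel log lines and measure
how much ICMP destination-unreachable traffic inbound UDP provokes.
Log sample copied from the thread; parser and heuristics are assumptions."""
import re
from collections import defaultdict

# Sample lines copied from John Fraizer's post. One forwarded "out eth2"
# copy is kept to show it is ignored; the final inbound packet has no
# ICMP reply in the excerpt, which the summary must tolerate.
SAMPLE_LOG = """\
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=49
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=48
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 199.199.125.28 L=119 S=0xC0 I=63767 F=0x0000 T=64
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=57
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 165.113.1.73 L=118 S=0xC0 I=63769 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=245
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 166.93.1.3 L=118 S=0xC0 I=63770 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=20
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 198.81.19.238 L=121 S=0xC0 I=63771 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=247
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 128.112.129.15 L=120 S=0xC0 I=63772 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=53
"""

# Assumed layout of one accounting line; ICMP records carry "ICMP/<type>"
# and bare addresses, TCP/UDP records carry "ip:port".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: IP acct "
    r"(?P<dir>in|out) (?P<iface>\S+) (?P<proto>TCP|UDP|ICMP(?:/\d+)?) "
    r"(?P<src>\S+) (?P<dst>\S+) L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)$"
)

# Port 0 is not a valid port (Perry's point); 53->53 is Todd's pattern.
SUSPECT_PORTS = {0, 53}


def split_endpoint(endpoint):
    """'1.2.3.4:53' -> ('1.2.3.4', 53); a bare ICMP address -> (addr, None)."""
    ip, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return ip, int(port)


def parse_line(line):
    """Return a dict for one accounting line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = split_endpoint(rec.pop("dst"))
    rec["len"] = int(rec["len"])
    rec["ttl"] = int(rec["ttl"])
    proto = rec["proto"]
    rec["icmp_type"] = int(proto.split("/")[1]) if "/" in proto else None
    return rec


def is_suspect_udp(rec):
    """Inbound UDP with equal source and destination port, both 0 or 53
    (assumed heuristic for the pattern reported in the thread)."""
    return (rec["dir"] == "in" and rec["proto"] == "UDP"
            and rec["src_port"] == rec["dst_port"]
            and rec["dst_port"] in SUSPECT_PORTS)


def reflection_summary(log_text):
    """Per remote address: inbound UDP bytes received from it versus ICMP
    type 3 bytes the site sent back to it; plus site-wide totals and the
    resulting amplification ratio (ICMP bytes out / UDP bytes in)."""
    per_ip = defaultdict(lambda: {"udp_in": 0, "udp_pkts": 0,
                                  "icmp_out": 0, "icmp_pkts": 0, "suspect": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "in" and rec["proto"] == "UDP":
            s = per_ip[rec["src_ip"]]
            s["udp_in"] += rec["len"]
            s["udp_pkts"] += 1
            s["suspect"] += int(is_suspect_udp(rec))
        elif rec["dir"] == "out" and rec["icmp_type"] == 3:
            # The unreachable goes to the packet's (possibly spoofed) source.
            s = per_ip[rec["dst_ip"]]
            s["icmp_out"] += rec["len"]
            s["icmp_pkts"] += 1
        # Forwarded copies ("out eth2 UDP") fall through and are not counted.
    udp_total = sum(s["udp_in"] for s in per_ip.values())
    icmp_total = sum(s["icmp_out"] for s in per_ip.values())
    return {
        "per_ip": dict(per_ip),
        "udp_in_bytes": udp_total,
        "icmp_out_bytes": icmp_total,
        "amplification": icmp_total / udp_total if udp_total else 0.0,
        "suspect_pkts": sum(s["suspect"] for s in per_ip.values()),
    }


if __name__ == "__main__":
    report = reflection_summary(SAMPLE_LOG)
    for ip, s in sorted(report["per_ip"].items()):
        print(f"{ip:16} udp_in={s['udp_in']:4}B  icmp_out={s['icmp_out']:4}B  "
              f"suspect={s['suspect']}")
    print(f"total: {report['udp_in_bytes']}B in, {report['icmp_out_bytes']}B "
          f"ICMP out, amplification x{report['amplification']:.2f}, "
          f"{report['suspect_pkts']} equal-port packets")
```

On the excerpt this gives 342 bytes of UDP in against 596 bytes of ICMP out, roughly 1.7 bytes of unreachable for every byte received, and three of the six inbound packets carry the 53-to-53 signature. The per-address table is the useful part for a responder: every address that shows ICMP out but no matching UDP in, or far more ICMP than UDP, is a spoofed source being reflected at, and the ratio tells you how much of the link the site's own replies are eating before any filter is added.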