At 11:38 PM 6/3/98 -0400, Perry E. Metzger wrote:
"Todd R. Stroup" writes:
Don't know if it is just me. But over the last 10 hours we have been seeing attacks on port 0 from port 0 (both tcp and udp) on several clients networks. I have also seen the same attack on port udp 53(DNS).
Anyone have any information on this?
What do you mean by an "attack"? Are you being flooded? Are the packets somehow "interesting"? Without details the information is useless.
Port 0, btw, is not generally valid, and most proper TCP and UDP implementations will just send an ICMP Unreachable back when they get such a packet.
Perry
Perry, Here are some logs of slightly different format that show the same attack Todd writes about: Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=49 Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=48 Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 199.199.125.28 L=119 S=0xC0 I=63767 F=0x0000 T=64 Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=57 Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=56 Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 165.113.1.73 L=118 S=0xC0 I=63769 F=0x0000 T=64 Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=245 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=244 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 166.93.1.3 L=118 S=0xC0 I=63770 F=0x0000 T=64 Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=20 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=19 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 198.81.19.238 L=121 S=0xC0 I=63771 F=0x0000 T=64 Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=247 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=246 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 128.112.129.15 L=120 S=0xC0 I=63772 F=0x0000 T=64 Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=53 Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=52 The thing that makes it "interesting" is the fact that most implementations DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in the neighborhood of 1.7Mb before they routed the netblock in question to a loopback interface on the 7507. The attacker was sending less that 300Kb of traffic and consuming 2Mb. ------- John Fraizer (root) | __ _ | The System Administrator | / / (_)__ __ ____ __ | The choice mailto:root@EnterZone.Net | / /__/ / _ \/ // /\ \/ / | of a GNU http://www.EnterZone.Net/ | /____/_/_//_/\_,_/ /_/\_\ | Generation A 486 is a terrible thing to waste...
participants (1)
-
John Fraizer