"White, Tim" wrote:
>
> I am getting these destined for networks behind my firewall (application
> gateway), which does not pass ANY ICMP, in or out. They are also destined
> for 24-bit network addresses (i.e. 172.16.12.0). What is really odd about
> these is that they are slowly covering my entire class B at early morning
> hours. They are sourced from about 20 routers covering a broad area.
We've been seeing *a lot* of these over on SANS as well. See:
http://www.sans.org/y2k.htm
I posted a bit of info on this here a few days ago. Let me give a bit of
an update as to what we've found.
What appears to be happening is the attacker generates traffic to a
remote system but sets the TTL value in the packet to be just a few hops
short of what's needed to get there. A majority of the packets are
echo-request, but we've seen a few TCP and UDP packets as well. The
source address of these packets is spoofed. The value is a .0 address
from within the target network's subnet range.
So the attacker transmits the above packet. While in transit, the TTL
drops to zero. The router receiving the TTL 0 packet realizes it cannot
forward it and issues a time exceeded (ICMP type 11) packet back to the
spoofed source address. So what you are seeing in your logs is the error
code generated by the spoofed packets when the TTL expires.
A couple of odd things about this traffic pattern:
- The type 11 packets are small, requiring *many* to be an effective DoS
- The type 11's are actually smaller than the packets needed to generate
  them. ;)
- Target subnets always seem to be class A and B networks
- Spoofed IP address always seems to be x.x.x.0
- All "sets" of attacks on a particular subnet appear to originate from a
  single host
- There are actually very few hosts performing this attack pattern
I think the whole idea of this attack is it's supposed to be "stealthy"
and cause confusion. The sources of the type 11's are multiple backbone
routers from around the Internet. This makes it appear as if multiple hosts
are launching a coordinated attack. If you track back the IP address,
people may become additionally concerned if they think one of these
routers has been compromised.
So how to track it? One of the nice things about this traffic pattern is
that it's pretty lame as far as DoS attacks go. The attacker needs to
generate a packet for every packet seen by the target network (and as
mentioned above, a bigger one at that). I think the idea was that
transmitting to x.x.x.0 would perform some form of amplification on the
target network itself, but I have yet to see a single person report
this. They may also be attempting to leverage the fact that many
filtering firewalls allow type 11 packets into the internal network.
Now, if you can decode the type 11 packets you are seeing, they will
include the first 64 bits of the original packet transmitted by the
attacker. This means you now know the IP address of the destination
within the echo-request packet as well as the IP address of the router
issuing the type 11. Drawing a straight line back brings you to the
major provider where the attack originated. In fact I'm seeing that the
attacker's attempt to randomize the number of routers issuing the type
11's actually helps in triangulating their location. Now it's just a
matter of using something like MCI's DosTracker to ID the offending
system.
Of course none of this would be a problem if we all did ingress
filtering, but I will not go there... ;)
Cheers,
Chris
--
**************************************
cbrenton_at_sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Received on Jan 01 2000
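The decoding step Chris describes, as an added example that is not part of the original thread or anyone's posted code: the body of an ICMP time-exceeded message carries, per RFC 792, the original IP header plus the first 64 bits (8 bytes) of the original datagram's data, so a defender can pull the router that issued the type 11, the spoofed x.x.x.0 source, the real destination the attacker addressed, and (for an echo request) the identifier and sequence number out of each logged packet, then group them per target network to see the pattern the post lists: many routers, all spoofed sources ending in .0, one probe destination. The sample packets are constructed here with documentation address ranges rather than captured traffic, and the function names (`parse_time_exceeded`, `summarise`, `build_time_exceeded`) are my own.

```python
"""Decode ICMP type 11 (time exceeded) packets and summarise the low-TTL /
spoofed-x.x.x.0 pattern per /16. Sample packets are constructed, not captured."""
import ipaddress
import struct

ICMP_TIME_EXCEEDED = 11
ICMP_ECHO_REQUEST = 8
PROTO_ICMP = 1


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_icmp_echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr + data)) + hdr[4:] + data


def build_time_exceeded(router: str, original: bytes) -> bytes:
    """Emulate the router's reply when TTL hits zero (RFC 792): ICMP type 11 code 0,
    4 unused bytes, the original IP header, then the first 8 bytes of its data.
    The outer packet goes to the original (here: spoofed) source address."""
    inner_hdr, inner_data = original[:20], original[20:28]
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner_hdr + inner_data
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    spoofed_src = str(ipaddress.IPv4Address(inner_hdr[12:16]))
    return build_ipv4_header(router, spoofed_src, PROTO_ICMP, len(icmp), ttl=255) + icmp


def parse_time_exceeded(raw: bytes):
    """Return the recoverable facts from one type 11 packet, or None if it is not one."""
    ihl = (raw[0] & 0x0F) * 4
    icmp = raw[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED:
        return None
    inner = icmp[8:]                      # original IP header + first 64 bits of data
    inner_ihl = (inner[0] & 0x0F) * 4
    result = {
        "router": str(ipaddress.IPv4Address(raw[12:16])),   # who issued the type 11
        "victim": str(ipaddress.IPv4Address(raw[16:20])),   # where it landed (spoofed src)
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),  # the attacker's real target
        "inner_proto": inner[9],
    }
    first8 = inner[inner_ihl:inner_ihl + 8]
    if result["inner_proto"] == PROTO_ICMP and len(first8) == 8:
        itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", first8)
        result.update(inner_icmp_type=itype, echo_id=ident, echo_seq=seq)
    return result


def is_dot_zero(addr: str) -> bool:
    return int(ipaddress.IPv4Address(addr)) & 0xFF == 0


def summarise(raw_packets):
    """Group type 11 packets by the /16 they landed in: distinct routers, distinct
    spoofed .0 victims, and the probe destinations the attacker actually addressed."""
    groups = {}
    for raw in raw_packets:
        p = parse_time_exceeded(raw)
        if p is None:
            continue
        net = str(ipaddress.IPv4Network(p["victim"] + "/16", strict=False))
        g = groups.setdefault(net, {"routers": set(), "victims": set(),
                                    "probe_dsts": set(), "all_dot_zero": True})
        g["routers"].add(p["router"])
        g["victims"].add(p["victim"])
        g["probe_dsts"].add(p["inner_dst"])
        if not is_dot_zero(p["inner_src"]):
            g["all_dot_zero"] = False
    return groups


def _make_samples():
    """Constructed sample: three backbone routers each expiring one probe whose
    spoofed source is a .0 address in 172.16.0.0/16, all aimed at one remote host."""
    routers = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    victims = ["172.16.12.0", "172.16.13.0", "172.16.14.0"]
    out = []
    for seq, (router, victim) in enumerate(zip(routers, victims)):
        echo = build_icmp_echo_request(0x4242, seq, b"abcdefghijklmnop")
        probe = build_ipv4_header(victim, "198.51.100.50", PROTO_ICMP, len(echo), ttl=1) + echo
        out.append(build_time_exceeded(router, probe))
    return out


SAMPLE_PACKETS = _make_samples()

if __name__ == "__main__":
    for net, g in summarise(SAMPLE_PACKETS).items():
        print(net, "routers=%d" % len(g["routers"]), "victims=%d" % len(g["victims"]),
              "probe_dsts=%s" % sorted(g["probe_dsts"]), "all_dot_zero=%s" % g["all_dot_zero"])
```

Fed real packets (for example the raw bytes a firewall or tcpdump logged), `summarise` gives the defender the same picture the post draws by hand: one probe destination per target network behind many routers is a single attacker expiring packets in transit, and `inner_dst` plus the router set is what you hand to the upstream provider for the trace.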