Security Incidents mailing list archives

Re: unidentified DOS "bad traffic"
From: Alain Fauconnet <alain () cscoms net>
Date: Fri, 14 Mar 2003 10:55:31 +0700

Hello,

On Thu, Mar 13, 2003 at 03:53:59PM -0600, DY wrote:

> Twice in the past week I have experienced a severe DOS condition on my
> network.  A particular host has been completely flooding the network with
> some sort of traffic that chokes the whole thing.  Now, on the first
> incident I was unable to obtain packet trace data (I'll spare the details)
> and was forced to reconnect the particular segment's port.  We got by for
> a few days, and then wham, it happened again.  This time I isolated the
> segment with a Snort sensor and captured a large amount of data (actually,
> I only sniffed for a few seconds before I'd already swallowed about 10 MB
> of data, all of which was identical, so I stopped).  My Snort output on
> this trace was filled with nothing but bizillions of these entries
> (payload did vary a little):
>
> 03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
> PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80

Looks very close to something I've experienced recently as well. My
research has pointed me to the following places:

http://lists.insecure.org/lists/incidents/2002/May/0026.html
http://cert.uni-stuttgart.de/archive/incidents/2002/05/msg00026.html

This is about a DoS and warez distribution IRC BOT. It uses IP
protocol 255 also.


> "bad traffic," resolves (reverse) to irc-m.icq.aol.com.

Same for me! Also 2 other IPs in cable.midspring.com and
mdweb1.c.mad.interhost.com (Spain).

> 4) There was so much of this traffic that it shut my network down.  My
> main router (Cisco) reported no appreciable CPU consumption during the
> attack.  It just appears that the sheer volume of the [bad] packets choked
> everybody out.

Ditto.

Hope that helps,
_Alain_
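A defender-side check suggested by this exchange, added here as an example and not part of the original thread or of Snort itself: it parses Snort packet-header lines in the format quoted above and reports any host that sends an unexpected IP protocol (such as 255) in volume. The sample log is constructed; the packet threshold and the set of "expected" protocols are assumptions to adjust for your own network.

```python
import re
from collections import Counter

# Snort prints each packet header as a line pair, as in the thread:
#   03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
#   PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
# Known protocols appear by name (TCP/UDP/ICMP), others as PROTO<n>.
HEADER_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
                       r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$")
PROTO_RE = re.compile(r"^(?:(?P<name>TCP|UDP|ICMP)|PROTO(?P<num>\d+))\s+TTL:\d+"
                      r".*\bDgmLen:(?P<len>\d+)")
NAMED = {"ICMP": 1, "TCP": 6, "UDP": 17}
EXPECTED_PROTOCOLS = {1, 2, 6, 17}  # assumption: ICMP, IGMP, TCP, UDP are normal here

def parse_snort_log(text):
    """Yield (timestamp, src, dst, ip_protocol, datagram_length) per packet."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i + 1 < len(lines):
        h, p = HEADER_RE.match(lines[i]), PROTO_RE.match(lines[i + 1])
        if h and p:
            proto = NAMED[p["name"]] if p["name"] else int(p["num"])
            yield h["ts"], h["src"], h["dst"], proto, int(p["len"])
            i += 2
        else:
            i += 1  # not a header pair (payload dump, rule alert, etc.)

def find_flooders(text, min_packets=3):
    """Map each source that sent an unexpected IP protocol at least
    min_packets times to (protocol, packet_count, total_bytes)."""
    packets, octets = Counter(), Counter()
    for _, src, _, proto, dgmlen in parse_snort_log(text):
        if proto not in EXPECTED_PROTOCOLS:
            packets[(src, proto)] += 1
            octets[(src, proto)] += dgmlen
    return {src: (proto, n, octets[(src, proto)])
            for (src, proto), n in packets.items() if n >= min_packets}

# Constructed sample: three protocol-255 datagrams from one host and one
# ordinary TCP packet from another (TCP headers carry :port suffixes).
SAMPLE_LOG = """
03/13-07:53:50.650383 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50456 IpLen:20 DgmLen:80
03/13-07:53:50.650391 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50457 IpLen:20 DgmLen:80
03/13-07:53:50.651002 10.1.2.4:1034 -> 10.1.2.1:80
TCP TTL:128 TOS:0x0 ID:7 IpLen:20 DgmLen:60 DF
03/13-07:53:50.651120 10.1.2.3 -> 64.12.165.57
PROTO255 TTL:128 TOS:0x0 ID:50458 IpLen:20 DgmLen:80
"""
```

Running `find_flooders(SAMPLE_LOG)` on the sample returns `{"10.1.2.3": (255, 3, 240)}`, i.e. the single host, the protocol number and the byte volume that a switch or router would be absorbing.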
