[Intrusions] (no subject)

Jack McCarthy intrusion.list at jackmccarthy.com
Fri Nov 12 15:31:10 GMT 2004


Looks like Chris may be right with respect to spoofing.  I contacted the Russian ISP, Corbina Telecom, and they believe the packets are spoofed.  I attached their reply below.

-------------------------------------
Good afternoon, Jack.

In reply to your letter of Thursday, 10:36 PM, 11/11/2004:

It seems to us that these are fake packets because our client that uses this network has very small outgoing traffic now and uses only a few IP addresses; most of this network is unused.
-------------------------------------

-Jack



--- Chris Brenton <cbrenton at chrisbrenton.org> wrote:

> Hey Carles,
> 
> On Mon, 2004-11-08 at 19:00, Carles Fragoso i Mariscal wrote:
> >
> > We are receiving a strange set of ip fragments against one of our dns
> servers (A.B.C.D)
> 
> Not that strange, it looks like a standard attempt to exhaust resources.
> To cut and paste for a moment:
> 
> > 00:22:15.078691 83.102.166.7     > A.B.C.D: (frag 1861:25 at 512)
> > 00:22:20.986039 83.102.166.33    > A.B.C.D: (frag 38756:25 at 512)
> > 00:22:29.909213 83.102.166.44    > A.B.C.D: (frag 1718:25 at 512)
> > 00:22:33.038511 83.102.166.43    > A.B.C.D: (frag 57823:25 at 512)
> 
> So different frag IDs will cause different pools of memory to get
> allocated. They are trying to generate as many memory allocations as
> possible, in order to deny access from legitimate frags.
> 
> The 512 byte offset plus the 25 bytes of data is a bit weird as this
> exceeds the acceptable datagram size for DNS over UDP. Since the frags
> are never fully re-assembled however, it does not really matter. 
> 
> > which seems sourced from the same C class (83.102.166.0/24, a Russian ISP)
> 
> Be careful with that assumption. We're talking UDP so it's trivial to
> spoof. It's far more likely someone is incrementing the source IP rather
> than all these IPs are involved in a coordinated attack. With this in
> mind, the true source could be anywhere.
> 
> > That network seems to be between 11 and 14 hops away giving a possible
> initial TTL of 60-64.
> 
> My money is on 64 at 14 hops away.
> 
> HTH,
> Chris
> 
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
> 
> 
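As an added example (not part of this posting or anything from the list), a small Python detector for the pattern Chris describes: it parses tcpdump lines in the format quoted above and flags a destination that accumulates many fragment IDs for which no first fragment (offset 0) ever arrives, and also counts fragments whose offset plus length exceed the 512-byte DNS-over-UDP limit. The sample lines, the benign 192.0.2.10 source, and the orphan threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# tcpdump fragment notation as quoted in the thread ("frag ID:LEN at OFFSET");
# a trailing "+" (more fragments follow) is tolerated.
FRAG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s+"
    r"\(frag (?P<id>\d+):(?P<len>\d+) at (?P<off>\d+)\+?\)"
)
DNS_UDP_MAX = 512  # RFC 1035 ceiling for DNS over UDP without EDNS0

def parse_frag(line):
    """Return one fragment's fields as a dict, or None for a non-fragment line."""
    m = FRAG_RE.match(line.strip())
    if not m:
        return None
    return {**m.groupdict(), **{k: int(m[k]) for k in ("id", "len", "off")}}

def analyze(lines, min_orphan_ids=3):
    """Per destination: fragment IDs never seen at offset 0 (orphans that sit in
    the reassembly queue until timeout), distinct sources, oversize fragments."""
    state = defaultdict(lambda: {"first_seen": {}, "srcs": set(), "oversize": 0})
    for line in lines:
        f = parse_frag(line)
        if f is None:
            continue
        st = state[f["dst"]]
        seen = st["first_seen"]  # fragment ID -> did an offset-0 piece arrive?
        seen[f["id"]] = seen.get(f["id"], False) or f["off"] == 0
        st["srcs"].add(f["src"])
        if f["off"] + f["len"] > DNS_UDP_MAX:  # 512 + 25 in the thread trips this
            st["oversize"] += 1
    report = {}
    for dst, st in state.items():
        orphans = sum(1 for got_first in st["first_seen"].values() if not got_first)
        report[dst] = {"orphan_ids": orphans,
                       "distinct_sources": len(st["srcs"]),
                       "oversize_frags": st["oversize"],
                       "suspicious": orphans >= min_orphan_ids}
    return report

# Constructed sample in the thread's format (A.B.C.D = the anonymized DNS server);
# the last two lines are a benign, complete two-fragment datagram.
SAMPLE = """\
00:22:15.078691 83.102.166.7     > A.B.C.D: (frag 1861:25 at 512)
00:22:20.986039 83.102.166.33    > A.B.C.D: (frag 38756:25 at 512)
00:22:29.909213 83.102.166.44    > A.B.C.D: (frag 1718:25 at 512)
00:22:33.038511 83.102.166.43    > A.B.C.D: (frag 57823:25 at 512)
00:22:40.000001 192.0.2.10       > A.B.C.D: (frag 100:200 at 0+)
00:22:40.000200 192.0.2.10       > A.B.C.D: (frag 100:40 at 200)
""".splitlines()
```

Because the source addresses are untrusted (UDP, as Chris notes), the report keys on the destination and treats the source count as context only, not as attribution.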



