[Intrusions] LOW SLOW SMTP DOS from our clients.

kenneth gf brown ken at shadowplay.net
Sun Apr 10 03:13:07 GMT 2005


fyi it was misconfigured configure files in the cable modem tftp configs...
don't ask... I didn't... got to the point that I was sep (someone else's problem).
they fixed the config, issue went away.

ken



> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> Jérémy Lebourdais
> Sent: April 6, 2005 04:11
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] LOW SLOW SMTP DOS from our clients.
> 
> 
> Maybe a "tcpdump -s 0 -w log" on the client side may help?
> Or a router problem? The client never receives the "go ahead"
> packet so it never ACKs it? Is it the same mail client on
> all computers? Hmmm, I remember that some Linksys routers
> are firmware flashable... Maybe an update is required, or it
> has been bad-flashed?
> 
> I guess for a router problem ;-)
> Could you tell us what was wrong when you find it?
> 
> --
> Lebourdais Jeremy
> Student in Network and Computer Sciences in France
> 
> 
> On Sat, Feb 19, 2005 at 04:25:34PM -0600, kenneth gf brown wrote:
> > 
> > we are attempting to figure out why a series of smtp clients are
> > causing multiple concurrent connection attempts on smtp.
> > we have isolated a bit of the problem...
> > 
> > these are clients authorised to use our outbound smtp server
> > 
> > basically every 1' 15'' an affected smtp client, exhibiting a slow low
> > dos behaviour, connects to our server. the smtp handshake happens as
> > in the capture below...
> > but upon our receipt of this packet (basically the client starting the DATA
> > part of the smtp connection...) after our send of go ahead (twice; the
> > client ignores the first one)
> > see the full capture below.
> > 
> > 00:26:41.334390 cli.ent.ipa.ddr.2580 > ser.ver.ipa.ddr.smtp: . ack 105 win 65431 (DF)
> > 0x0000   4500 0028 86c0 4000 7d06 a491 41c2 17ba        E..(..@.}...A...
> > 0x0010   d8b1 a050 0a14 0019 59b9 4db3 3790 5e4e        ...P....Y.M.7.^N
> > 0x0020   5010 ff97 9646 0000 0000 0000 0000             P....F........
> > 
> snip ...
> 
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org 
> > http://www.dshield.org/mailman/listinfo/intrusions