[Dshield] 1026-27

Frank Knobbe frank at knobbe.us
Thu Aug 11 16:36:32 GMT 2005


On Thu, 2005-08-11 at 12:14 -0400, Paul Marsh wrote:
> Firewall? Hey that's a good idea, only kidding ;)  I understand what
> they are.  I guess I should have been a little more detailed in my first
> post.  Are the source ports accurate or spoofed?  I guess I'm looking
> for a way to get to the bottom of this stuff and get it shut down.  My
> log is split 50% 1026 and 45% 1027, it's a pain in the butt trying to
> find legit stuff through all this freaking noise.

Gotcha. I was concerned about that too and at first didn't have those
cause a block via Snortsam, but then I just took a stab at it. It seems
that a lot of this is coming from the same IP addresses, which doesn't
look spoofed to me (at least not randomly spoofed, heh). However, I
have also seen ICMP unreachable packets coming in on client networks
that were in response to claimed outbound UDP 1026 packets. Confident
knowing the client isn't infected, we set up a trap and indeed it
appears that no outbound packet was sent, but an ICMP Unreachable from
somewhere came in claiming that it was sent from that address. So, some
of that traffic does appear to be spoofed.

I haven't broken that down based on actual content of the pop-up. It is
plausible that certain pop-ups are spoofed while others are sent from
infected machines retaining their correct address.

Sounds like a fun project for someone interested... to map which pop-up
(based on content) is spoofed, and which is not.

Cheers,
Frank


-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
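The trap Frank describes above (an ICMP Unreachable arrives quoting an outbound UDP 1026/1027 packet that the client never actually sent, so the pop-up spammer must have spoofed the client's address) can be automated by comparing the flow quoted inside each ICMP Destination Unreachable against a log of what really left the network. The following is an added example, not code from the list or from Snortsam; the `build_icmp_unreachable` helper, the `OUTBOUND_LOG` set and the `ICMP_EVENTS` list are constructed sample data, and the IP addresses are documentation ranges chosen for the demo.

```python
import struct
from ipaddress import IPv4Address

# UDP ports the Messenger-service pop-up spam targets, per the thread.
POPUP_PORTS = {1026, 1027}


def build_icmp_unreachable(claimed_src, claimed_dst, sport, dport):
    """Construct (demo only) an ICMP type 3 code 3 (port unreachable) message.
    A real router echoes the offending packet's IPv4 header plus its first
    8 bytes; checksums are left zero because nothing here puts it on the wire."""
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0x1234, 0, 64, 17, 0,        # IHL=5, len=28, proto=UDP
        IPv4Address(claimed_src).packed,
        IPv4Address(claimed_dst).packed,
    )
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)  # type, code, csum, unused
    return icmp_hdr + inner_ip + inner_udp


def parse_icmp_unreachable(pkt):
    """Return the UDP flow an ICMP Destination Unreachable claims we sent,
    or None if the bytes are not such a message quoting a UDP packet."""
    if len(pkt) < 8 + 20 + 8 or pkt[0] != 3:
        return None
    inner = pkt[8:]                      # quoted original IPv4 header
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < ihl + 8:
        return None                      # not UDP, or truncated quote
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {
        "code": pkt[1],
        "claimed_src": str(IPv4Address(inner[12:16])),
        "claimed_dst": str(IPv4Address(inner[16:20])),
        "sport": sport,
        "dport": dport,
    }


def find_backscatter(icmp_events, outbound_log):
    """icmp_events: list of (icmp_sender_ip, raw_icmp_bytes) seen at the edge.
    outbound_log: set of (src, sport, dst, dport) flows that really left us.
    Returns the events whose quoted flow never appeared in the outbound log,
    i.e. backscatter from packets sent elsewhere with our address spoofed."""
    flagged = []
    for sender, raw in icmp_events:
        claim = parse_icmp_unreachable(raw)
        if claim is None:
            continue
        flow = (claim["claimed_src"], claim["sport"],
                claim["claimed_dst"], claim["dport"])
        if flow not in outbound_log:
            claim["icmp_from"] = sender
            claim["popup_port"] = claim["dport"] in POPUP_PORTS
            flagged.append(claim)
    return flagged


# Constructed sample data: one DNS query we genuinely sent, and three ICMP
# unreachables: a legitimate reply to that query, plus two quoting UDP
# 1026/1027 packets that never appeared in our outbound log.
OUTBOUND_LOG = {("192.0.2.10", 40000, "198.51.100.5", 53)}
ICMP_EVENTS = [
    ("198.51.100.5", build_icmp_unreachable("192.0.2.10", "198.51.100.5", 40000, 53)),
    ("203.0.113.7", build_icmp_unreachable("192.0.2.10", "203.0.113.7", 1234, 1026)),
    ("203.0.113.9", build_icmp_unreachable("192.0.2.10", "203.0.113.9", 1235, 1027)),
]

if __name__ == "__main__":
    for hit in find_backscatter(ICMP_EVENTS, OUTBOUND_LOG):
        print(f"{hit['icmp_from']} claims we sent {hit['claimed_src']}:{hit['sport']}"
              f" -> {hit['claimed_dst']}:{hit['dport']} (not in outbound log)")
```

In practice the outbound log would come from the firewall or a tap on the egress link, and the ICMP events from the same capture; the only requirement is that both record the 4-tuple. A quoted flow absent from the log is the sign Frank's trap looked for, and counting those per `icmp_from` separates the genuinely infected senders (whose addresses match their own outbound traffic) from the ones whose pop-ups are spoofed.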