[Dshield] Port 16 traffic

Gene Marsh marshm at anycast.net
Sat Dec 24 00:28:42 GMT 2005


...or just implement a Netfilter-based firewall, properly configured, and be
done with it.  I've seen this type of attack as well.  It never has any
significant effect on any of the Linux/Netfilter systems I manage.

Gene... 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Brenton
Sent: Friday, December 23, 2005 11:54 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Port 16 traffic

On Fri, 2005-12-23 at 07:25 -0800, jmulkerin wrote:
>
> [Root]system-critical-00440: Fragmented traffic! From
> 216.234.234.34:20864 to DNSSERVER:16, proto UDP (zone Untrust, int 
> ethernet1). Occurred 1 times. (2005-12-23 07:18:39)
> 
> We have nothing running on port 16 and haven't found any covert 
> channels running on port 16.

My guess is it's a resource exhaustion attack against the firewall. Port
16 has been chosen because it really does not matter. It's more about chewing
up memory on the stateful inspection firewall. 

A former student of mine wrote this up a while ago:
http://digital.net/~gandalf/Rose_Frag_Attack_Explained.htm

Problem is vendors have done very little and the attack is still valid.
In testing I've performed I've been able to get PIX to drop legitimate
fragments using a technique similar to the one described in the paper.
I've been able to get Netscreen firewalls to drop even non-fragmented
traffic and FW-1 to run about 30% higher in CPU.

So watch your levels and watch your drops (at the Ethernet level) to see if
this attack is whacking legitimate traffic. If it does, this can be resolved
by running something like Netfilter or pf in front of your main firewall. If
address space is an issue, run them in bridging mode.

HTH,
Chris


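Following Chris's advice to watch levels and drops, a small detector over the NetScreen-style "Fragmented traffic!" alerts quoted above. This is an added example, not code from the thread: the log lines are constructed (documentation-range addresses, the alert format copied from the post), and the threshold of five fragments per source is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Pattern for the NetScreen "Fragmented traffic!" alert format quoted in the thread.
ALERT_RE = re.compile(
    r"Fragmented traffic! From (?P<src>[\w.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\w.]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>\w+), int (?P<iface>\w+)\)\. "
    r"Occurred (?P<count>\d+) times\. \((?P<ts>[\d-]+ [\d:]+)\)"
)

# Constructed sample log lines in that format (not real traffic).
SAMPLE_LOG = [
    "[Root]system-critical-00440: Fragmented traffic! From 192.0.2.10:20864 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 1 times. (2005-12-23 07:18:39)",
    "[Root]system-critical-00440: Fragmented traffic! From 192.0.2.10:20865 to DNSSERVER:16, proto UDP (zone Untrust, int ethernet1). Occurred 4 times. (2005-12-23 07:18:40)",
    "[Root]system-critical-00440: Fragmented traffic! From 192.0.2.10:20866 to DNSSERVER:25, proto UDP (zone Untrust, int ethernet1). Occurred 3 times. (2005-12-23 07:18:41)",
    "[Root]system-critical-00440: Fragmented traffic! From 198.51.100.7:53 to DNSSERVER:53, proto UDP (zone Untrust, int ethernet1). Occurred 1 times. (2005-12-23 07:19:02)",
    "[Root]system-notification-00257: some unrelated event",
]

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fragment alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    fields["count"] = int(fields["count"])
    return fields

def fragment_sources(lines, threshold=5):
    """Sum fragment alerts per source and report those at or above threshold.

    Each result also records the distinct destination ports seen, because the
    thread's point is that the port is arbitrary: one source spraying fragments
    at several closed ports is the pattern to look for, not port 16 as such.
    """
    totals = Counter()
    dports = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        totals[a["src"]] += a["count"]
        dports[a["src"]].add(a["dport"])
    return {
        src: {"fragments": n, "dports": sorted(dports[src])}
        for src, n in totals.items() if n >= threshold
    }

if __name__ == "__main__":
    for src, info in fragment_sources(SAMPLE_LOG).items():
        print(src, info)
```

Fragment alert counts alone do not show whether the firewall is shedding legitimate traffic; that still needs the Ethernet-level drop counters Chris mentions, compared against a baseline.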



