[unisog] 'bot file servers?

Johannes Ullrich jullrich at sans.org
Wed Apr 30 22:26:23 GMT 2003


Kind of sounds like a possible DDOS net. Essentially the
ICMP packet just triggers a specific packet flood.

Any packet traces? In particular the ICMP packet that
initiates this? Is the source of the ICMP packet always
the target of the UDP stream?

The ICMP packet could be spoofed, or it could come in
response to a spoofed request. In particular, as ICMP
errors usually include the packet content, this is a
nice way to bounce a covert channel.



On Wed, 2003-04-30 at 16:47, Jane DelFavero wrote:
> Hi all,
> 
> We have come up against network behavior that I haven't encountered 
> before, and I'd like to hear from anyone who has. We have a couple of 
> machines which are pumping out large volumes of data, but it's not 
> the normal P2P junk, or IRC, as far as we can see. There's an ICMP 
> packet from a remote host, followed by a very large data transfer 
> (about the size of an .avi movie file) via UDP back to that remote 
> site.
> 
> Is this a trojan or backdoor (or other application) that anyone's seen before?
> 
> Thanks, Jane
-- 
--------------------------------------------------------------
SANS Internet Storm Center
http://isc.sans.org

This e-mail should be digitally signed. Some e-mail readers will
show the signature as an unidentified attachment. Please install
PGP (or GnuPG) to verify the signature.  
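One way to check the pattern asked about above (does the ICMP source always end up as the target of the UDP stream?) against flow records, added here as an example that is not part of the thread; the flow records, addresses, window and byte threshold are all constructed for illustration:

```python
from collections import namedtuple

# Constructed flow records: timestamp (s), protocol, source, destination, bytes.
# 10.0.0.5 is the local host; 198.51.100.7 sends an ICMP packet and then
# receives a very large UDP stream back, which is the behaviour in the report.
Flow = namedtuple("Flow", "ts proto src dst nbytes")

SAMPLE_FLOWS = [
    Flow(0.0,  "icmp", "198.51.100.7", "10.0.0.5", 84),
    Flow(1.2,  "udp",  "10.0.0.5", "198.51.100.7", 60_000_000),
    Flow(2.0,  "udp",  "10.0.0.5", "203.0.113.9", 1_500),      # unrelated small UDP
    Flow(3.0,  "icmp", "203.0.113.9", "10.0.0.5", 84),          # ICMP with no stream after it
    Flow(30.0, "udp",  "10.0.0.5", "198.51.100.7", 20_000_000),
    Flow(120.0, "udp", "10.0.0.5", "198.51.100.7", 5_000_000),  # outside the window
]


def find_icmp_triggered_udp(flows, window=60.0, min_bytes=10_000_000):
    """Correlate each inbound ICMP packet with the outbound UDP volume sent
    from the ICMP destination back to the ICMP source within `window` seconds.
    Returns (local_host, remote_host, icmp_ts, udp_bytes) for every trigger
    followed by at least `min_bytes` of UDP to the same remote host."""
    flows = sorted(flows, key=lambda f: f.ts)
    alerts = []
    for i, f in enumerate(flows):
        if f.proto != "icmp":
            continue
        local, remote, t0 = f.dst, f.src, f.ts
        total = sum(
            g.nbytes for g in flows[i + 1:]
            if g.proto == "udp" and g.src == local and g.dst == remote
            and t0 < g.ts <= t0 + window
        )
        if total >= min_bytes:
            alerts.append((local, remote, t0, total))
    return alerts


def icmp_source_is_udp_target(flows, **kw):
    """True when every large outbound UDP stream is preceded by an ICMP packet
    from its destination, i.e. the ICMP source is always the UDP target."""
    triggered = {(a[0], a[1]) for a in find_icmp_triggered_udp(flows, **kw)}
    big_udp = {(g.src, g.dst) for g in flows
               if g.proto == "udp" and g.nbytes >= kw.get("min_bytes", 10_000_000)}
    return big_udp <= triggered


if __name__ == "__main__":
    for local, remote, ts, total in find_icmp_triggered_udp(SAMPLE_FLOWS):
        print(f"{local} -> {remote}: {total} UDP bytes within 60s of ICMP at t={ts}")
```

A real run would feed NetFlow or a packet-capture summary into the same functions instead of the constructed list.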