[unisog] 'bot file servers?

Pete Hickey pete at shadows.uottawa.ca
Thu May 1 00:19:34 GMT 2003


We saw something like this a few years ago.  It was a DDOS thing.
If I remember, the machines would receive ICMP Echo replies
without having sent an ICMP echo (ping).

In our case, the "data" portion of the ICMP packet
contained the instructions on who to attack.  It found
its subnet, and sent the attack from random addresses
from the subnet.  The attack would only last for 5-10
minutes.  It wasn't easy to determine the machines from
which the attack originated.

This one seems similar, yet different.  If the ICMP packet
is an echo-reply, and it sends the data to the machine
sending it, all someone has to do to initiate the attack
is to send pings with a forged source to the victim
machine.


On Wed, Apr 30, 2003 at 06:26:23PM -0400, Johannes Ullrich wrote:
> 
> Kind of sounds like a possible DDOS net. Essentially the
> ICMP packet just triggers a specific packet flood.
> 
> Any packet traces? In particular the ICMP packet that
> initiates this? Is the source of the ICMP packet always
> the target of the UDP stream?
> 
> The ICMP packet could be spoofed, or it could come in
> response to a spoofed request. In particular as ICMP
> errors usually include the packet content, this is a
> nice way to bounce a covert channel.
> 
> 
> 
> On Wed, 2003-04-30 at 16:47, Jane DelFavero wrote:
> > Hi all,
> > 
> > We have come up against network behavior that I haven't encountered 
> > before, and I'd like to hear from anyone who has. We have a couple of 
> > machines which are pumping out large volumes of data, but it's not 
> > the normal P2P junk, or IRC, as far as we can see. There's an ICMP 
> > packet from a remote host, followed by a very large data transfer 
> > (about the size of an .avi movie file) via UDP back to that remote 
> > site.
> > 
> > Is this a trojan or backdoor (or other application) that anyone's seen before?
> > 
> > Thanks, Jane
> -- 
> --------------------------------------------------------------
> SANS Internet Storm Center
> http://isc.sans.org
> 
> This e-mail should be digitally signed. Some e-mail readers will
> show the signature as an unidentified attachment. Please install
> PGP (or GnuPG) to verify the signature.  
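Added example, not part of the unisog thread: a defender-side check for the pattern both posters describe, written as a small Python script over flow records. It flags a local host that receives an ICMP echo reply it never solicited (no outbound echo request to that peer beforehand) and then, within a window, pushes a large volume of UDP back to the sender of that reply, which also answers Johannes's question of whether the ICMP source is the target of the UDP stream. The flow-record layout, the local /24 prefix, the 50 MB threshold, the 10-minute window and the sample flows are all constructed assumptions for this illustration.

```python
"""Detect 'unsolicited ICMP echo reply, then large UDP transfer back to its
sender'. Illustration only; flow layout, thresholds and data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    ts: float                  # seconds (constructed timestamps)
    src: str
    dst: str
    proto: str                 # "icmp" or "udp"
    icmp_type: Optional[int]   # 8 = echo request, 0 = echo reply, None for UDP
    nbytes: int

LOCAL_NET = "10.1.2."          # assumed local /24, matched by string prefix

def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_NET)

def _scan(flows, window):
    """Single pass in time order. Returns (triggers, udp_out) where
    triggers maps (local, remote) -> time of an unsolicited echo reply and
    udp_out maps the same key -> UDP bytes local sent to remote inside window."""
    sent_requests = set()      # (local, remote) pairs where local pinged remote
    triggers = {}
    udp_out = defaultdict(int)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto == "icmp" and f.icmp_type == 8 and is_local(f.src):
            sent_requests.add((f.src, f.dst))
        elif f.proto == "icmp" and f.icmp_type == 0 and is_local(f.dst):
            key = (f.dst, f.src)
            if key not in sent_requests:       # reply with no matching request
                triggers[key] = f.ts
        elif f.proto == "udp" and is_local(f.src):
            key = (f.src, f.dst)
            t0 = triggers.get(key)
            if t0 is not None and 0 <= f.ts - t0 <= window:
                udp_out[key] += f.nbytes
    return triggers, udp_out

def find_unsolicited_replies(flows, window=600):
    """(local, remote, ts) for every echo reply that no local request explains."""
    triggers, _ = _scan(flows, window)
    return sorted((loc, rem, ts) for (loc, rem), ts in triggers.items())

def find_suspects(flows, window=600, min_udp_bytes=50_000_000):
    """(local, remote, udp_bytes) where an unsolicited reply from remote was
    followed within `window` seconds by >= min_udp_bytes of UDP back to it."""
    _, udp_out = _scan(flows, window)
    return sorted((loc, rem, n) for (loc, rem), n in udp_out.items()
                  if n >= min_udp_bytes)

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Host A: unsolicited echo reply, then ~60 MB of UDP back to the sender.
    Flow(100.0, "203.0.113.9", "10.1.2.5", "icmp", 0, 84),
    *[Flow(101.0 + i, "10.1.2.5", "203.0.113.9", "udp", None, 1_000_000)
      for i in range(60)],
    # Host B: ordinary ping exchange followed by a big transfer (solicited).
    Flow(50.0, "10.1.2.6", "198.51.100.7", "icmp", 8, 84),
    Flow(50.1, "198.51.100.7", "10.1.2.6", "icmp", 0, 84),
    *[Flow(51.0 + i, "10.1.2.6", "198.51.100.7", "udp", None, 1_000_000)
      for i in range(60)],
    # Host C: unsolicited reply but only 1 MB of UDP afterwards (below threshold).
    Flow(200.0, "192.0.2.44", "10.1.2.7", "icmp", 0, 84),
    Flow(201.0, "10.1.2.7", "192.0.2.44", "udp", None, 1_000_000),
]

if __name__ == "__main__":
    for loc, rem, ts in find_unsolicited_replies(SAMPLE_FLOWS):
        print(f"unsolicited echo reply {rem} -> {loc} at t={ts}")
    for loc, rem, n in find_suspects(SAMPLE_FLOWS):
        print(f"SUSPECT {loc}: {n} UDP bytes to {rem} after its echo reply")
```

Host B is deliberately left out of the suspect list: it pinged the peer first, so the reply is solicited even though the UDP volume is the same. If the real traces show the trigger arriving as some other ICMP type, the `icmp_type == 0` test is the one line to adjust.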
