[unisog] DoS activity: Rapid IP spoofing and TCP port 5999 dest?

Tracey Losco tal1 at its.nyu.edu
Wed Oct 29 17:52:55 GMT 2003


We also experienced a similar incident on our ResNet network last 
night.  Our machine appeared to be targeting a machine in Portugal. 
Once I have more information, I'll send it out to the list.

Tracey

--------------------------------------------------------------------
Tracey Losco
Network Security Analyst		security at nyu.edu
ITS - Network Services		http://www.nyu.edu/its/security
New York University			(212) 998 - 3433

PGP Fingerprint: 8FFB FE47 6156 7BF0  B19E 462B 9DFE 51F5

At 8:32 PM -0500 10/28/03, Clarke Morledge wrote:
>We experienced a really weird Denial of Service attack today.
>
>Four systems across our campus at the same time (between 1:00 and 1:30 PM
>EST) started to send tons of TCP SYN packets to a single IP destination
>address.  However, all of the sources were spoofed IPs belonging to
>networks different from ours.  We were seeing packets being generated at
>about 7000 per second.  The generation of the spoofed IPs appeared to be
>random.
>
>In this particular case, the destination IP was 69.50.166.41, and most of
>the traffic was directed towards TCP 5999.  But we did see some traffic
>going towards a variety of other high number ports, notably 6667,
>presumably an IRC channel?
>
>Unfortunately, this created a DoS on our flow-based routers since the CPU
>overhead required to keep up with creating new flows (and tearing down old
>ones) effectively wiped out our routers.
>
>We blocked the destination IP at our campus edge from sending any packets
>in, and we had to apply anti-spoofing measures at each of our interior
>routed interfaces to minimize the DoS (we normally only employ
>anti-spoofing measures at the campus edge).  We knocked the systems off of
>the net, but we are still chasing down the machines to get a look at what
>is on them.
>
>Then a few hours later, we noticed another DoS attack in the same style.
>However, a different destination IP was involved with different locally
>infected systems.  Same destination port range, same IP spoofing, etc. 
>Unfortunately, the attack only lasted a few minutes before it disappeared.
>
>We have not been able to identify the trigger for the DoS.  Any insight
>from others would be greatly appreciated.   I cannot figure out if the
>DoS we saw was simply an end in and of itself, or if it was meant to be
>a cloak for something else.
>
>I have included a sample tcpdump output involving one infected system
>below....
>
>
>Clarke Morledge
>College of William and Mary
>Information Technology - Network Engineering
>Jones Hall (Room 18)
>Williamsburg VA 23187
>757-221-1536
>chmorl at wm.edu
>
>
>----------------------------------------------------------------------
>
>15:43:49.861912 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 219.188.116.173.1240 > 69.50.166.41.5999: S 783810560:783810560(0) win 16384
>15:43:49.861949 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.50.146.111.1862 > 69.50.166.41.6667: S 803864576:803864576(0) win 16384
>15:43:49.862004 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.164.18.3.1990 > 69.50.166.41.5999: S 1158348800:1158348800(0) win 16384
>15:43:49.862058 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 241.253.233.86.1999 > 69.50.166.41.7955: S 721027072:721027072(0) win 16384
>15:43:49.862167 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 29.116.248.238.1822 > 69.50.166.41.6283: S 1406926848:1406926848(0) win 16384
>15:43:49.862170 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 188.168.132.76.1027 > 69.50.166.41.5999: S 1788280832:1788280832(0) win 16384
>15:43:49.862276 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 47.186.163.58.1199 > 69.50.166.41.6667: S 1542848512:1542848512(0) win 16384
>15:43:49.862284 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 114.40.118.84.1914 > 69.50.166.41.5999: S 1717698560:1717698560(0) win 16384
>15:43:49.862387 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 190.87.44.124.1725 > 69.50.166.41.8383: S 1784217600:1784217600(0) win 16384
>15:43:49.862391 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 12.239.211.207.1004 > 69.50.166.41.2989: S 1817378816:1817378816(0) win 16384
>15:43:49.862442 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 38.228.236.123.1045 > 69.50.166.41.5999: S 1818361856:1818361856(0) win 16384
>15:43:49.862500 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 157.95.216.150.1899 > 69.50.166.41.6667: S 734199808:734199808(0) win 16384
>15:43:49.862550 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 173.236.28.111.1427 > 69.50.166.41.5999: S 2047672320:2047672320(0) win 16384
>15:43:49.862605 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 173.226.162.197.1072 > 69.50.166.41.8918: S 307560448:307560448(0) win 16384
>15:43:49.862669 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 21.196.228.91.1055 > 69.50.166.41.4614: S 561250304:561250304(0) win 16384
>15:43:49.862723 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 238.127.176.224.1032 > 69.50.166.41.5999: S 934739968:934739968(0) win 16384
>15:43:49.862777 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 57.36.75.35.1502 > 69.50.166.41.6667: S 1140391936:1140391936(0) win 16384
>15:43:49.862830 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 181.240.254.57.1234 > 69.50.166.41.5999: S 720502784:720502784(0) win 16384
>15:43:49.862885 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 208.230.198.187.1174 > 69.50.166.41.2843: S 913965056:913965056(0) win 16384
>15:43:49.862937 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 209.201.54.0.1160 > 69.50.166.41.2501: S 575930368:575930368(0) win 16384
>15:43:49.863013 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 242.165.72.64.1031 > 69.50.166.41.5999: S 880148480:880148480(0) win 16384
>15:43:49.863051 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 17.150.170.126.1909 > 69.50.166.41.6667: S 1183514624:1183514624(0) win 16384
>15:43:49.863102 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 17.234.157.120.1970 > 69.50.166.41.5999: S 1259732992:1259732992(0) win 16384
>15:43:49.863155 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 143.22.162.152.1212 > 69.50.166.41.5757: S 1695023104:1695023104(0) win 16384
>15:43:49.863207 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 166.30.197.105.1819 > 69.50.166.41.8691: S 364511232:364511232(0) win 16384
>15:43:49.863261 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 33.58.93.205.1451 > 69.50.166.41.5999: S 83427328:83427328(0) win 16384
>15:43:49.865017 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 51.28.238.149.1590 > 69.50.166.41.6667: S 740163584:740163584(0) win 16384





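The pattern Clarke describes (one local host pushing thousands of SYNs per second to a single destination, every source address spoofed at random, most of the traffic on TCP 5999 with some on 6667 and other high ports) is invisible if you key on the IP source field, because that field never repeats. It is easy to see if you key on the sending MAC instead, which is what the link-level tcpdump output above already exposes. The following is an added example, not code from the thread or from either university: a Python script that parses `tcpdump -e` lines in the format quoted above and flags any MAC whose SYNs carry non-local, non-repeating source addresses. The local prefix 10.0.0.0/8, the benign MAC 0:a:95:1:2:3 and the sample lines are constructed for this example; six of the sample lines reuse addresses from Clarke's capture.

```python
"""Flag a local host emitting a randomly spoofed SYN flood, from tcpdump -e output.

Added example; not code from the unisog thread. SYNs are grouped by source MAC,
since the IP source field is useless when it is spoofed at random.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the campus address space. Replace with your own prefixes.
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

# Old-style `tcpdump -e` line, as quoted in the thread:
#   time smac dmac ethertype length: sip.sport > dip.dport: FLAGS ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<smac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<dmac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\s+"
    r"(?P<etype>[0-9a-f]{4})\s+(?P<length>\d+):\s+"
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)"
)

# Constructed sample capture: six SYNs reuse addresses from Clarke's capture
# (flooding MAC 0:6:5b:1e:a0:f6); the last three lines are a made-up benign
# host on the local prefix and an ARP frame that the parser must ignore.
SAMPLE_LINES = """\
15:43:49.861912 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 219.188.116.173.1240 > 69.50.166.41.5999: S 783810560:783810560(0) win 16384
15:43:49.861949 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 179.50.146.111.1862 > 69.50.166.41.6667: S 803864576:803864576(0) win 16384
15:43:49.862058 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 241.253.233.86.1999 > 69.50.166.41.7955: S 721027072:721027072(0) win 16384
15:43:49.862170 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 188.168.132.76.1027 > 69.50.166.41.5999: S 1788280832:1788280832(0) win 16384
15:43:49.862276 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 47.186.163.58.1199 > 69.50.166.41.6667: S 1542848512:1542848512(0) win 16384
15:43:49.862284 0:6:5b:1e:a0:f6 0:e0:63:4:ca:0 0800 60: 114.40.118.84.1914 > 69.50.166.41.5999: S 1717698560:1717698560(0) win 16384
15:43:50.100000 0:a:95:1:2:3 0:e0:63:4:ca:0 0800 60: 10.1.2.3.3456 > 69.50.166.41.80: S 1:1(0) win 65535
15:43:50.200000 0:a:95:1:2:3 0:e0:63:4:ca:0 0800 60: 10.1.2.3.3456 > 69.50.166.41.80: . ack 1 win 65535
15:43:50.300000 0:a:95:1:2:3 ff:ff:ff:ff:ff:ff 0806 42: arp who-has 10.1.2.1 tell 10.1.2.3
""".splitlines()


def parse_line(line):
    """Return a dict for one TCP line of tcpdump -e output, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["syn"] = "S" in rec["flags"]
    return rec


def is_local(ip, prefixes=LOCAL_PREFIXES):
    """True when the address falls inside one of the prefixes we are allowed to source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def analyze(lines, prefixes=LOCAL_PREFIXES):
    """Per sending MAC: SYN count, distinct source IPs, non-local sources, destinations."""
    per_mac = defaultdict(lambda: {"syns": 0, "srcs": set(), "spoofed": 0,
                                   "dports": Counter(), "dsts": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue
        s = per_mac[rec["smac"]]
        s["syns"] += 1
        s["srcs"].add(rec["sip"])
        if not is_local(rec["sip"], prefixes):
            s["spoofed"] += 1
        s["dports"][rec["dport"]] += 1
        s["dsts"][rec["dip"]] += 1
    return per_mac


def flag_spoofers(per_mac, min_syns=5, min_spoofed_ratio=0.9, min_distinct_ratio=0.9):
    """A MAC is a spoofing flood source when nearly every SYN it sends carries a
    non-local source address and those addresses almost never repeat."""
    flagged = []
    for mac, s in per_mac.items():
        if s["syns"] < min_syns:
            continue
        spoofed_ratio = s["spoofed"] / s["syns"]
        distinct_ratio = len(s["srcs"]) / s["syns"]
        if spoofed_ratio >= min_spoofed_ratio and distinct_ratio >= min_distinct_ratio:
            flagged.append({
                "mac": mac,
                "syns": s["syns"],
                "distinct_sources": len(s["srcs"]),
                "top_dst": s["dsts"].most_common(1)[0][0],
                "top_dport": s["dports"].most_common(1)[0][0],
            })
    return flagged


if __name__ == "__main__":
    for r in flag_spoofers(analyze(SAMPLE_LINES)):
        print(f"{r['mac']}: {r['syns']} SYNs from {r['distinct_sources']} sources "
              f"-> {r['top_dst']} (top port {r['top_dport']})")
```

The prefix list behind `is_local` is exactly what an anti-spoofing ingress filter on each interior routed interface would permit; Clarke's point is that such a filter normally lived only at the campus edge, so an interior host sourcing random addresses was free to push 7000 packets per second through the flow-based routers before anything dropped them. Running this kind of per-MAC count on a span port gives you the infected machine and the MAC to trace to a switch port, which the spoofed IP source never will.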