
| Subject: | Re: Strange attack question - seems udp |
|---|---|
| Date: | Tue, 18 Oct 2005 14:21:05 +0300 |
Hello,
The source IP addresses belong to my clients (those with 86.104).
Is it possible for a service to do so much upload compared to download?
Carles Fragoso i Mariscal wrote:
Hi Mihai,
Mihai Tanasescu wrote:
21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp
After receiving many packets like these on 3-4 interfaces, the Cisco starts losing packets and acts abnormally.
What I find strange is that there is no port specified (src,dst) and
that the length of the packets is always 1500.
It seems to be fragmented traffic. Because the original IP packet payload is split into pieces, the layer-4 header (TCP, UDP) is only included in the first packet. That's the reason you can't see the ports on IP packets where the offset is different from 0.
Does the destination IP belong to the router/multilayer switch? Reassembly is done on the destination host, so fragments should only have an impact on the router/switch if it is acting as an end host. That could be a reason for poor performance.
---------------------------------------------------------------------
Carlos Fragoso Mariscal - Network & Security Engineer/Incident Handler
Anella Cientifica RREN Incident Response Team (ERIAC) AS13041 CFM1-RIPE
Communications and Operations Dept. - Supercomputing Center of Catalonia
CCNA CCNP* GSEC GCFW GCIH GREM GHTQ SSP-MPA
cfragoso@cesca.es phone: +34932056464 pgp: 0x0E4EDE07 inocdba: 13041*CFM
---------------------------------------------------------------------
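To make the fragmentation point concrete for anyone triaging a similar capture, here is an added Python example (not from either poster) that parses the tcpdump -v lines quoted above, groups fragments by (src, dst, IP id), and reports why no ports are visible: no offset-0 fragment was captured, so no layer-4 header was ever seen. It assumes a 20-byte IP header (no options) and the exact tcpdump output format shown in the post; the sixth, non-fragmented line in the sample is constructed.

```python
import re
from collections import defaultdict

# Matches the verbose tcpdump IP header format quoted in the post (assumed stable).
LINE_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-f]+, ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], length: (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\w+)"
)
IP_HDR = 20  # bytes; assumption: no IP options

# Five lines from the post plus one constructed, unfragmented datagram for contrast.
SAMPLE_LINES = [
    "21:00:52.941148 IP (tos 0x0, ttl 127, id 28639, offset 11840, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941271 IP (tos 0x0, ttl 127, id 28639, offset 13320, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941394 IP (tos 0x0, ttl 127, id 28639, offset 14800, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941517 IP (tos 0x0, ttl 127, id 28639, offset 16280, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:52.941640 IP (tos 0x0, ttl 127, id 28639, offset 17760, flags [+], length: 1500) 86.104.102.16 > 70.84.247.164: udp",
    "21:00:53.101010 IP (tos 0x0, ttl 127, id 28640, offset 0, flags [none], length: 60) 86.104.102.16.53 > 70.84.247.164.1025: UDP, length 32",  # constructed
]

def parse_line(line):
    """Return a dict of header fields, or None if the line is not tcpdump -v IP output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("ttl", "id", "offset", "len"):
        d[k] = int(d[k])
    d["more_fragments"] = "+" in d["flags"]          # tcpdump prints '+' for the MF bit
    d["is_fragment"] = d["offset"] != 0 or d["more_fragments"]
    d["has_l4_header"] = d["offset"] == 0             # only the first fragment carries ports
    return d

def summarize_fragments(lines):
    """Group fragments by (src, dst, id) and describe what a reassembling host would need."""
    groups = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p["is_fragment"]:
            groups[(p["src"], p["dst"], p["id"])].append(p)
    report = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        last = frags[-1]
        report[key] = {
            "fragments_seen": len(frags),
            "first_fragment_seen": any(f["has_l4_header"] for f in frags),
            "payload_per_fragment": {f["len"] - IP_HDR for f in frags},
            "min_datagram_bytes": last["offset"] + last["len"] - IP_HDR,  # lower bound on the original size
            "still_more": last["more_fragments"],   # MF set on the highest offset: the tail was not captured
        }
    return report
```

A group with `first_fragment_seen` false and a large `min_datagram_bytes` is exactly the pattern in the post: a reassembling host must buffer every fragment until the whole datagram (here at least 19240 bytes) arrives, which is why only an end host, not a transit router, should be paying that cost.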