North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
- From: Todd R. Stroup
- Date: Wed Jun 03 23:55:49 1998
Thanks for all of your responses... but
1) I don't really need the consultants replys saying that you will fix my
problems for $100/hour.
2) This isn't the BIND 8.x.x problem for getting root. For this reason :
ip address 18.104.22.168 255.255.255.224
ip access-group 113 out
Its rather difficult to get BIND to run on a Cisco 7507, although some
people probably have tried to get it to work.
We are viewing this from a cisco router with an access-list that
basically looks like this :
access-list 113 permit ip any any log
Example of the udp port 0 attack :
list 113 permitted udp 22.214.171.124(0) -> 126.96.36.199(0), 1 packet
list 113 permitted udp 188.8.131.52(0) -> 184.108.40.206(0), 1 packet
list 113 permitted udp 220.127.116.11(0) -> 18.104.22.168(0), 1 packet
list 113 permitted udp 22.214.171.124(0) -> 126.96.36.199(0), 1 packet
Example of the DNS (53) attack :
list 113 permitted udp 188.8.131.52(53) -> 184.108.40.206(53), 121 packets
list 113 permitted udp 220.127.116.11(53) -> 18.104.22.168(53), 1 packet
list 113 permitted udp 22.214.171.124(53) -> 126.96.36.199(53), 2 packets
list 113 permitted udp 188.8.131.52(53) -> 184.108.40.206(53), 91 packets
An interesting thing to note is who ever programed this attack used the
same IP addresses in a round robin type fashion for both (or maybe it is
just selectable in the DoS, who knows).
Todd R. Stroup
Fiber Network Solutions, Inc.
> From: Todd R. Stroup [mailto:tstroup@FNSI.NET]
> Sent: Wednesday, June 03, 1998 3:53 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Attack/DoS
> Don't know if it is just me. But over the last 10 hours we have been
> seeing attacks on port 0 from port 0 (both tcp and udp) on several clients
> networks. I have also seen the same attack on port udp 53(DNS).
> Anyone have any information on this?
> Todd R. Stroup
> Fiber Network Solutions, Inc.
> > ---------- Forwarded message ----------
> > Date: Mon, 1 Jun 1998 21:58:17 -0500
> > From: "J.A. Terranson" <sysadmin@MFN.ORG>
> > To: BUGTRAQ@NETSPACE.ORG
> > Subject: (Admittedly Premature) Exploit (?) Warning.
> > While I realize that this issue may not yet be "ripe", as I the folks involved
> > (myself and at least three other sites) have not yet firmly established just
> > *exactly* what is going on here, but...
> > There appears to be some kind of exploit making the rounds that utilizes
> > TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143. These
> > packet traces are right now available only as historical log entries that are
> > *loosely* associated with 2 successful "root" attacks against IMAP enabled
> > servers, an unsuccessful attack against another (ours), and the possible
> > compromise of another.
> > In short, I dont know a lot, other than in the course of reviewing my
> > daily logs, I saw a couple of freaky packets (above) addressed to my
> > nameservers (both of them). They were rejected and logged at the routers,
> > however, as a common courtesy, we notified the admin of the "sending"
> > machine that they had a sick box. As it developed, this person had
> > recieved other emails regarding this from other admins, 2 of which had
> > suffered the successful attacks mentioned above - all of us seeing the
> > originating machine as the same box. It is unknown if the source address was spoofed.
> > Basically, I think this is just a "common-cause" warning to look out
> > for weird packets of this nature, and to take notice if you see any.
> > Rather than keep a running blow-by-blow going on the various lists,
> > please address anything regarding this to me directly...
> > Thanks
> > J.A. Terranson
> > email@example.com