Perry,
Here are some logs of slightly different format that show the same attack
Todd writes about:
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=49
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=48
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 199.199.125.28 L=119 S=0xC0 I=63767 F=0x0000 T=64
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=57
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=56
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 165.113.1.73 L=118 S=0xC0 I=63769 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=245
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=244
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 166.93.1.3 L=118 S=0xC0 I=63770 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=20
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 198.81.19.238:4569 209.115.17.66:53 L=59 S=0x00 I=34977 F=0x0000 T=19
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 198.81.19.238 L=121 S=0xC0 I=63771 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=247
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 128.112.129.15:56224 209.115.17.66:53 L=58 S=0x00 I=50842 F=0x0040 T=246
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 128.112.129.15 L=120 S=0xC0 I=63772 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=53
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=52
The thing that makes it "interesting" is the fact that most implementations
DO send an ICMP unreach back. The ICMP Unreach traffic alone generated in
the neighborhood of 1.7Mb before they routed the netblock in question to a
loopback interface on the 7507. The attacker was sending less than 300Kb
of traffic and consuming 2Mb.
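One way to put numbers on the effect described in the message above, as an added example that is not part of the original post and not code from its author: a small Python parser for these kernel "IP acct" lines that pairs each inbound UDP probe to port 53 with the copy forwarded out the other interface and with the ICMP type 3 (unreachable) the router sends back to the probe's source, then reports bytes leaving per byte arriving. The sample is a constructed subset of the post's own lines rejoined into single records; the function names, the 50% unreachable-rate threshold and the three-source minimum in looks_like_reflected_probe are my assumptions, not anything from the post.

```python
"""Measure what each inbound UDP probe costs a router that answers with ICMP
unreachables.  Added example; parses the Linux "IP acct" line format quoted
in the post.  Thresholds and names below are assumptions, not from the post."""
import re
from collections import defaultdict

# One accounting record: timestamp, host, direction, interface, protocol
# (ICMP carries its type as ICMP/<n>), src, dst, length, TOS, IP id, flags, TTL.
ACCT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: IP acct "
    r"(?P<dir>in|out) (?P<iface>\S+) (?P<proto>UDP|TCP|ICMP(?:/\d+)?) "
    r"(?P<src>\S+) (?P<dst>\S+) L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ "
    r"I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)$"
)


def parse_line(line):
    """Return a dict for one accounting line, or None if it is not one."""
    m = ACCT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    rec["ttl"] = int(rec["ttl"])
    # UDP/TCP endpoints are ip:port; ICMP endpoints are bare addresses.
    for side in ("src", "dst"):
        ip, _, port = rec[side].partition(":")
        rec[side + "_ip"] = ip
        rec[side + "_port"] = int(port) if port else None
    return rec


def analyze(lines, target_port=53):
    """Aggregate inbound UDP probes to target_port and the traffic they trigger.

    Each probe costs the router its own length on the inbound interface, its
    length again when it is forwarded out, and the length of the ICMP type 3
    the router emits back to the probe's (possibly spoofed) source address.
    """
    stats = {
        "probes": 0, "bytes_in": 0, "bytes_forwarded": 0,
        "unreach": 0, "bytes_unreach": 0,
        "sources": set(), "targets": set(),
    }
    pending = defaultdict(int)  # probes per source IP still awaiting an ICMP/3
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "UDP" and rec["dst_port"] == target_port:
            if rec["dir"] == "in":
                stats["probes"] += 1
                stats["bytes_in"] += rec["len"]
                stats["sources"].add(rec["src_ip"])
                stats["targets"].add(rec["dst_ip"])
                pending[rec["src_ip"]] += 1
            else:
                stats["bytes_forwarded"] += rec["len"]
        elif rec["proto"] == "ICMP/3" and rec["dir"] == "out":
            # The unreachable goes to the probe's source; pair it with a pending probe.
            if pending[rec["dst_ip"]] > 0:
                pending[rec["dst_ip"]] -= 1
                stats["unreach"] += 1
                stats["bytes_unreach"] += rec["len"]
    bytes_out = stats["bytes_forwarded"] + stats["bytes_unreach"]
    stats["amplification"] = bytes_out / stats["bytes_in"] if stats["bytes_in"] else 0.0
    stats["unreach_rate"] = stats["unreach"] / stats["probes"] if stats["probes"] else 0.0
    return stats


def looks_like_reflected_probe(stats, min_sources=3):
    """Assumed heuristic for the pattern in the post: many distinct sources,
    most probes answered with an unreachable, more bytes leaving than arriving."""
    return (len(stats["sources"]) >= min_sources
            and stats["unreach_rate"] >= 0.5
            and stats["amplification"] > 1.0)


# Constructed sample: a subset of the post's log lines rejoined into single records.
SAMPLE = """\
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=49
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 199.199.125.28:53 209.115.17.67:53 L=57 S=0x00 I=47916 F=0x0000 T=48
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 199.199.125.28 L=119 S=0xC0 I=63767 F=0x0000 T=64
Jun 3 17:02:47 eth0-core0 kernel: IP acct in eth0 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=57
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth2 UDP 165.113.1.73:53 209.115.17.66:53 L=56 S=0x00 I=25895 F=0x0000 T=56
Jun 3 17:02:47 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 165.113.1.73 L=118 S=0xC0 I=63769 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=245
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 166.93.1.3:63098 209.115.17.66:53 L=56 S=0x00 I=44767 F=0x0040 T=244
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth0 ICMP/3 209.115.17.65 166.93.1.3 L=118 S=0xC0 I=63770 F=0x0000 T=64
Jun 3 17:02:48 eth0-core0 kernel: IP acct in eth0 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=53
Jun 3 17:02:48 eth0-core0 kernel: IP acct out eth2 UDP 158.152.1.81:53 209.115.17.67:53 L=56 S=0x00 I=21310 F=0x0000 T=52
"""

if __name__ == "__main__":
    s = analyze(SAMPLE.splitlines())
    print(f"{s['probes']} probes from {len(s['sources'])} sources, "
          f"{s['unreach']} unreachables, {s['amplification']:.2f} bytes out per byte in")
    print("reflected-probe pattern:", looks_like_reflected_probe(s))
```

On the sample, every inbound probe is forwarded once and three of the four draw an ICMP type 3 that is roughly twice the probe's size, so the router emits about 2.6 bytes for every byte the prober sends; the last probe has no matching unreachable in the sample, which is why the unreachable rate is counted rather than assumed to be 100%.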