Denial of service in mibiisa? Possible "newsmurf"?
Erik Parker (netmask 303.ORG)
Mon, 16 Nov 1998 14:25:11 -0600
Today one of our networks was almost destroyed by an attack which appeared to affect SNMP and was machine specific. Packets came into one of our machines and dropped the network. We called our upstream, and they told us that 100% of our T3 was filled. On an average day we use maybe 15M, but it was maxing it to 45.

After not being able to get any response from the machine, and unplugging the ethernet, we could log in via console, and noticed "mibiisa" was running using 98% CPU usage. We run the command with "mibiisa -p 32811".

Our upstream thought it was a smurf; however, a smurf wouldn't have attacked just SNMP. From just the small amount of logs that they sent us, there were 203 unique hosts that sent the attack. Logs looking like this:

    Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted tcp 1.1.1.1(0) -> 0.0.0.0(0), 1 packet

I had heard that there were alterations of the "smurf" attack, but could this be one of them?

Erik Parker
netmask303.org
IDC NetOps
http://www.303.org/
ICQ # 9780056
talk netmask spiff.idir.net