Subject: Re: 85.85.85.85 weirdness
From: Corbin Siddall (Csiddall AREAWIDENET.COM)
Date: Wed Jul 19 2000 - 09:02:50 CDT
- Next message: Jason Lewis: "Re: Sudden increase in scans."
- Previous message: Jason Spence: "DDoSed"
- Maybe in reply to: Wozz: "85.85.85.85 weirdness"
- Next in thread: David Meissner: "Re: 85.85.85.85 weirdness"
- Maybe reply: Corbin Siddall: "Re: 85.85.85.85 weirdness"
I have seen the LAND 85.85.85.85 attacks on our network a few months back. We were having a problem with one of our routers at the same time. When I swapped out the router, NFR no longer picked up those messages.
-------------------------------------------------------------
Corbin B. Siddall, MCSE, CCNA, CCDA, CCA
Senior Network Engineer
Area-Wide Networking Technologies, INC.
"Let the Ring of Excellence keep your 'Net' working!"
Web: http://www.areawidenet.com
Phone: 217.359.8041
FAX: 217.359.8113
>>> Wozz <wozz+incidents wookie.net> 07/18/00 08:37PM >>>
Anyone have any idea what I might be seeing here? I just turned up an NFR
probe at Exodus in DC, and I'm seeing all sorts of traffic as follows
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 1
Src Port: 0
DST Port: 0
ICMP Type: 85
ICMP Code: 85
Packet:
E\\x00\\x008\\x80\\x1e\\x00\\x00\\x01\\x01UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
I also get occasional variations as follows
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 6
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\\x00\\x02`\\xc6\\x01
\\x00\\xff\\x06\\xd7\\xf6UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
and
NFR: dc-probefe
Source: 85.85.85.85
Destination: 85.85.85.85
Type of attack: Land
Protocol: 17
Src Port: 21845
DST Port: 21845
ICMP Type: 0
ICMP Code: 0
Packet:
E\\x00\\x00""\\xe1\\xd3\\x00\\x00
\\x11\\x12UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Count: 1
My probe is sitting in front of my firewall box, and when I do a tcpdump on
my firewall searching for any of these packets, nothing comes up. The only
thing I can figure is that this is some sort of weird packet that's being
misinterpreted by NFR. Perhaps some sort of ethernet broadcast being used
by Exodus's Foundry VLANs?
Just curious if anyone else has seen anything like this on an NFR system or
otherwise.
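A triage sketch for the alerts quoted above, added here as an example and not part of either poster's message or of NFR. It decodes an escaped packet dump, validates the IPv4 header checksum, and reports whether everything from the checksum field onward is a single repeated byte (85 decimal is 0x55, ASCII "U", and port 21845 is 0x5555). The function names are hypothetical. The sample is constructed from the first alert, written with single backslashes and with the run of "U" bytes set to 46 so that it matches the declared length of 56.

```python
import re
import socket
import struct

# Constructed sample based on the first alert's "Packet:" field (see lead-in).
DUMP = r"E\x00\x008\x80\x1e\x00\x00\x01\x01" + "U" * 46

def decode_dump(text):
    """Turn an escaped dump (\\xNN escapes plus literal characters) into bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  text.encode("latin-1"))

def header_checksum_ok(header):
    """RFC 791: the one's-complement sum of all header words must be 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def triage(dump):
    """Summarise the IPv4 header and flag a uniform fill pattern."""
    pkt = decode_dump(dump)
    if len(pkt) < 20:
        raise ValueError("dump is shorter than a minimal IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    tail = pkt[10:]  # checksum field, both addresses, and the payload
    return {
        "protocol": pkt[9],
        "declared_len": struct.unpack("!H", pkt[2:4])[0],
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "checksum_ok": header_checksum_ok(pkt[:ihl]),
        "fill_byte": tail[0] if len(set(tail)) == 1 else None,
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

A failed header checksum combined with one repeated byte from the checksum field onward is consistent with a corrupted or locally generated frame rather than traffic that was routed intact, since routers drop packets whose IP header checksum does not verify.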