From: Steve Gibson (bugtraq grc.com)
Date: Fri Feb 15 2002 - 13:30:40 CST
Dave,
> > Or RST for instance if the port is closed. Read : Spoofed Packet
>
>Right. Spoofing is what allows the reflection to work. The
>reflection is blindly done against any of a number of services
>believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a
>router, as in Steve's case). Some routers don't have all services
>running, so SYN RSTs are sent. Others do, so you only see SYN ACKs
>sent out.
I think there might be a bit more preparation going on than would be
evident from your characterization that "the reflection is blindly done."
My analysis of the attack revealed some RSTs among the SYN/ACKs, but those
RSTs were very few and far between, and they were not from the same IPs
as the SYN/ACKs.
So, it did not look as though a list of routers (probably easily gleaned
from traceroutes) was being sprayed with SYNs aimed at an array of
typical router services.
And, there were other non-router machines involved, such as a collection of
Yahoo.com web servers and even a machine whose IP resolved to
"gary7.nsa.gov" (gotta love that Star Trek reference. :)
My take on the attack/tool is that some deliberate collection of open TCP
ports on well-connected machines is being done in advance, and that list is
then used to drive a SYN spraying utility of some form.
Given the other replies here, it appears that one of the resulting lists
may be shared among multiple attackers.
In case you guys are curious, here's the list of 202 routers that were
flooding us from their BGP port 179 ...
______________________________________________________________________
Steve.
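The distinction the message draws, SYN/ACKs from reflectors' open ports (BGP 179 above) versus the rare RSTs from closed ones, both arriving without the victim ever having sent a SYN, is what a defender can key on. The following is an added example, not code from the post or from any tool it mentions: it walks a constructed packet log (documentation-range addresses, not the real reflectors) and separates solicited replies from unsolicited SYN/ACKs and RSTs, grouping the reflectors by the source port they answered from.

```python
"""Classify inbound TCP control packets as solicited or reflected.

Constructed example: the victim VICTIM opens one legitimate connection and
otherwise receives SYN/ACKs (open reflector ports) and an RST (closed port)
it never asked for, the pattern described in the message above.
"""
from collections import defaultdict

VICTIM = "192.0.2.10"  # constructed victim address (TEST-NET-1 range)

# Constructed packet records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = [
    ("192.0.2.10", 40001, "198.51.100.7", 80, "S"),    # legitimate outbound SYN
    ("198.51.100.7", 80, "192.0.2.10", 40001, "SA"),   # its expected reply
    ("203.0.113.1", 179, "192.0.2.10", 6000, "SA"),    # reflected SYN/ACK, BGP port
    ("203.0.113.1", 179, "192.0.2.10", 6001, "SA"),
    ("203.0.113.2", 179, "192.0.2.10", 6000, "SA"),
    ("203.0.113.3", 22, "192.0.2.10", 6000, "SA"),     # reflected SYN/ACK, SSH port
    ("203.0.113.9", 23, "192.0.2.10", 6000, "RA"),     # RST from a closed port
]


def classify(packets, victim):
    """Return (reflectors_by_port, rst_sources, unsolicited_count).

    A SYN/ACK or RST arriving at `victim` counts as unsolicited when no
    earlier outbound SYN (victim:dport -> src:sport) appears in the log,
    which is exactly what a spoofed-source reflection produces.
    """
    outstanding = set()            # (victim_port, remote_ip, remote_port)
    reflectors = defaultdict(set)  # reflector source port -> reflector IPs
    rst_sources = set()
    unsolicited = 0
    for src, sport, dst, dport, flags in packets:
        if src == victim and flags == "S":
            outstanding.add((sport, dst, dport))  # remember what we asked for
            continue
        if dst != victim:
            continue
        solicited = (dport, src, sport) in outstanding
        if "S" in flags and "A" in flags and not solicited:
            reflectors[sport].add(src)
            unsolicited += 1
        elif "R" in flags and not solicited:
            rst_sources.add(src)
            unsolicited += 1
    return reflectors, rst_sources, unsolicited


def busiest_reflector_ports(reflectors):
    """Reflector ports ordered by how many distinct hosts answered from them."""
    return sorted(((p, len(ips)) for p, ips in reflectors.items()),
                  key=lambda t: (-t[1], t[0]))
```

On real captures the same check is what separates a reflection flood from a backscatter-free SYN flood: the offending packets carry SYN/ACK or RST, never a bare SYN, and nothing in the victim's own outbound traffic accounts for them.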