OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Glenn Forbes Fleming Larratt (glrattio.com)
Date: Thu Feb 28 2002 - 21:12:42 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    In our educational Class B (obfuscated as 299.299.0.0/16 below), we've
    seen a much higher than normal incidence,

    1. in the last week or two, of what appear to be smurf attempts, e.g.
    (mildly filtered Cisco syslogs):

    Feb 28 19:29:55 tcp 217.59.20.181(21) -> 299.299.0.255(21), 1 packet
    Feb 28 19:29:58 tcp 217.59.20.181(21) -> 299.299.1.255(21), 1 packet
    Feb 28 19:30:00 tcp 217.59.20.181(21) -> 299.299.2.255(21), 1 packet
            :
            :
    Feb 28 19:37:07 tcp 217.59.20.181(21) -> 299.299.248.255(21), 1 packet
    Feb 28 19:37:10 tcp 217.59.20.181(21) -> 299.299.250.255(21), 1 packet
    Feb 28 19:37:16 tcp 217.59.20.181(21) -> 299.299.253.255(21), 1 packet

    2. in the last three days, of indications of our address space being
    spoofed in huge quantity, presumably as part of DoS, decoy scanning,
    or other nastiness, e.g. (tcpdump -vv of Snort binary logs, in many
    cases implying "stimulus" hosts that don't exist in out network
    [subnets 108 and 93 are unallocated within our Class B]):

    02/28 16:06:33.293696 208.184.231.250 > 299.299.108.141: icmp: host 207.78.169.4 unreachable for 299.299.108.141.1171 > 207.78.169.4.1024: [|tcp] (DF) (ttl 123, id 38089, len 48) (ttl 248, id 0, len 56)
    02/28 16:06:52.377804 208.184.231.250 > 299.299.93.170: icmp: host 207.78.169.4 unreachable for 299.299.93.170.1170 > 207.78.169.4.1219: [|tcp] (DF) (ttl 123, id1165, len 48) (ttl 248, id 0, len 56)

    Has anyone seen similar behavior?

            -g

    -- 
    Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
    glrattio.com                        http://www.io.com/~glratt  
    There are imaginary bugs to chase in heaven.
    

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com