Alert: Teardrop2 Attack - Update
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Alert: Teardrop2 Attack - Update
- From: Russ <Russ.Cooper@RC.ON.CA>
- Date: Tue, 3 Mar 1998 17:56:23 -0500
- Reply-To: Russ <Russ.Cooper@RC.ON.CA>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
I changed the name of the thread because it's rapidly appearing that the attack is not new. Until analysis of sniffer traces proves otherwise, let's assume it's Teardrop2.

There appear to be two attacks combined here. The first is not a DOS attack, but instead, an attack against DNS. My *opinion* is that the DNS portion is a primer for the DOS portion. Some have reported seeing fragmented UDP traffic on port 53 but this is still unconfirmed. I believe the DNS traffic is an attempt to enumerate IP addresses for machines listed in the DNS. This enumeration would be trivial (I've seen a perl script that does it). One report indicated that their machines, using DHCP for addressing, were not attacked.

The DOS portion of the attack then uses the addresses enumerated to specifically attack machines. Again, in my opinion, the attempt here is to completely shut down a site's Internet accessible machines. Making the attack randomly, and repeatedly, attack machines throughout a domain means that admins are scurrying to and fro trying to keep them up.

Another report suggested that the attack is being targeted at discrediting ais.net since the source IP address seems spoofed from there. The longevity of the attacks would indicate that the attackers are either children or unbelievably confident they cannot be traced. I think the former, but hey, who knows.

FYI, the source address has been reported now from several sources, it is 199.0.154.13. If you are running a Firewall, and can log failed attempts, try filtering out DNS requests from that address. If the attackers already have your IP address information (and one site reported they thought this information was gathered as much as a month ago) it may not make a difference.

As I said earlier, port 4000 still seems to be the originating port (other than the port 53 traffic).

Keep those reports coming. I'm still looking for folks to confirm the attack failed on a machine patched with Teardrop2-fix.

I doubt that most of you can really appreciate just how widespread this particular attack is, IT'S HUGE!!

Cheers,
Russ
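The filtering advice in the message above, applied to firewall logs, as an added example that is not part of the original post: it flags log lines matching the indicators the alert names (DNS requests from 199.0.154.13, fragmented UDP to port 53, UDP from source port 4000). The key=value log format and its field names are assumptions of this example, and the log lines are constructed.

```python
import ipaddress
import re

# Indicators taken from the alert above
REPORTED_SOURCE = ipaddress.ip_address("199.0.154.13")
DNS_PORT = 53
REPORTED_SRC_PORT = 4000

# Constructed sample log lines in an assumed key=value format (field names are this example's own)
SAMPLE_LOG = """\
proto=udp src=199.0.154.13 spt=2999 dst=192.0.2.10 dpt=53 frag=1 action=deny
proto=udp src=199.0.154.13 spt=4000 dst=192.0.2.11 dpt=53 frag=1 action=deny
proto=udp src=198.51.100.7 spt=4000 dst=192.0.2.12 dpt=137 frag=1 action=deny
proto=udp src=198.51.100.8 spt=53 dst=192.0.2.10 dpt=5353 frag=0 action=allow
proto=tcp src=203.0.113.5 spt=1234 dst=192.0.2.10 dpt=80 frag=0 action=allow
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value line into typed fields; None if a required field is absent or malformed."""
    f = dict(FIELD_RE.findall(line))
    try:
        return {"proto": f["proto"].lower(), "src": ipaddress.ip_address(f["src"]),
                "spt": int(f["spt"]), "dpt": int(f["dpt"]), "frag": f.get("frag") == "1"}
    except (KeyError, ValueError):
        return None


def classify(ev):
    """Return the names of the alert's indicators that one parsed event matches."""
    reasons = []
    if ev["src"] == REPORTED_SOURCE and ev["dpt"] == DNS_PORT:
        reasons.append("dns-from-reported-source")
    if ev["proto"] == "udp" and ev["frag"] and ev["dpt"] == DNS_PORT:
        reasons.append("fragmented-udp-dns")
    if ev["proto"] == "udp" and ev["spt"] == REPORTED_SRC_PORT:
        reasons.append("udp-source-port-4000")
    return reasons


def scan(log_text):
    """Map each log line that matches at least one indicator to the list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = classify(ev) if ev else []
        if reasons:
            hits[line] = reasons
    return hits
```

Unparseable lines are skipped rather than raising, so the scan can run over a whole log file; a real deployment would read lines from the firewall's export instead of SAMPLE_LOG.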