[nsp-sec] BGP issues around the net?

Smith, Donald Donald.Smith at qwest.com
Fri Jan 25 16:24:33 EST 2008


A fair amount of this is coming from tick.usno.navy.mil, so open NTP
servers are being exploited.
I suspect the first packet in this attack is crafted with a spoofed src
IP and UDP port=179 that would result in it being directed back towards
a router on UDP port 179.
Like I said, it is not large and would not have shown up in a normal DDoS
report via Arbor or a similar system; only when I did a query for port 179
did I see it.

The targets (victims) are mostly gateways with router-like IP addresses
(.254 etc...).
I don't think the targets do much with this; since it is UDP to 179, they
might be sending an ICMP error msg or may just be silently dropping the
packets.



RM=for(1)
{manage_risk(identify_risk(product[i++]))}
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Smith, Donald
> Sent: Friday, January 25, 2008 1:37 PM
> To: jose nazario; nsp-security NSP
> Subject: Re: [nsp-sec] BGP issues around the net?
> 
> ----------- nsp-security Confidential --------
> 
> Sometimes you just don't see anything till you go looking.
> I don't know if this is related but I am seeing some 179 (bgp) to 123
> (ntp) traffic and vice versa.
> 
> It isn't a lot but it is there and shouldn't be:)
> I believe it was PaulV that warned us of spoofed ntp reflected back
> towards bgp sometime last year as a method to cause routers to attack
> each other.
> 
> RM=for(1)
> {manage_risk(identify_risk(product[i++]))}
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > jose nazario
> > Sent: Friday, January 25, 2008 10:00 AM
> > To: nsp-security NSP
> > Subject: [nsp-sec] BGP issues around the net?
> > 
> > ----------- nsp-security Confidential --------
> > 
> > Got a business partner asking me if there have been any BGP 
> > attacks in the
> > past few days. I'm not aware of any (looking at a local 
> > installation of PfSP
> > I don't see any significant rise in instability), but I 
> > thought I would ask.
> > 
> > -- jose
> > 
> > 
> > 
> > 
> > _______________________________________________
> > nsp-security mailing list
> > nsp-security at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/nsp-security
> > 
> > Please do not Forward, CC, or BCC this E-mail outside of the 
> > nsp-security
> > community. Confidentiality is essential for effective 
> > Internet security counter-measures.
> > _______________________________________________
> > 
> > 
> 
> 

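Added example, not part of the original thread or any poster's code: a flow-record check for the pattern discussed above, UDP between ports 123 and 179, matched on the port pair alone because the traffic was described as too small to appear in a volume-based DDoS report. The CSV column names, the function name and the sample flows (documentation address ranges) are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

NTP, BGP = 123, 179

# Constructed sample flow export; addresses are documentation ranges, not real data.
SAMPLE_FLOWS = """\
proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
udp,198.51.100.254,179,192.0.2.10,123,4,192
udp,192.0.2.10,123,198.51.100.254,179,4,304
udp,192.0.2.10,123,203.0.113.254,179,2,152
tcp,198.51.100.1,51515,198.51.100.254,179,120,9000
udp,192.0.2.10,123,198.51.100.20,123,1,76
udp,203.0.113.9,40000,192.0.2.10,123,1,48
"""

def find_ntp_bgp_udp(flow_csv):
    """Return (reflected, triggers), each keyed by (src_ip, dst_ip) -> [packets, bytes].

    reflected: UDP src port 123 -> dst port 179 (NTP server replying toward a router).
    triggers:  UDP src port 179 -> dst port 123 (request whose claimed source may be spoofed).
    No volume threshold is applied: any such flow is unexpected.
    """
    reflected = defaultdict(lambda: [0, 0])
    triggers = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # real BGP sessions run over TCP/179 and are not of interest here
        ports = (int(row["src_port"]), int(row["dst_port"]))
        if ports == (NTP, BGP):
            bucket = reflected[(row["src_ip"], row["dst_ip"])]
        elif ports == (BGP, NTP):
            bucket = triggers[(row["src_ip"], row["dst_ip"])]
        else:
            continue
        bucket[0] += int(row["packets"])
        bucket[1] += int(row["bytes"])
    return dict(reflected), dict(triggers)

if __name__ == "__main__":
    reflected, triggers = find_ntp_bgp_udp(SAMPLE_FLOWS)
    for (src, dst), (pkts, nbytes) in sorted(reflected.items()):
        print(f"reflected  {src}:123 -> {dst}:179  packets={pkts} bytes={nbytes}")
    for (src, dst), (pkts, nbytes) in sorted(triggers.items()):
        print(f"trigger    {src}:179 -> {dst}:123  packets={pkts} bytes={nbytes}")
```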

