[nsp-sec] ICMP packet love (AUSCERT#20082a5b7)
Smith, Donald
Donald.Smith at qwest.com
Wed Jul 2 15:44:29 EDT 2008
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Robert Lowe
> Sent: Monday, June 30, 2008 2:47 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] ICMP packet love (AUSCERT#20082a5b7)
>
> ----------- nsp-security Confidential --------
>
>
> Hi NSP-SEC,
>
> We suffered a DDoS during the last couple of days. Lots of ICMP (but some TCP)
> and big spikes of up to 100K pps, then tapering off to around 1000 pps. This
> was directed at 203.5.112.28, our NAT'd address (not our web server or MX).
>
> Example pcap:
>
> 07:28:13.753794 IP 208-46-106-5.dia.static.qwest.net > gw.auscert.org.au: icmp 40: echo request seq 1280
40 octets (60 with the ethernet header), echo request with a sequence
number of 1280.
Yep, that is Storm worm packet love.
> 0x0000:  4500 003c dad3 0000 cb01 9f97 d02e 6a05  E..<..........j.
> 0x0010:  cb05 701c 0800 02ab 7dad 0500 6162 6364  ..p.....}...abcd
> 0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 0000  efghijklmnopqr..
> 0x0030:  84a2 d000 7ca2 d000 4ca2 d000            ....|...L...
>
> And we have flows:
>
> https://asn.cymru.com/nsp-sec/upload/1214814706.whois.txt
>
> In this file, I've included flows with more than 1000 packets. Many IPs had
> multiple flows - and am happy to provide these on request. Timestamps are
> GMT+10.
>
> Is this similar to what you get after poking storm and is it automated? AFAIK,
> we haven't been doing anything provocative towards storm infected hosts, apart
> from downloading their malware.
>
> If anyone can share any insight in to this attack, it would be appreciated.
> Just let me know if you need any more info.
>
> Thanks in advance,
> Rob.
>
> --
> Robert Lowe, Security Analyst | Hotline: +61 7 3365 4417
> AusCERT, Australia's national CERT | Fax: +61 7 3365 7031
> The University of Queensland | WWW: www.auscert.org.au
> QLD 4072 Australia | Email: auscert at auscert.org.au
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
>
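Added example for this thread (not code from either poster): a small Python decoder that turns the tcpdump -X hex dump quoted above back into bytes, verifies the IP and ICMP checksums, and pulls out the fields Donald is reading off the dump (40-octet ICMP echo request, sequence 1280, the "abcdefghijklmnopqr" run in the payload), then applies them as a match rule. The choice of those three features as the rule is an assumption drawn from this single sample, not a published Storm signature; the benign comparison packet, its addresses and its payload are constructed for the example.

```python
"""Decode the ICMP echo request from the quoted tcpdump -X dump and flag it.

Added example for this thread. The Storm-style pattern tested for below is an
assumption taken from the one sample in the post, not a published signature.
"""
import ipaddress
import struct

# Hex dump copied from the quoted tcpdump output (IP header onward, 60 octets).
SAMPLE_DUMP = """
0x0000: 4500 003c dad3 0000 cb01 9f97 d02e 6a05
0x0010: cb05 701c 0800 02ab 7dad 0500 6162 6364
0x0020: 6566 6768 696a 6b6c 6d6e 6f70 7172 0000
0x0030: 84a2 d000 7ca2 d000 4ca2 d000
"""

ICMP_ECHO_REQUEST = 8
# Assumed pattern: 40-octet ICMP message, seq 1280, payload opening with the
# alphabet run visible in the ASCII column of the dump.
STORM_ICMP_LEN = 40
STORM_SEQ = 1280
STORM_PAYLOAD_PREFIX = b"abcdefghijklmnopqr"


def parse_hexdump(dump):
    """Turn 'offset: xxxx xxxx ...' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 when run over data that
    already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_icmp(pkt):
    """Return the interesting fields of an IPv4/ICMP packet, or None if it is
    not ICMP or either checksum fails."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or inet_checksum(pkt[:ihl]) != 0:
        return None
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "type": itype, "code": code, "id": ident, "seq": seq,
        "icmp_len": len(icmp),
        "payload": icmp[8:],
    }


def looks_like_storm_ping(fields):
    """Apply the assumed pattern to the decoded fields."""
    return (fields is not None
            and fields["type"] == ICMP_ECHO_REQUEST
            and fields["icmp_len"] == STORM_ICMP_LEN
            and fields["seq"] == STORM_SEQ
            and fields["payload"].startswith(STORM_PAYLOAD_PREFIX))


def build_echo_request(src, dst, ident, seq, payload, ttl=64):
    """Build a checksummed IPv4 echo request; used here to make a benign
    comparison packet shaped like a stock ping (56-octet payload)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


SAMPLE_PACKET = parse_hexdump(SAMPLE_DUMP)
# Constructed benign ping for comparison (documentation address ranges).
BENIGN_PACKET = build_echo_request("192.0.2.1", "198.51.100.7", 0x1234, 1,
                                   bytes(range(56)))

if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_PACKET), ("benign", BENIGN_PACKET)):
        f = decode_icmp(pkt)
        print(name, f["src"], "->", f["dst"], "ttl", f["ttl"], "seq", f["seq"],
              "icmp_len", f["icmp_len"], "storm-like:", looks_like_storm_ping(f))
```

Both checksums in the quoted dump verify, so the packet is well formed rather than a truncated or corrupted capture; a one-byte change anywhere in the ICMP message makes decode_icmp() return None. On a live capture the same decode can be applied to each packet after the link-layer header, and counting matching sources per second gives the pps figure Rob quotes directly from the matching traffic instead of from all ICMP.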