[nsp-sec] ICMP packet love (AUSCERT#20082a5b7)

Robert Lowe rlowe at auscert.org.au
Mon Jun 30 04:46:46 EDT 2008


Hi NSP-SEC,

We suffered a DDoS during the last couple of days. Lots of ICMP (but some TCP) 
and big spikes of up to 100K pps, then tapering off to around 1000 pps. This 
was directed at 203.5.112.28, our NAT'd address (not our web server or MX).

Example pcap:

07:28:13.753794 IP 208-46-106-5.dia.static.qwest.net > gw.auscert.org.au: icmp 
40: echo request seq 1280
        0x0000:  4500 003c dad3 0000 cb01 9f97 d02e 6a05  E..<..........j.
        0x0010:  cb05 701c 0800 02ab 7dad 0500 6162 6364  ..p.....}...abcd
        0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 0000  efghijklmnopqr..
        0x0030:  84a2 d000 7ca2 d000 4ca2 d000            ....|...L...

And we have flows:

https://asn.cymru.com/nsp-sec/upload/1214814706.whois.txt

In this file, I've included flows with more than 1000 packets. Many IPs had 
multiple flows - and I am happy to provide these on request. Timestamps are 
GMT+10.

Is this similar to what you get after poking storm and is it automated? AFAIK, 
we haven't been doing anything provocative towards storm infected hosts, apart 
from downloading their malware.

If anyone can share any insight into this attack, it would be appreciated. Just let me know if you need any more info.

Thanks in advance,
Rob.

-- 
Robert Lowe, Security Analyst       | Hotline: +61 7 3365 4417
AusCERT, Australia's national CERT  | Fax:     +61 7 3365 7031
The University of Queensland        | WWW:     www.auscert.org.au
QLD 4072 Australia                  | Email:   auscert at auscert.org.au
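As an added example (not part of the post above), the quoted tcpdump hex dump can be decoded with Python's standard library to confirm what tcpdump printed (source 208.46.106.5, target 203.5.112.28, echo request seq 1280) and that both the IP and ICMP checksums verify, a quick sanity check on flood samples before flow data is shared. The HEXDUMP constant is the dump from the post; the function names are mine.

```python
import struct
from ipaddress import IPv4Address

# Hex dump copied from the tcpdump output quoted in the post (offset and ASCII columns intact).
HEXDUMP = """\
0x0000:  4500 003c dad3 0000 cb01 9f97 d02e 6a05  E..<..........j.
0x0010:  cb05 701c 0800 02ab 7dad 0500 6162 6364  ..p.....}...abcd
0x0020:  6566 6768 696a 6b6c 6d6e 6f70 7172 0000  efghijklmnopqr..
0x0030:  84a2 d000 7ca2 d000 4ca2 d000            ....|...L...
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Turn tcpdump -X style lines into raw bytes, ignoring offsets and the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue
        # At most eight 4-hex-digit groups follow the offset; the first other token is ASCII.
        for tok in fields[1:9]:
            if len(tok) != 4 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Decode the IPv4 and ICMP headers of one packet and verify both checksums."""
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 1 or total_len > len(pkt) or total_len < ihl + 8:
        raise ValueError("not a complete IPv4/ICMP packet")
    icmp = pkt[ihl:total_len]
    itype, icode, _, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "ttl": ttl, "ip_id": ip_id,
        "icmp_type": itype, "icmp_code": icode, "icmp_id": icmp_id, "icmp_seq": icmp_seq,
        "payload": icmp[8:],
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
    }
```

Calling `parse_ipv4_icmp(hexdump_to_bytes(HEXDUMP))` returns the decoded fields, including the 32-byte payload that begins with the "abcdefghijklmnopqr" string visible in the ASCII column.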
