Questionable packets, need help

Post by Leonard Even » Sat, 09 Jun 2001 09:11:07



One of our users got a complaint from a distant site that
his machine was sending packets which the remote site's firewall
was rejecting.   The person at the remote site wanted to know
why.   tcpdump, which we are just now learning to use, confirmed
our machine was sending packets out to a variety of sites.

We reinstalled the OS after formatting the disk and ran it without
the /home partition mounted.  But that did not resolve the problem,
tcpdump still showed packets being sent out.   We also tried some
other measures I won't go into here.   But after some further
investigation, we saw that each time there was an incoming (icmp)
packet, our machine just responded to the (apparent)
ip address of the source machine.  It is quite possible, perhaps
even likely, that this was the case all along, since we could find
no evidence of tampering in the first place.

I can envision two possibilities here.  (1) The source machines
had been compromised and were all aiming an attack at our machine
(which was running a web server).  (2) Someone was sending packets
with many false ip addresses to our machine which was responding.

We would appreciate any comments on what may be happening, and
any ideas for countermeasures.

As a postscript, let me add that several machines on our campus
had web sites attacked and made to post anti-Chinese obscenities.
But that had not happened to the machine discussed above.

--
Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208


Questionable packets, need help

Post by Troutman » Sat, 09 Jun 2001 09:44:35



>I can envision two possibilities here.  (1) The source machines
>had been compromised and were all aiming an attack at our machine
>(which was running a web server).  (2) Someone was sending packets
>with many false ip addresses to our machine which was responding.

>We would appreciate any comments on what may be happening, and
>any ideas for countermeasures.

What type of packets were hitting the distant firewall?  Were they icmp
packets?  If so - what type of icmp?  It is possible someone was sending
source forged packets to your server, which was responding normally to
them.  If you don't require icmp responses, use a chain or table to drop
all icmp to stop the packets.  The same attack could be done with tcp and
udp - a simple DOS attack.  There really isn't much you can do to stop it
unfortunately.

--
______________________________
Mike Troutman
        http://www.troutman.org
        http://www.zen-data.com
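One way to tell the two possibilities apart from a capture, as an added example that is not code from anyone in this thread: a Python script over constructed tcpdump-style lines (the addresses and the OUR_HOST value are assumptions) that counts how many distinct sources hit the host, how many packets each one sends, and whether the host answered each of them. It also shows why a daytime port that is not activated still produces outbound packets: a SYN to a closed TCP port is answered with a RST.

```python
import re
from collections import Counter
OUR_HOST = "192.0.2.10"  # assumed address of the server in the thread (constructed)
IP = r"(\d+\.\d+\.\d+\.\d+)"
# tcpdump line shape: "<time> <src>[.<sport>] > <dst>[.<dport>]: <summary>"
LINE_RE = re.compile(rf"^\S+\s+{IP}(?:\.(\d+))?\s+>\s+{IP}(?:\.(\d+))?:\s+(.*)$")
# Constructed tcpdump-style lines, not a real capture: five distinct sources
# each send a single packet (ICMP echo request, or a SYN to daytime tcp/13)
# and our host answers every one. The daytime SYNs draw a RST because the
# port is closed, so an inactive service still yields outbound packets.
SAMPLE_CAPTURE = """\
10:01:00.10 203.0.113.5 > 192.0.2.10: icmp: echo request
10:01:00.11 192.0.2.10 > 203.0.113.5: icmp: echo reply
10:01:00.20 198.51.100.9.1025 > 192.0.2.10.13: S 1:1(0) win 512
10:01:00.21 192.0.2.10.13 > 198.51.100.9.1025: R 0:0(0) ack 2 win 0
10:01:00.30 203.0.113.77 > 192.0.2.10: icmp: echo request
10:01:00.31 192.0.2.10 > 203.0.113.77: icmp: echo reply
10:01:00.40 198.51.100.40.1026 > 192.0.2.10.13: S 7:7(0) win 512
10:01:00.41 192.0.2.10.13 > 198.51.100.40.1026: R 0:0(0) ack 8 win 0
10:01:00.50 203.0.113.201 > 192.0.2.10: icmp: echo request
10:01:00.51 192.0.2.10 > 203.0.113.201: icmp: echo reply
"""

def summarize(capture, our_host=OUR_HOST):
    """Inbound packets per source, replies per destination, inbound service mix."""
    inbound, outbound, services = Counter(), Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines tcpdump printed in some other format
        src, _sport, dst, dport, info = m.groups()
        if dst == our_host:
            inbound[src] += 1
            services["daytime" if dport == "13" else info.split(":")[0]] += 1
        elif src == our_host:
            outbound[dst] += 1
    return {"inbound": inbound, "outbound": outbound, "services": services}

def assess(stats, min_sources=5):
    """Many sources, one packet each, every one answered: the host is reflecting
    spoofed-source packets (possibility 2); few chatty sources fit possibility 1."""
    inbound, outbound = stats["inbound"], stats["outbound"]
    if len(inbound) < min_sources:
        return "inconclusive"
    one_shot = sum(1 for n in inbound.values() if n == 1)
    answered = sum(1 for s in inbound if outbound[s] > 0)
    if one_shot >= 0.8 * len(inbound) and answered == len(inbound):
        return "reflection-likely"
    return "inconclusive"
```

Feed it `tcpdump -n` output captured while the complaint traffic is happening; if the verdict is "reflection-likely", dropping ICMP echo and the unused daytime port at the packet filter, as suggested above, removes the replies without touching the web server.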


Questionable packets, need help

Post by Ian Jone » Sat, 09 Jun 2001 09:43:48


> One of our users got a complaint from a distant site that
> his machine was sending packets which the remote site's firewall
> was rejecting.   The person at the remote site wanted to know
> why.   tcpdump, which we are just now learning to use, confirmed
> our machine was sending packets out to a variety of sites.

> We reinstalled the OS after formatting the disk and ran it without
> the /home partition mounted.  But that did not resolve the problem,
> tcpdump still showed packets being sent out.   We also tried some
> other measures I won't go into here.   But after some further
> investigation, we saw that each time there was an incoming (icmp)
> packet, our machine just responded to the (apparent)
> ip address of the source machine.  It is quite possible, perhaps
> even likely, that this was the case all along, since we could find
> no evidence of tampering in the first place.

> I can envision two possibilities here.  (1) The source machines
> had been compromised and were all aiming an attack at our machine
> (which was running a web server).  (2) Someone was sending packets
> with many false ip addresses to our machine which was responding.

> We would appreciate any comments on what may be happening, and
> any ideas for countermeasures.

Without seeing a packet dump of the traffic in question, it is hard to be
of much assistance. You might want to insert a network IDS onto the segment
where this is going on and see if you can figure it out. Stick a snort node
in there and the standard (or rather, included basic) ruleset will probably
catch and report your traffic to you if it is malicious. Of course, tcpdump
is doing pretty much the same thing, but its filtering (selection)
abilities are much more primitive.



Questionable packets, need help

Post by Leonard Even » Sat, 09 Jun 2001 09:39:19



> One of our users got a complaint from a distant site that
> his machine was sending packets which the remote site's firewall
> was rejecting.   The person at the remote site wanted to know
> why.   tcpdump, which we are just now learning to use, confirmed
> our machine was sending packets out to a variety of sites.

> We reinstalled the OS after formatting the disk and ran it without
> the /home partition mounted.  But that did not resolve the problem,
> tcpdump still showed packets being sent out.   We also tried some
> other measures I won't go into here.   But after some further
> investigation, we saw that each time there was an incoming (icmp)
> packet, our machine just responded to the (apparent)
> ip address of the source machine.  It is quite possible, perhaps
> even likely, that this was the case all along, since we could find
> no evidence of tampering in the first place.

> I can envision two possibilities here.  (1) The source machines
> had been compromised and were all aiming an attack at our machine
> (which was running a web server).  (2) Someone was sending packets
> with many false ip addresses to our machine which was responding.

> We would appreciate any comments on what may be happening, and
> any ideas for countermeasures.

> As a postscript, let me add that several machines on our campus
> had web sites attacked and made to post anti-Chinese obscenities.
> But that had not happened to the machine discussed above.

> --
> Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208

I should add that the incoming packets involved daytime, which
in fact was not activated on our machine.
--
Dept. of Mathematics, Northwestern Univ., Evanston, IL 60208


Firewall dropping Kazaa UDP packets it shouldn't -- Need help

Hi

I am trying to get kanat to work -- This allows you to run a kazaa
machine behind a firewall.  

All you have to do is forward both the UDP and the TCP port of your
choice to the kazaa machine behind your NAT.

OK, no problem.  But if I completely open up my firewall, and just
turn on forwarding, then it works.

But, if I turn on port forwarding in my normal software package
(Firestarter), then only half of the UDP packets come through.  The
rest are dropped.

I'm dying for a decent kazaa machine.  Can anyone help me figure out
what rule in Firestarter is causing only some of the UDP packets to be
dropped?

I don't even know where to start.

Thanks,
Greg
