Firewall Wizards mailing list archives

Re: Spoofed SMTP _outbound_


From: ant () notatla demon co uk (Antonomasia)
Date: Thu, 17 Jan 2002 21:21:18 +0000 (GMT)

From: "Jay Epperson" <jepperso () mail vak12ed edu>

We're seeing source-spoofed traffic outbound from one of our segments to
the SMTP port on a variety of outside addresses.  The denials are like:

denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets

(not the real network numbers)
Where the source address cycles through all addresses on the IP segment
(1-254) and the destination stays fixed through such a run.  Since the
majority of the source addresses don't actually exist on our network, it
smells like part of a DoS, or a one-way vulnerability attack intended to
open up access to the target from somewhere besides here.

If it's really trying to open a hole in the style of reverse telnet, doesn't
it need either an accurate source address or a promiscuous interface?  I'd
consider looking for a promiscuous interface as well as using a sniffer to
lead back to the suspects.  Eventually unplugging a box may sort it out, but
if the activity is intermittent it could be slow going.

You could divert the outgoing traffic to a machine of your own to watch
what it does.  If it's simple-minded enough you might learn some strings
to search for in all your binaries, and to publish.

Still working to capture enough information to identify the actual source
platform, but if anyone can tell us what kind of animal we might be tracking,
it could help.  Boxes on the segment are all either Linux (new), HP-UX
(mature), or AIX (ancient).

Arkin's passive traffic identification might help here.   Different TTLs
and source ports on traffic from different OSs etc.  But when you know
this traffic is spoofed it's hard to rely on what you see there.

--
##############################################################
# Antonomasia   ant notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
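The pattern Jay describes (source address walking the whole segment, destination and port held fixed, most sources not real hosts) is easy to pull out of the firewall's own denial lines. The script below is an added example, not code from either poster: it parses lines in the exact shape quoted above, groups them by destination, and flags a destination when many distinct source addresses from the segment hit the same port while most of those sources are not on a list of hosts known to exist. It also checks whether the source ports across the supposedly different hosts are one consecutive run, which is what a single spoofing process incrementing its ephemeral port looks like and what independent real hosts would not produce. The log lines, the segment, the known-host list and the thresholds are all constructed for the example (addresses are RFC 5737 documentation ranges).

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of firewall denial lines in the format quoted in the
# post. The first eight lines mimic the spoofed sweep; the last two are
# ordinary noise from real hosts. Addresses are documentation ranges.
SAMPLE_LOG = """\
denied tcp 192.0.2.1(1328) -> 198.51.100.159(25), 138 packets
denied tcp 192.0.2.2(1329) -> 198.51.100.159(25), 141 packets
denied tcp 192.0.2.3(1330) -> 198.51.100.159(25), 137 packets
denied tcp 192.0.2.4(1331) -> 198.51.100.159(25), 140 packets
denied tcp 192.0.2.5(1332) -> 198.51.100.159(25), 139 packets
denied tcp 192.0.2.6(1333) -> 198.51.100.159(25), 142 packets
denied tcp 192.0.2.7(1334) -> 198.51.100.159(25), 138 packets
denied tcp 192.0.2.8(1335) -> 198.51.100.159(25), 136 packets
denied tcp 192.0.2.10(4012) -> 198.51.100.7(80), 3 packets
denied tcp 192.0.2.44(2201) -> 198.51.100.200(25), 12 packets
"""

# Hosts that really exist on the segment (assumed inventory for the example).
KNOWN_HOSTS = ["192.0.2.1", "192.0.2.10", "192.0.2.44"]
SEGMENT = "192.0.2.0/24"

LINE_RE = re.compile(
    r"denied tcp (\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packets"
)


def parse_denials(text):
    """Parse 'denied tcp src(sport) -> dst(dport), N packets' lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other shape
        src, sport, dst, dport, pkts = m.groups()
        events.append({
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "packets": int(pkts),
        })
    return events


def find_source_sweeps(events, segment, known_hosts, dport=25, min_sources=4):
    """Group denials to one port by destination and flag destinations hit
    from many distinct segment addresses. For each flagged destination
    report how many sources were seen, how many are not known hosts
    ("phantom", i.e. spoofed), and whether the source ports form one
    consecutive run across the different source addresses."""
    net = ipaddress.ip_network(segment)
    known = {ipaddress.ip_address(h) for h in known_hosts}
    by_dst = defaultdict(list)
    for e in events:
        if e["dport"] == dport and e["src"] in net:
            by_dst[e["dst"]].append(e)

    findings = {}
    for dst, evs in by_dst.items():
        sources = {e["src"] for e in evs}
        if len(sources) < min_sources:
            continue
        sports = sorted(e["sport"] for e in evs)
        findings[str(dst)] = {
            "sources": len(sources),
            "phantom": len(sources - known),
            "sequential_sports": all(b - a == 1 for a, b in zip(sports, sports[1:])),
            "packets": sum(e["packets"] for e in evs),
        }
    return findings


if __name__ == "__main__":
    for dst, info in find_source_sweeps(parse_denials(SAMPLE_LOG),
                                        SEGMENT, KNOWN_HOSTS).items():
        print(dst, info)
```

Run against a real denial log, feed the live host list from your own inventory (or an ARP/ping sweep taken while the traffic is quiet); a destination with a high phantom count and a single run of source ports is the run Jay describes, and the timestamps on those lines tell you when to have the sniffer and the diverted-traffic box listening.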