Security Incidents mailing list archives

Re: ICMP_TIME_EXCEEDED to network address?


From: Curt Freeland <curt () GRUMPY CSE ND EDU>
Date: Thu, 25 Jan 2001 08:45:17 -0500

I reported this activity to SANS/GIAC on January 11th.  I have two
sites that are still seeing this activity...usually as many as a thousand
packets an hour from IPs all over the world.  Someone is spoofing
packets, and we are being DoS'ed as a result (but not as bad as the
primary target).

There are three variants of this attack in action...(or three unique
attacks which coincidentally have a lot of overlap):

1) Send packets with TTL tuned to expire as it hits the border router
   of the target (hence the Time Exceeded 11/0 messages).  The sites I
   monitor see up to several thousand of these an hour.

   I also see quite a few of the 11/1 messages, which tell me that they
   are also sending frags to the target using our spoofed addresses.

   The top two offenders we see are: 202.178.243.254, 61.132.74.1
   The 202 address has been showing up every hour, daily for almost a
   month now.  They do not return email, and nobody has replied to
   phone messages that have been left for them.

2) Send initial packets to target with an ACK set.  Target host(s) reply
   with Reset packets.  The sites I monitor see up to several thousand of the
   reset packets an hour.

3) Repetitive DNS requests for various sites (aol.com, ucla.edu, net.net,
   dot.com, ...).
   These have stopped in the past two or three days, but when they were
   running the sites I monitor would get several thousand of these an
   hour as well.

When I started looking at source addresses for the three groups of
packets I found a lot of overlap.  In all, I have seen over 200 source
addresses that seem to change every day or two.  I've talked with admins
of several of the (on-shore) source sites and all are battling DoS attacks.

The admins apologized for the traffic on our nets, but could do little to
stop it.  Some put in ACLs to block the IPs from the sites I monitor...
but we still see a lot of these packets from others.

If you have packet traces, send them to intrusion () sans org and
reference my report of January 11.  Maybe the SANS folks (or others)
can get the core providers to trace/stop the traffic as they did with
the futuredomain attack in early January.

--curt

Curt Freeland (curt () cse nd edu) GCIA #0223
Director of Facilities, Computer Science and Engineering Department
323A Cushing Hall,  The University of Notre Dame
Voice: (219) 631-5893 / FAX: (219) 631-9260
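The three variants Curt lists are all backscatter: replies to packets that somebody else sent with our addresses forged as the source. The detection idea that follows is an added illustration, not code from the original post or from either site mentioned in it. It assumes a constructed packet summary (Python dicts with a timestamp, addresses, protocol and a few header fields), uses the TEST-NET prefix 192.0.2.0/24 as a stand-in for the monitored class C, and matches replies against outbound traffic by address pair only; a real sensor would keep full flow state.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Placeholder for the monitored class C; TEST-NET-1 stands in for the real prefix.
OUR_NET = ip_network("192.0.2.0/24")

# Constructed sample traffic (not from the original report). OUTBOUND is what hosts on
# OUR_NET actually sent; INBOUND is what arrived, some of it backscatter from a flood
# that spoofed our addresses against a victim elsewhere.
T = datetime(2001, 1, 24, 10, 0, 0)
OUTBOUND = [
    {"ts": T, "src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "flags": "S"},
    {"ts": T, "src": "192.0.2.10", "dst": "203.0.113.53", "proto": "udp", "dport": 53},
]
INBOUND = [
    # Variant 1: TTL tuned to expire at the victim's border; the router quotes a packet
    # that claims our network address as its source (ICMP 11/0 and 11/1).
    {"ts": T, "src": "203.0.113.1", "dst": "192.0.2.0", "proto": "icmp", "type": 11, "code": 0,
     "inner": {"src": "192.0.2.0", "dst": "198.51.100.77"}},
    {"ts": T, "src": "203.0.113.1", "dst": "192.0.2.0", "proto": "icmp", "type": 11, "code": 1,
     "inner": {"src": "192.0.2.0", "dst": "198.51.100.77"}},
    # Legitimate time-exceeded for a connection we really opened (e.g. a traceroute probe).
    {"ts": T, "src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp", "type": 11, "code": 0,
     "inner": {"src": "192.0.2.10", "dst": "198.51.100.5"}},
    # Variant 2: RST from a host we never contacted (it answered a spoofed ACK).
    {"ts": T, "src": "198.51.100.77", "dst": "192.0.2.20", "proto": "tcp", "flags": "R"},
    # RST on a connection we did open: ordinary teardown, not backscatter.
    {"ts": T, "src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "flags": "RA"},
    # Variant 3: DNS reply from a server we never queried.
    {"ts": T, "src": "203.0.113.200", "dst": "192.0.2.30", "proto": "udp", "sport": 53, "qr": 1},
    # DNS reply to a query we actually sent.
    {"ts": T, "src": "203.0.113.53", "dst": "192.0.2.10", "proto": "udp", "sport": 53, "qr": 1},
]


def classify_backscatter(outbound, inbound):
    """Return [(packet, reason)] for inbound packets that answer traffic we never sent.

    Matching on (our address, remote address) pairs is a simplification; a real sensor
    would keep full flow state (5-tuple plus timing) so scans and retransmits do not
    slip through as "replies"."""
    sent_to = {(p["src"], p["dst"]) for p in outbound}
    flagged = []
    for p in inbound:
        reason = None
        if p["proto"] == "icmp" and p["type"] == 11:
            inner = p["inner"]  # quoted header of the packet whose TTL or reassembly timer expired
            if ip_address(inner["src"]) in OUR_NET and (inner["src"], inner["dst"]) not in sent_to:
                reason = "v1-ttl-expired" if p["code"] == 0 else "v1-frag-reassembly-timeout"
        elif p["proto"] == "tcp" and "R" in p["flags"]:
            if (p["dst"], p["src"]) not in sent_to:
                reason = "v2-unsolicited-rst"
        elif p["proto"] == "udp" and p.get("sport") == 53 and p.get("qr") == 1:
            if (p["dst"], p["src"]) not in sent_to:
                reason = "v3-unsolicited-dns-reply"
        if reason:
            flagged.append((p, reason))
    return flagged


def hourly_counts(flagged):
    """Count flagged packets per (source IP, hour bucket), the unit the report uses."""
    counts = Counter()
    for p, _ in flagged:
        hour = p["ts"].replace(minute=0, second=0, microsecond=0)
        counts[(p["src"], hour)] += 1
    return counts


def noisy_sources(flagged, per_hour_threshold):
    """Sources whose backscatter rate in some hour reaches the threshold (sorted for stable output)."""
    return sorted({src for (src, _), n in hourly_counts(flagged).items() if n >= per_hour_threshold})


def network_address_hits(flagged):
    """How many flagged packets were aimed at the network (.0) address, as in Ralf's question."""
    net_addr = str(OUR_NET.network_address)
    return sum(1 for p, _ in flagged if p["dst"] == net_addr)


if __name__ == "__main__":
    flagged = classify_backscatter(OUTBOUND, INBOUND)
    for p, reason in flagged:
        print(f"{p['ts']:%H:%M} {p['src']:>15} -> {p['dst']:<12} {reason}")
    print("sources at or above 2/hour:", noisy_sources(flagged, 2))
    print("packets to network address:", network_address_hits(flagged))
```

The useful property of the unsolicited-reply check is that it separates backscatter from the victim's own legitimate replies without needing to know who the real target is: the two ICMP 11 messages quoting a flow from the .0 address, the RST from a host nobody on the net contacted, and the DNS answer to a query nobody sent are flagged, while the time-exceeded, RST and DNS reply belonging to real outbound flows pass. Per-source hourly counts then give the "thousands an hour" figure worth putting in a report to the upstream or to SANS.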


------- In Incidents you write:   -----------------

Date:    Wed, 24 Jan 2001 10:45:27 +0100
From:    "Ralf G. R. Bergs" <rabe () RWTH-AACHEN DE>
Subject: ICMP_TIME_EXCEEDED to network address?

Hi there,

does any of you have an idea what this could mean? I see lots of packets
from a certain IP to my class C network address (aaa.bbb.ccc.0) with an ICMP
type of 11 (Time Exceeded). Could this be a DoS?

Thanks,

Ralf


--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
