> -----Original Message-----
> From: Scott I. Remick [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 10 December 1999 3:08 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Port 3593
>
>
> Hello. I observed what appeared to be a DoS attack yesterday involving UDP packets from spoofed source addresses triggering ICMP replies. The attack seems to have died down, but I'm still seeing the occasional UDP packet trickle in from a probably spoofed source IP.
It takes a few CPU cycles, and some bandwidth, to create and send an ICMP
unreachable message. If you're finding that this is making your link
gluggy, there are some things you can do. Firstly, you may be able to
configure the router not to send _any_ unreachables. This is often really
good. However, some people like to be polite and not silently drop packets.
The pros and cons are beyond the scope of a short email.
Secondly, you may (depending on your router) be able to use policy routing
(basically routing based on source instead of destination, although it can
be much more complex) and route packets _from_ the host that is attacking
you to a null interface - like chucking them into /dev/null. Both of these
solutions will stop the router taking the time out to send an ICMP
3/anything message.
> These are different though in that they are not causing any sort of response from the victimized system, and all are destined for port 3593.
Someone check me on this - what is the normal response for a _host_ to a UDP
packet that doesn't match any service? With TCP it would be a TCP RST. Am I
right in thinking that it's silently drop for UDP? If so then this behaviour
is normal.
[trojan speculation snipped]
>
> And finally... what's the best way to trace UDP packets with spoofed source addresses? Does it always require the assistance of the ISP?
Sure does. However unless the packets originated from a user on their
system, they're probably going to be in the same boat. I really wouldn't
worry about it - from what you're saying, the attack wasn't going to succeed
and no damage has been done. Save your time and energy for a real threat.
>
> Thanks for your help.
> -----------------------
> Scott I. Remick [EMAIL PROTECTED]
> Network and Information (802)388-7545 ext. 236
> Systems Manager FAX:(802)388-3697
> Computer Alternatives, Inc. http://www.computeralt.com
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
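An added worked example, not code from either poster, covering the three points raised above: spotting the flooded port, deciding which "spoofed" sources are actually provable, and the cost of answering with ICMP unreachables. It parses tcpdump-style text (the sample lines are constructed, with 192.0.2.10 as the victim), treats only sources inside bogon ranges (RFC 1918, loopback, link-local, multicast, class E) as spoofed beyond doubt, since a packet alone says nothing about any other source and tracing it really does need the upstream ISP's hop-by-hop help, totals the bytes the victim spent on replies, and emits Linux netfilter rules as the null-route equivalent (Linux and iptables are an assumption; the thread is about a router). On the UDP-to-closed-port question, an RFC 1122 host normally answers with ICMP type 3 code 3 (port unreachable) unless rate-limited or filtered, which is what the sample's ICMP lines show; the `polite` flag chooses between sending that reply and dropping silently.

```python
"""Triage a suspected spoofed-source UDP flood from tcpdump output (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's default text format; not real traffic from the post.
# 192.0.2.10 is the victim; the ICMP lines are its port-unreachable replies.
SAMPLE_LINES = """\
03:07:41.102 IP 10.99.1.7.40001 > 192.0.2.10.3593: UDP, length 28
03:07:41.103 IP 192.0.2.10 > 10.99.1.7: ICMP 192.0.2.10 udp port 3593 unreachable, length 36
03:07:41.110 IP 203.0.113.55.40002 > 192.0.2.10.3593: UDP, length 28
03:07:41.111 IP 192.0.2.10 > 203.0.113.55: ICMP 192.0.2.10 udp port 3593 unreachable, length 36
03:07:41.120 IP 172.16.4.4.40003 > 192.0.2.10.3593: UDP, length 28
03:07:41.121 IP 192.0.2.10 > 172.16.4.4: ICMP 192.0.2.10 udp port 3593 unreachable, length 36
03:07:41.130 IP 10.99.1.7.40004 > 192.0.2.10.3593: UDP, length 28
03:07:41.131 IP 192.0.2.10 > 10.99.1.7: ICMP 192.0.2.10 udp port 3593 unreachable, length 36
03:07:42.500 IP 198.51.100.9.53 > 192.0.2.10.33444: UDP, length 120
"""

IPV4 = r"(\d+(?:\.\d+){3})"
UDP_RE = re.compile(IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): UDP, length (\d+)")
ICMP_RE = re.compile(IPV4 + r" > " + IPV4 + r": ICMP \S+ udp port (\d+) unreachable, length (\d+)")

# Never valid as a source on the public Internet. A packet carrying one of these
# as its source is spoofed beyond doubt; any other source merely *might* be.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def bogon_net(ip):
    """Return the bogon network containing ip, or None if the address is routable."""
    addr = ipaddress.ip_address(ip)
    for net in BOGONS:
        if addr in net:
            return net
    return None


def parse(text):
    """Yield (kind, src, dst, port, length) for UDP datagrams and ICMP port-unreachables."""
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            src, _sport, dst, dport, length = m.groups()
            yield "udp", src, dst, int(dport), int(length)
            continue
        m = ICMP_RE.search(line)
        if m:
            src, dst, port, length = m.groups()
            yield "icmp-unreach", src, dst, int(port), int(length)


def triage(text):
    """Find the hammered port, split its sources into provable bogons and the rest,
    and total the bytes the victim spent replying. Returns None if no UDP was seen."""
    udp_by_port = Counter()
    sources_by_port = defaultdict(Counter)
    icmp_bytes = 0
    for kind, src, _dst, port, length in parse(text):
        if kind == "udp":
            udp_by_port[port] += 1
            sources_by_port[port][src] += 1
        else:
            icmp_bytes += length
    if not udp_by_port:
        return None
    flood_port, hits = udp_by_port.most_common(1)[0]
    sources = sources_by_port[flood_port]
    return {
        "flood_port": flood_port,
        "packets": hits,
        "bogon_nets": sorted({str(bogon_net(s)) for s in sources if bogon_net(s)}),
        "unproven_sources": sorted(s for s in sources if not bogon_net(s)),  # ISP needed to trace
        "icmp_reply_bytes": icmp_bytes,
    }


def drop_rules(report, polite=False):
    """Linux netfilter rules (assumed platform, standing in for a router null route).
    Bogon source networks are dropped outright. The flooded port is either dropped
    silently, which costs no reply, or rejected with the same ICMP port-unreachable
    the stack would have generated anyway."""
    rules = [f"iptables -I INPUT -s {net} -j DROP" for net in report["bogon_nets"]]
    action = "-j REJECT --reject-with icmp-port-unreachable" if polite else "-j DROP"
    rules.append(f"iptables -I INPUT -p udp --dport {report['flood_port']} {action}")
    return rules


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    print(report)
    print("\n".join(drop_rules(report)))
```

The per-network rules are the BCP 38 style ingress filter that should sit on the border router permanently; the per-port rule is the emergency measure. Note that "unproven" sources cannot be distinguished from genuine ones here, which is why the only real trace path for them runs through the ISP.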