Still problems with ra -A (and tcp smurf logs)
Russell Fulton
r.fulton at auckland.ac.nz
Mon Dec 4 19:47:28 EST 2000
I am still getting the occasional screwy count with -A. In this case
everything was fine except for the 255.255.255.255 records.
bash-2.04$ bin/ra -Zb -ncr data/2000.12.04/argus-2000.12.04.21.00.gz - host 216.93.65.65 | grep 255.255
04 Dec 00 20:55:49.851285 tcp 255.255.255.255.80 o> 216.93.65.65.38971 192 0 12288 0 RA_
04 Dec 00 20:55:48.705615 tcp 255.255.255.255.80 o> 216.93.65.65.46588 246 0 15744 0 RA_
04 Dec 00 20:55:47.292610 tcp 255.255.255.255.80 o> 216.93.65.65.46587 764 0 48896 0 RA_
04 Dec 00 20:55:48.511802 tcp 255.255.255.255.80 o> 216.93.65.65.38970 768 0 49152 0 RA_
bash-2.04$ bin/ra -AZb -ncr data/2000.12.04/argus-2000.12.04.21.00.gz - host 216.93.65.65 | grep 255.255
04 Dec 00 20:55:49.851285 tcp 255.255.255.255.80 o> 216.93.65.65.38971 192 0 0 -162525840 RA_
04 Dec 00 20:55:48.705615 tcp 255.255.255.255.80 o> 216.93.65.65.46588 246 0 0 -324525512 RA_
04 Dec 00 20:55:47.292610 tcp 255.255.255.255.80 o> 216.93.65.65.46587 764 0 0 -1983371664 RA_
04 Dec 00 20:55:48.511802 tcp 255.255.255.255.80 o> 216.93.65.65.38970 768 0 0 1492133488 RA_
In case any of you are wondering what provoked this weird traffic, it
resulted from a tcp scan (ACK to port 80) directed against
130.216.*.255. Some sort of tcp smurf?
Here is a sample of the triggering traffic:
04 Dec 00 20:56:01.574232 tcp 216.93.65.65.38971 o> 130.216.202.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.577682 tcp 216.93.65.65.38971 o> 130.216.203.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.578219 tcp 216.93.65.65.38971 o> 130.216.204.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.579589 tcp 216.93.65.65.38971 o> 130.216.205.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.581133 tcp 216.93.65.65.38971 o> 130.216.206.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.583455 tcp 216.93.65.65.38971 o> 130.216.235.255.80 1 0 64 0 A_
I'm picking that 216.93.65.65 is the victim not the perpetrator.
Looks like it's time to block *.255 for tcp (I thought we already did, but obviously not :( ) as well as udp and icmp.
Anyone know why responding packets have source of all 1s?
A few machines did respond with their own source addresses.
Cheers, Russell.
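Added example, not from the post or the argus project: a small Python triage script over constructed ra-style records laid out like the output above. It flags the three things the post points at: tcp flows to a local directed-broadcast address, replies sourced from 255.255.255.255, and records whose -A counters have gone negative. The column layout, the split of 130.216.0.0/16 into /24s, and the sample records are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed ra-style records modelled on the post's output (not real argus data).
SAMPLE_RECORDS = """\
04 Dec 00 20:55:49.851285 tcp 255.255.255.255.80 o> 216.93.65.65.38971 192 0 0 -162525840 RA_
04 Dec 00 20:55:48.705615 tcp 255.255.255.255.80 o> 216.93.65.65.46588 246 0 15744 0 RA_
04 Dec 00 20:56:01.574232 tcp 216.93.65.65.38971 o> 130.216.202.255.80 1 0 64 0 A_
04 Dec 00 20:56:01.577682 tcp 216.93.65.65.38971 o> 130.216.203.255.80 1 0 64 0 A_
04 Dec 00 20:56:05.000000 tcp 216.93.65.65.38972 o> 130.216.202.17.80 1 0 64 0 A_
"""
# Assumed: campus 130.216.0.0/16 is split into /24s, so 130.216.x.255 is a directed broadcast.
LOCAL_NETS = list(ip_network("130.216.0.0/16").subnets(new_prefix=24))

# Column layout assumed from the post: date time proto src.port dir dst.port spkts dpkts sbytes dbytes state
RECORD_RE = re.compile(
    r"^(?P<date>\d{2} \w{3} \d{2}) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) (?P<dir>\S+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+) "
    r"(?P<spkts>-?\d+) (?P<dpkts>-?\d+) (?P<sbytes>-?\d+) (?P<dbytes>-?\d+) (?P<state>\S+)$"
)

def parse_record(line):
    """Return the record's fields as a dict, or None for a line that is not a flow record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
        rec[k] = int(rec[k])
    return rec

def is_directed_broadcast(addr, local_nets=LOCAL_NETS):
    return any(ip_address(addr) == net.broadcast_address for net in local_nets)

def triage(text, local_nets=LOCAL_NETS):
    """Tag each record; returns (tag, line) pairs for the three patterns from the post."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and is_directed_broadcast(rec["dst"], local_nets):
            findings.append(("tcp-to-directed-broadcast", line))  # the ACK sweep of 130.216.*.255
        if rec["src"] == "255.255.255.255":
            findings.append(("reply-from-limited-broadcast", line))  # replies sourced from all 1s
        if min(rec["spkts"], rec["dpkts"], rec["sbytes"], rec["dbytes"]) < 0:
            findings.append(("negative-counter", line))  # the screwy ra -A counts
    return findings
```

Feeding real `ra -n` output through `triage()` gives one quick way to separate the sweep, the broadcast-sourced replies, and the counter bug from each other before deciding what to block.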