Argus Flow reversal with ECRs ??
Carter Bullard
cbullard at nortelnetworks.com
Tue Feb 15 09:05:24 EST 2000
Hey Russell,
Yes I think that there was/is a possibility for ra()
to mess up on this one, but I'm pretty confident that
the 1.8 code addresses this problem.
As a test, if you could capture packets for a few
moments during one of your dds runs, using either tcpdump()
or snoop(), I can test 1.8 for correctness.
Carter
> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton at auckland.ac.nz]
> Sent: Sunday, February 13, 2000 6:20 PM
> To: Bullard, Carter [NYPAR:DS33:EXCH]
> Subject: Argus Flow reversal with ECRs ??
>
>
> Hi Carter,
> Another possible problem with direction of traffic as
> reported by ra/argus. Below is a trace of traffic which I interpret
> to indicate that ECR packets were going from 130.0.x.x to
> 130.216.4.28.
>
> In fact the reverse is true. What we have here is me (130.216.4.28)
> accidentally spraying ECRs around 130.0/16. I was using the ddos
> detection tool and trying to scan our network, but ended up scanning
> 130.0 instead ( I typed dds 130.216/16 instead of dds
> 130.216.0.0/16).
>
> Sigh...
>
>
> 11 Feb 00 13:08:29 icmp 130.0.6.252 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.6.253 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.6.254 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.6.255 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.0 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.1 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.2 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.3 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.4 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.5 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.6 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.7 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.8 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.9 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.10 -> 130.216.4.28 2 0 ECR
> 11 Feb 00 13:08:29 icmp 130.0.7.11 -> 130.216.4.28 2 0 ECR
>
> I have been pondering how I could use argus to detect traffic between master
> and client ddos systems and decided to dump out all the ECRs for last week and
> noticed that the flows seem to be reversed here.
>
> Sorry I am still not running the release version of 1.8. What you see here is
> the last one you mailed out to me.
>
> Cheers, Russell.
>
>
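The thread turns on one point: an ICMP echo-reply (ECR) record with no echo request seen cannot have its direction corroborated from the flow record alone, and a burst of such records sharing one timestamp and one fixed endpoint (here 130.216.4.28) says more about who drove the traffic than the arrow does. The script below is an added example written for this archive page, not Argus or ra code. It re-joins the quoted records into the one-line layout (date, time, proto, src, `->`, dst, two counters, state; the meaning of the two counters is not stated in the thread and they are kept but not interpreted) and applies two defender-side checks: list ECR flows with no ECO flow between the same pair, and report the pivot endpoint of any same-second sweep so that its reported direction is verified against a packet capture, which is exactly what Carter asks for. The two ECO/ECR rows for 130.216.9.1 are constructed to show what a corroborated exchange looks like in this layout; how ra really renders such a pair is not documented here.

```python
"""Direction sanity checks for ICMP echo-reply (ECR) records in ra-style output.

Added example for the Argus list thread; not Argus/ra code. Assumptions:
  - records use the 11-token layout seen in the quoted trace;
  - 'ECO' marks an echo-request flow and 'ECR' an echo-reply flow.
"""
import ipaddress
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "ts proto src dst c1 c2 state")

# Constructed sample: the first eight sweep records from the thread, re-joined
# to one record per line, plus one made-up ECO/ECR pair for contrast.
SAMPLE = """\
11 Feb 00 13:08:29 icmp 130.0.6.252 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.6.253 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.6.254 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.6.255 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.7.0 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.7.1 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.7.2 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:29 icmp 130.0.7.3 -> 130.216.4.28 2 0 ECR
11 Feb 00 13:08:40 icmp 130.216.4.28 -> 130.216.9.1 1 1 ECO
11 Feb 00 13:08:40 icmp 130.216.9.1 -> 130.216.4.28 1 0 ECR
"""


def parse(text):
    """Parse one-record-per-line ra-style ICMP output into Record tuples."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        # Skip anything that is not in the assumed 11-token icmp layout.
        if len(f) != 11 or f[4] != "icmp" or f[6] != "->":
            continue
        ts = " ".join(f[:4])  # "11 Feb 00 13:08:29"
        recs.append(Record(ts, f[4], f[5], f[7], int(f[8]), int(f[9]), f[10]))
    return recs


def pair_key(rec):
    """Direction-agnostic key: the two hosts of the flow."""
    return frozenset((rec.src, rec.dst))


def unsolicited_ecr(recs):
    """ECR records for which no ECO record exists between the same two hosts.

    For these the arrow in the record is uncorroborated: nothing in the flow
    data shows which side actually emitted the echo reply."""
    requested = {pair_key(r) for r in recs if r.state == "ECO"}
    return [r for r in recs if r.state == "ECR" and pair_key(r) not in requested]


def covering_network(addrs):
    """Smallest IPv4 prefix that contains every address in addrs."""
    ints = [int(ipaddress.ip_address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def sweep_pivots(recs, min_fanout=4):
    """Find endpoints that appear in >= min_fanout unsolicited ECR records
    within one timestamp, each with a different peer.

    Returns {pivot_host: (timestamp, peer_count, covering_prefix_of_peers)}.
    The pivot is the host common to the burst; in the thread it was the real
    sender even though every arrow pointed at it, so treat the reported
    direction as unverified and confirm it with tcpdump/snoop."""
    fanout = defaultdict(set)
    for r in unsolicited_ecr(recs):
        fanout[(r.ts, r.src)].add(r.dst)
        fanout[(r.ts, r.dst)].add(r.src)
    pivots = {}
    for (ts, host), peers in fanout.items():
        if len(peers) >= min_fanout:
            pivots[host] = (ts, len(peers), str(covering_network(peers)))
    return pivots


if __name__ == "__main__":
    records = parse(SAMPLE)
    for r in unsolicited_ecr(records):
        print("uncorroborated ECR:", r.ts, r.src, "->", r.dst)
    for host, (ts, n, net) in sweep_pivots(records).items():
        print(f"sweep pivot {host} at {ts}: {n} peers in {net}; verify direction")
```

On the sample this lists the eight sweep records as uncorroborated and reports 130.216.4.28 as the pivot of a burst touching 8 peers in 130.0.6.0/23, while the 130.216.9.1 reply is left alone because a matching ECO flow exists. Raising `min_fanout` trades sensitivity for fewer reports on busy monitors.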