1.8.1 and 2.0.0n differences
Peter Van Epp
vanepp at sfu.ca
Mon Oct 9 15:12:40 EDT 2000
> Hey Russell,
> I was under the impression that a broadcast address
> as the source is considered illegal by a router, so
> anything with a 255.255.255.255 source address should
> be local? Did they come from a local MAC address?
I don't think either our SSR or our Cisco look at source address/MAC
at all, only destination, unless there is an access list in place that tells it
to (although I could be wrong).
>
> Carter
>
> -----Original Message-----
> From: owner-argus at lists.andrew.cmu.edu
> [mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of Russell Fulton
> Sent: Monday, October 09, 2000 12:08 AM
> To: Argus (E-mail)
> Subject: 1.8.1 and 2.0.0n differences
>
>
> Hi Carter,
> Here is a short burst of traffic that got reported rather
> differently by ra in two different versions of argus.
>
> 1.8.1 sets FINWAIT and RST, 2.0.0 just sets EST. What flags were really in
> those packets I don't know :( I had thought that the FR records were
> generated by lone RST packets in 1.8.
>
> Aside: If anyone has any ideas about the significance of this traffic
> I would be interested. I'm guessing that it is some kind of fallout
> from an attack on 209.92.32.58 where packets with our address were
> used but where the 255.255.255.255 record fits in I don't know.
>
I'd guess this was a forged smurf attack (although it's unclear how
the 255.255.255.255 packets got back to you unless there was a less than
careful flow established in the hardware routing engines of the routers
in the way). With the source address being broadcast, if you can get a machine
to reply to the packet it will nicely flood the net on the broadcast address.
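The thread turns on two checks a router or border filter could make but, as Peter notes, usually does not unless an access list tells it to: a broadcast address as the packet source (Carter's point) and a source inside your own address space arriving from outside (the forged-source reflection Russell suspects). The following is an added example, not code from the argus project or from anyone on this thread, showing those ingress sanity checks in Python. The address space (192.0.2.0/24, a documentation range) and the "external"/"internal" interface labels are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed placeholder for "our" address space; a real deployment would
# list the prefixes actually routed to the site.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def check_source(src, iface, local_nets=LOCAL_NETS):
    """Return None if the source address is plausible for this interface,
    otherwise a short reason string describing why it should be dropped.

    iface is "external" (packet came from the outside world) or "internal"
    (packet came from our own network); this is an assumed two-sided model.
    """
    addr = ipaddress.ip_address(src)

    # A broadcast address is never a legitimate unicast source; any reply to
    # it is amplified onto the whole segment (the smurf pattern in the thread).
    if addr == LIMITED_BROADCAST:
        return "limited broadcast source"
    for net in local_nets:
        if addr == net.broadcast_address:
            return "directed broadcast source"

    # Multicast and loopback sources are equally nonsensical on the wire.
    if addr.is_multicast:
        return "multicast source"
    if addr.is_loopback:
        return "loopback source"

    # Anti-spoofing: our own addresses must not arrive from outside, and
    # packets leaving our network must carry one of our addresses.
    inside = any(addr in net for net in local_nets)
    if iface == "external" and inside:
        return "spoofed local source on external interface"
    if iface == "internal" and not inside:
        return "non-local source on internal interface"
    return None


def summarize(records, local_nets=LOCAL_NETS):
    """Count drop reasons over (src, iface) pairs; accepted packets are
    counted under the key 'ok'."""
    counts = Counter()
    for src, iface in records:
        reason = check_source(src, iface, local_nets)
        counts[reason or "ok"] += 1
    return dict(counts)


# Constructed sample records mirroring the shapes discussed in the thread:
# a broadcast-sourced packet, a forged "our address" packet from outside,
# and ordinary traffic.
SAMPLE_RECORDS = [
    ("255.255.255.255", "external"),
    ("192.0.2.10", "external"),
    ("198.51.100.7", "external"),
    ("192.0.2.10", "internal"),
    ("192.0.2.255", "external"),
]

if __name__ == "__main__":
    for src, iface in SAMPLE_RECORDS:
        print(f"{src:>16} via {iface:<8} -> {check_source(src, iface) or 'ok'}")
    print(summarize(SAMPLE_RECORDS))
```

Only the first two checks depend on nothing but the address itself; the anti-spoofing pair needs the router to know which interface faces the outside, which is exactly the per-interface access list Peter says his SSR and Cisco do not apply by default.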