Attack on Iraq [7:65805]
All, I wish you all the best of luck, and I hope that you and your families will be safe. I have no doubt that we will have to deal with troublesome situations, and I hope none of you get caught up in them. Best wishes, and I hope you are all OK through this.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65805&t=65805
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Urgent Help !! How to check who's always attack my firewall [7:64088]
You are looking to do a DNS look-up. Example:

DNS lookup command issued. Waiting for reply...
Office host name: w14.www.dcn.yahoo.com
Internet address: 216.109.125.67
DNS lookup command completed.

If the DNS look-up does not work, look into finding someone with SolarWinds software (solarwinds.com). Hope that this helped.

= = = Original message = = =

Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how am I to check who they are?

Please help...!! Thanks

Rgds,
Steiven
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64088&t=64088
Re: Urgent Help !! How to check who's always attack my firewall [7:64085]
> Dear All,
>
> I believe someone is always trying to hack my private network.
> I got the IP address; how am I to check who they are?
>
> Please help...!! Thanks
>
> Rgds,
> Steiven

If they're being blocked at your firewall it may be best to just leave them alone. I don't know if it's very helpful to try to track hackers down. Besides, you might not be seeing the true source IP address, but I suppose that depends on the particular attack they were attempting.

If you're curious, you can go to www.arin.net/whois and enter the IP address. That will return information regarding the administrator and 'owner' of that netblock. If you really decide that it's necessary, you could contact the administrator listed on that page, assuming that information is even correct. I'd suggest that since you're aware of them it's not going to do much good to pursue them. On the other hand, that depends on the nature of their attacks and the nature of the information you're trying to secure.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64085&t=64085
Re: Urgent Help !! How to check who's always attack my firewall [7:64084]
Finally a question I can help with... go to http://www.uwhois.com

regards,
odus

Original Message Follows
From: "Steiven Poh-(Jaring MailBox)"
Reply-To: "Steiven Poh-(Jaring MailBox)"
To: [EMAIL PROTECTED]
Subject: Urgent Help !! How to check who's always attack my firewall [7:64064]
Date: Fri, 28 Feb 2003 11:35:41 GMT

Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how am I to check who they are?

Please help...!! Thanks

Rgds,
Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64084&t=64084
RE: Urgent Help !! How to check who's always attack my firewall [7:64073]
Go to ARIN.net. If it's outside North America, it will refer you. Remember that IP addresses can be SPOOFED.

HTH,
Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steiven Poh-(Jaring MailBox)
Sent: Friday, February 28, 2003 6:36 AM
To: [EMAIL PROTECTED]
Subject: Urgent Help !! How to check who's always attack my firewall [7:64064]

Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how am I to check who they are?

Please help...!! Thanks

Rgds,
Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64073&t=64073
Re: Urgent Help !! How to check who's always attack my firewall [7:64068]
Try NSLOOKUP and a WHOIS query. It will tell you either the customer info or a service provider block. If it tells you about a service provider, then you should contact this provider and send them a log; let them know that one of their customers is trying to hack into your network. They will definitely take action.

Use this link: http://www.all-nettools.com/tools1.htm

"Steiven Poh-(Jaring MailBox)" wrote in message news:[EMAIL PROTECTED]
> Dear All,
>
> I believe someone is always trying to hack my private network.
> I got the IP address; how am I to check who they are?
>
> Please help...!! Thanks
>
> Rgds,
> Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64068&t=64068
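The replies in this thread describe one triage procedure: pull the source addresses out of the firewall's deny log, reverse-resolve them (the NSLOOKUP step), and then decide whether a WHOIS / abuse-contact follow-up is worth the effort, bearing in mind that a single blocked packet can carry a forged source address. The Python script below is an added example and is not code from any post in this thread. Its deny-log lines are constructed for the example (they imitate the Cisco PIX 106023 "Deny" syslog message but are not from the original poster), the addresses are RFC 5737 documentation addresses, and the `resolver` parameter is an assumption of this example so the DNS call can be swapped for a canned one when testing offline. The WHOIS step itself is left to the ARIN, uwhois and all-nettools sites named in the replies.

```python
"""Firewall deny-log triage: which sources keep hitting the firewall, what do
they reverse-resolve to, and which are worth a WHOIS / abuse-contact follow-up?
Added example; the log lines are constructed (PIX-style 106023 messages using
RFC 5737 documentation addresses), not taken from the original post."""
import re
import socket
from collections import defaultdict

# Constructed sample log, not from the original post. The last line is a
# non-deny message and exists only to show that the parser skips it.
SAMPLE_LOG = """\
Feb 28 2003 11:30:02: %PIX-4-106023: Deny tcp src outside:203.0.113.7/3201 dst inside:192.168.1.10/80 by access-group "outside_in"
Feb 28 2003 11:30:03: %PIX-4-106023: Deny tcp src outside:203.0.113.7/3202 dst inside:192.168.1.10/443 by access-group "outside_in"
Feb 28 2003 11:30:03: %PIX-4-106023: Deny tcp src outside:203.0.113.7/3203 dst inside:192.168.1.10/22 by access-group "outside_in"
Feb 28 2003 11:31:10: %PIX-4-106023: Deny udp src outside:198.51.100.23/53 dst inside:192.168.1.10/1434 by access-group "outside_in"
Feb 28 2003 11:32:45: %PIX-4-106023: Deny tcp src outside:203.0.113.7/3204 dst inside:192.168.1.11/80 by access-group "outside_in"
Feb 28 2003 11:33:00: %PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.9/4000 to inside:192.168.1.10/25
"""

DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Extract proto / src / dst / dport from every 106023 deny line; other
    messages (connection builds, teardowns, ...) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"proto": m["proto"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def summarize(events):
    """Group denies per source: hit count, distinct destination ports, protocols."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "protos": set()})
    for e in events:
        s = per_src[e["src"]]
        s["hits"] += 1
        s["ports"].add(e["dport"])
        s["protos"].add(e["proto"])
    return dict(per_src)


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """The nslookup step from the thread: the PTR name for ip, or None when the
    address has no reverse record or DNS is unreachable. `resolver` is an
    assumption of this example so a canned lookup can be injected offline."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return None


def triage(log_text, resolver=socket.gethostbyaddr, min_hits=3):
    """Rank sources by how persistently they hit the firewall and mark which
    ones justify a WHOIS / abuse-contact follow-up.

    follow_up is set only when a source was denied at least min_hits times
    across two or more destination ports. A single blocked packet is not worth
    chasing, and its source field may be forged (the "IP addresses can be
    spoofed" caveat in the thread): none of these packets completed a
    handshake, so the address is a lead, not proof of who sent it."""
    rows = []
    for src, s in summarize(parse_denies(log_text)).items():
        rows.append({
            "src": src,
            "hits": s["hits"],
            "ports": sorted(s["ports"]),
            "protos": sorted(s["protos"]),
            "ptr": reverse_lookup(src, resolver),
            "follow_up": s["hits"] >= min_hits and len(s["ports"]) >= 2,
        })
    rows.sort(key=lambda r: r["hits"], reverse=True)
    return rows


if __name__ == "__main__":
    # Uses the real resolver; documentation addresses simply show ptr=None.
    for r in triage(SAMPLE_LOG):
        print(f'{r["src"]:16} hits={r["hits"]:<3} ports={r["ports"]} '
              f'ptr={r["ptr"]} follow_up={r["follow_up"]}')
```

Run it as a script to see the ranked table; feed it a real deny log by replacing `SAMPLE_LOG`. The output of `triage` is what you would attach when contacting the provider found through WHOIS: the hit count, the ports probed and the PTR name, rather than a bare IP address.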
Urgent Help !! How to check who's always attack my firewall [7:64063]
Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how am I to check who they are?

Please help...!! Thanks

Rgds,
Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64063&t=64063
Urgent Help !! How to check who's always attack my firewall [7:64064]
Dear All,

I believe someone is always trying to hack my private network. I got the IP address; how am I to check who they are?

Please help...!! Thanks

Rgds,
Steiven

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64064&t=64064
Re: Is a Virus or Hacker attack?? [7:60114]
""Geoff Zinderdine"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > to bring this back into the Cisco realm, Cisco NBAR ( network based > > application recognition ) I believe was intended to provide another > > dimension to the QoS classification process. now it can also be used as a > > filter against certain virus / macro virus attacks. > > NBAR thus far does a poor job of what products like Radware and Fortigate do > very well. Network-based virus screening implemented in ASIC is a very > exciting development, in my opinion. Fortinet can do it fast enough on some > of their boxes for the provider edge. NBAR is perhaps better than nothing, > but it is neither sophisticated enough nor granular enough to do much. I > really hope more providers start adopting these technologies. It will save > us all allot of grief. you know Geoff, you are absolutely right. this is true with many technologies. I work in sales, and I see product announcements and attend various vendor educational webcasts regularly. Then I think about questions on this newsgroup - how do I get my PIX to do this, how do I get my router to do that, and all I can think is that there are many vender alternatives that are far superior to trying to make a Cisco router or a Cisco PIX do any number of things that slow down the processing and then do the job less effectively anyway. Products like QoSWorks and NetVMG are first rate. Unfortunately, the small to medium city, county, school district, and medical organizations I cover usually cannot afford many of these products. Plus the telco I work for believes ( like any telco ) that we should be pushing more bandwidth. Programs like e-rate seem to have changed a lot of the dynamic as well. 
And the Cisco account teams are very good at getting into these places and convincing staff IT people ( who are not necessarily the best and the brightest in the markets I cover - not with what they are paid ) that the Cisco product line is the answer to every problem. Can't complain, though. I make a decent living selling Cisco too. :-> > > Geoff Zinderdine > CCIE #10410 Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60294&t=60114 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Is a Virus or Hacker attack?? [7:60114]
> to bring this back into the Cisco realm, Cisco NBAR (network based application recognition) I believe was intended to provide another dimension to the QoS classification process. now it can also be used as a filter against certain virus / macro virus attacks.

NBAR thus far does a poor job of what products like Radware and Fortigate do very well. Network-based virus screening implemented in ASIC is a very exciting development, in my opinion. Fortinet can do it fast enough on some of their boxes for the provider edge. NBAR is perhaps better than nothing, but it is neither sophisticated enough nor granular enough to do much. I really hope more providers start adopting these technologies. It will save us all a lot of grief.

Geoff Zinderdine
CCIE #10410

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60288&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
maybe we can get nfr to weigh in here, and this thread can perpetuate itself at least as long as the Cert versus Degree thread :->

""Priscilla Oppenheimer"" wrote in message news:[EMAIL PROTECTED]...
> The Long and Winding Road wrote:
> >
> > ""Priscilla Oppenheimer"" wrote in
> > >
> > > Bill Gates and Steve Jobs are very smart people, but when they champion software that thinks it's smarter than the user, most users just get annoyed. ;-)
> >
> > I disagree with your implication here.
>
> You didn't understand my implication.
>
> > The whole point of the PC revolution was to make computing easy for the end user. I think apple and eventually microsoft have done wonderful things in that respect.
>
> I'm not talking about computers being easy to use; I'm talking about artificial intelligence and expert systems. I'm talking about spam filters that learn what you consider spam, for example. Both Mac OS and Microsoft have a lot of this type of software built into their operating systems and applications. In some cases it works well. For example, I think the Microsoft Word spell checker is a beautiful piece of software unparalleled by any other spell checker I've used. What makes it superior is that it learns about the current user. But I think Internet Explorer deciding that it should hijack your ability to play video or music is awful. It decides to do things on its own, sometimes without user input. That's not a great example, but if I gave it more thought I could come up with lots of cases where Microsoft (and Apple) software does things behind your back, in some cases because expert-system-type software is making decisions without your input.
>
> Sorry that this is way O/T and even off-topic from what we were discussing and not really related to the off-topic point you are trying to make about unintended consequences. :-)
>
> Priscilla
>
> > however, as with anything else, the law of unintended consequences comes into play. they made it easy for businesses to develop templates to make employees more effective in their work. the unintended consequence is they made it easy for malicious people to use those tools to create macro viruses. they made it easy for you and me to send documents or pictures to our friends and relatives, and for those people to open the docs and see the content. the unintended consequence is that they made it easy for malicious people to spread their wickedness.
> >
> > to bring this back into the Cisco realm, Cisco NBAR (network based application recognition) I believe was intended to provide another dimension to the QoS classification process. now it can also be used as a filter against certain virus / macro virus attacks.
> >
> > > Priscilla
> > >
> > > Howard C. Berkowitz wrote:
> > > >
> > > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > > > Hopefully you trained her not to open attachments in the future unless she knows the sender and is expecting an attachment from that sender. It's an obvious point, but nobody had brought it up yet! :-)
> > > > >
> > > > > Priscilla
> > > >
> > > > May all such attackers get a personalized virus. There's a wide range of choices of gastrointestinal ones. Somehow, such people remind me of a baby's alimentary tract: a loud voice at one end and no sense of responsibility at the other.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60249&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
The Long and Winding Road wrote:
>
> ""Priscilla Oppenheimer"" wrote in
> >
> > Bill Gates and Steve Jobs are very smart people, but when they champion software that thinks it's smarter than the user, most users just get annoyed. ;-)
>
> I disagree with your implication here.

You didn't understand my implication.

> The whole point of the PC revolution was to make computing easy for the end user. I think apple and eventually microsoft have done wonderful things in that respect.

I'm not talking about computers being easy to use; I'm talking about artificial intelligence and expert systems. I'm talking about spam filters that learn what you consider spam, for example. Both Mac OS and Microsoft have a lot of this type of software built into their operating systems and applications. In some cases it works well. For example, I think the Microsoft Word spell checker is a beautiful piece of software unparalleled by any other spell checker I've used. What makes it superior is that it learns about the current user. But I think Internet Explorer deciding that it should hijack your ability to play video or music is awful. It decides to do things on its own, sometimes without user input. That's not a great example, but if I gave it more thought I could come up with lots of cases where Microsoft (and Apple) software does things behind your back, in some cases because expert-system-type software is making decisions without your input.

Sorry that this is way O/T and even off-topic from what we were discussing and not really related to the off-topic point you are trying to make about unintended consequences. :-)

Priscilla

> however, as with anything else, the law of unintended consequences comes into play. they made it easy for businesses to develop templates to make employees more effective in their work. the unintended consequence is they made it easy for malicious people to use those tools to create macro viruses. they made it easy for you and me to send documents or pictures to our friends and relatives, and for those people to open the docs and see the content. the unintended consequence is that they made it easy for malicious people to spread their wickedness.
>
> to bring this back into the Cisco realm, Cisco NBAR (network based application recognition) I believe was intended to provide another dimension to the QoS classification process. now it can also be used as a filter against certain virus / macro virus attacks.
>
> > Priscilla
> >
> > Howard C. Berkowitz wrote:
> > >
> > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > > Hopefully you trained her not to open attachments in the future unless she knows the sender and is expecting an attachment from that sender. It's an obvious point, but nobody had brought it up yet! :-)
> > > >
> > > > Priscilla
> > >
> > > May all such attackers get a personalized virus. There's a wide range of choices of gastrointestinal ones. Somehow, such people remind me of a baby's alimentary tract: a loud voice at one end and no sense of responsibility at the other.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60243&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
""Priscilla Oppenheimer"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > This discussion could tie into the "New Technologies" thread! Technologies > that do a better job of protecting users from viruses could be big. And an > even harder problem is protecing us from spam. None of the solutions to that > problem work very well yet. The do-gooders that black-list e-mail servers do > more harm than good. The mail applications that try to apply artificial > intelligence to the problem show some promise, but don't work very well yet. the fundamental problem is determining what is spam and what is not. today's approach is one of examining content, matching keywords against "spam" words. for example "mortgage" or "enlarge" or the many variants that would lead one to p..o..r..n sites. as an aside, when warned that Groupstudy was the source of so much spam, I set up a special e-mail address that is advertised only to Groupstudy. I have yet ( knock on wood ) to receive a single spam message on that account. On the other hand, my primary account is now getting tons of spam, and I am now convinced this is the direct result of my using that e-mail address as the contact point for my web domain. forget hotmail. the folks there have demonstrated no interest at all in solving the spam problem. yahoo mail does a far better job of spam filtering. I have also notied that every ISP I have ever contacted about spam claims that the headers are forged, and that the spam did not originate from their servers. I still say the "solution" is to charge 10 cents for every e-mail sent out over a certain threshold - say 2000 per month. ISP people I have talked to about this say this would be impossible to track and enforce. so in the end, it is left to the recipient to do all the work. > Bill Gates and Steve Jobs are very smart people, but when they champion > software that thinks it's smarter than the user, most users just get > annoyed. 
;-) I disagree with your implication here. The whole point of the PC revolution was to make computing easy for the end user. I think apple and eventually mircrosoft have done wonderful things in that respect. however, as with anything else, the law of unintended consequences comes into play. they made it easy for businesses to develope templates to make employees more effective in their work. the unintended consequence is they made it easy for malicious people to use those tools to create maco viruses. they made it easy for you and I to send dfocumnets or pictures to our friends and relatives, and for those people to pen the docs and see the content. the unintended consequence is that they made it easy for malicious people to spread their wickedness. to bring this back into the Cisco realm, Cisco NBAR ( network based application recognition ) I believe was intended to provide another dimension to the QoS classification process. now it can also be used as a filter against certain virus / macro virus attacks. > > Priscilla > > > Howard C. Berkowitz wrote: > > > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote: > > >Hopefully you trained her not to open attachemnts in the > > future unless she > > >knows the sender and is expecting an attachment from that > > sender. It's an > > >obvious point, but nobody had brought it up yet! :-) > > > > > >Priscilla > > > > May all such attackers get a personalized virus. There's a > > wide > > range of choices of gastrointestinal ones. Somehow, such > > people > > remind me of a baby's alimentary tract: a loud voice at one end > > and > > no sense of responsibility at the other. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60233&t=60114 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Is a Virus or Hacker attack?? [7:60114]
This discussion could tie into the "New Technologies" thread! Technologies that do a better job of protecting users from viruses could be big. And an even harder problem is protecting us from spam. None of the solutions to that problem work very well yet. The do-gooders that black-list e-mail servers do more harm than good. The mail applications that try to apply artificial intelligence to the problem show some promise, but don't work very well yet.

Bill Gates and Steve Jobs are very smart people, but when they champion software that thinks it's smarter than the user, most users just get annoyed. ;-)

Priscilla

Howard C. Berkowitz wrote:
>
> At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > Hopefully you trained her not to open attachments in the future unless she knows the sender and is expecting an attachment from that sender. It's an obvious point, but nobody had brought it up yet! :-)
> >
> > Priscilla
>
> May all such attackers get a personalized virus. There's a wide range of choices of gastrointestinal ones. Somehow, such people remind me of a baby's alimentary tract: a loud voice at one end and no sense of responsibility at the other.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60229&t=60114
RE: Is a Virus or Hacker attack?? [7:60114]
At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> Hopefully you trained her not to open attachments in the future unless she knows the sender and is expecting an attachment from that sender. It's an obvious point, but nobody had brought it up yet! :-)
>
> Priscilla

May all such attackers get a personalized virus. There's a wide range of choices of gastrointestinal ones. Somehow, such people remind me of a baby's alimentary tract: a loud voice at one end and no sense of responsibility at the other.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60227&t=60114
RE: Is a Virus or Hacker attack?? [7:60114]
Hopefully you trained her not to open attachments in the future unless she knows the sender and is expecting an attachment from that sender. It's an obvious point, but nobody had brought it up yet! :-)

Priscilla

Richard Campbell wrote:
>
> Below is the original e-mail, and the attachment file is Love.scr
>
> > From: Lovers Screensavers
> > To: [EMAIL PROTECTED]
> > Subject: Free Screensavers of Love
> > Date: Wed, 01 Jan 2003 00:53:38 PM
> > Attachment: Love.scr
>
> Hello,
> The attached product is sent as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product. If you are satisfied then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5. Once your account reaches the limit of $50, your payment will be sent to your registration address by check or draft.
>
> Please note that the registration process is completely free which means by participating in this program you will only gain without losing anything.
>
> Best Regards,
> Admin,
> &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
>
> Besides, the "Hacker" also sent her a mail from this e-mail address
>
> > From: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Visit us
> > Date: Tue, 31 Dec 2002 23:25:58 PM
> #
> Below is what happened when she installed the screen saver.. Any suggestion for me??
>
> yes...when i download that file from hotmail...it has been scanned, but no virus is detected. then i download and put in my System folder in my Windows folder, as a screen saver will only run after being saved into the System folder. so after i save it in the folder and install it, it has shown in my screen saver - Desktop display..but nothing shows..means no screen saver. But i have found a file (notepad) named "yEaHa" or something like this..the contents stated that the main purpose is to spread the yEaHa and they didn't state that he/she is a hacker. just that at the bottom stated an email add which is something like [EMAIL PROTECTED]
>
> then i have found that all my files in "My Documents" have become transparent. and other files in C drive also became transparent. and it has ticked "Hidden" in the file property. but i have unclicked it but it is still transparent. In my System folder there are a lot of Love icons with diff names like "girls", "Love xxx" etc. all in Love icons, after i have installed the file (Love icon) screen saver file which is named "Friends Happy".
>
> > From: "Kazan, Naim"
> > To: "'Richard Campbell'"
> > Subject: RE: Is a Virus or Hacker attack?? [7:60114]
> > Date: Thu, 2 Jan 2003 21:43:31 -0500
> >
> > A friend of mine ran into the same problem downloading some screen saver he thought his friend sent him. He ended up having the same problem. I think it is a hacker installing some kind of worm using your email to send it out on the internet.
> >
> > -Original Message-
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, January 02, 2003 9:04 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >
> > thanks for your info.. the strange thing is.. I found she actually got the attachment from her hotmail, not yahoo mail. I thought hotmail scanned all the attachments with the latest McAfee AntiVirus??? Besides, she actually downloaded the Norton AntiVirus definition file last month, but now its norton fails to start
> >
> > > From: "John Neiberger"
> > > Reply-To: "John Neiberger"
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> > > Date: Thu, 2
RE: Is a Virus or Hacker attack?? [7:60114]
A quick search on www.symantec.com shows that this is a variant of the W32.Yaha.K@mm worm. Go to http:[EMAIL PROTECTED] to get more details, including removal instructions.

Good luck,
John

>>> "Richard Campbell" 1/2/03 11:10:26 PM >>>
Below is the original e-mail, and the attachment file is Love.scr

> From: Lovers Screensavers
> To: [EMAIL PROTECTED]
> Subject: Free Screensavers of Love
> Date: Wed, 01 Jan 2003 00:53:38 PM
> Attachment: Love.scr

Hello,
The attached product is sent as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product. If you are satisfied then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5. Once your account reaches the limit of $50, your payment will be sent to your registration address by check or draft.

Please note that the registration process is completely free which means by participating in this program you will only gain without losing anything.

Best Regards,
Admin,
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Besides, the "Hacker" also sent her a mail from this e-mail address

> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Visit us
> Date: Tue, 31 Dec 2002 23:25:58 PM
#
Below is what happened when she installed the screen saver.. Any suggestion for me??

yes...when i download that file from hotmail...it has been scanned, but no virus is detected. then i download and put in my System folder in my Windows folder, as a screen saver will only run after being saved into the System folder. so after i save it in the folder and install it, it has shown in my screen saver - Desktop display..but nothing shows..means no screen saver. But i have found a file (notepad) named "yEaHa" or something like this..the contents stated that the main purpose is to spread the yEaHa and they didn't state that he/she is a hacker. just that at the bottom stated an email add which is something like [EMAIL PROTECTED]

then i have found that all my files in "My Documents" have become transparent. and other files in C drive also became transparent. and it has ticked "Hidden" in the file property. but i have unclicked it but it is still transparent. In my System folder there are a lot of Love icons with diff names like "girls", "Love xxx" etc. all in Love icons, after i have installed the file (Love icon) screen saver file which is named "Friends Happy".

> From: "Kazan, Naim"
> To: "'Richard Campbell'"
> Subject: RE: Is a Virus or Hacker attack?? [7:60114]
> Date: Thu, 2 Jan 2003 21:43:31 -0500
>
> A friend of mine ran into the same problem downloading some screen saver he thought his friend sent him. He ended up having the same problem. I think it is a hacker installing some kind of worm using your email to send it out on the internet.
>
> -Original Message-
> From: Richard Campbell [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 02, 2003 9:04 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>
> thanks for your info.. the strange thing is.. I found she actually got the attachment from her hotmail, not yahoo mail. I thought hotmail scanned all the attachments with the latest McAfee AntiVirus??? Besides, she actually downloaded the Norton AntiVirus definition file last month, but now its norton fails to start
>
> > From: "John Neiberger"
> > Reply-To: "John Neiberger"
> > To: [EMAIL PROTECTED]
> > Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> > Date: Thu, 2 Jan 2003 17:51:00 GMT
> >
> > The solution, which both of you really should know, is to have up-to-date antivirus software running on any machine that connects to the internet in any way. :-)
> >
> > In the meantime, she could browse to www.symantec.com and run the web-based antivirus detection that they have available. Once you determine which virus she is infected with you can get more details about how to remove it correctly. Regardless, she should run--not walk--to the neare
Re: Is a Virus or Hacker attack?? [7:60114]
Sorry and thanks Xueyan.. after I read her original virus mail carefully, I found that the virus that my friend has is exactly the same as the one described at your following link.. Thank you Group!

>From: "Xueyan Liu"
>Reply-To: "Xueyan Liu"
>To: [EMAIL PROTECTED]
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 18:42:07 GMT
>
>could be the yaha variant that's spreading these days. as John has
>mentioned, check out symantec website for removal tools.
>
>http:[EMAIL PROTECTED]
>
>Xueyan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60194&t=60114 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Is a Virus or Hacker attack?? [7:60114]
Below is the original e-mail, and the attachment file is Love.scr

>From: Lovers Screensavers
>To: [EMAIL PROTECTED]
>Subject: Free Screenavers of Love
>Date: Wed,01 Jan 2003 00:53:38 PM
>Attachment: Love.scr

Hello,

The attached product is sent as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product. If you are satisfied then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5. Once your account reaches the limit of $50, your payment will be sent to your registration address by check or draft. Please note that the registration process is completely free which means by participating in this program you will only gain without losing anything.

Best Regards,
Admin,
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Besides, the "Hacker" also sent her a mail from this e-mail address:

>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Visit us
>Date: Tue,31 Dec 2002 23:25:58 PM

# Below is what happened when she installed the screen saver.. Any suggestion for me??

yes... when I downloaded that file from hotmail it was scanned, but no virus was detected. Then I downloaded it and put it in the System folder in my Windows folder, as a screen saver can only run after being saved into the System folder. So after I saved it in the folder and installed it, it showed up in my screen saver (Desktop display) but nothing showed, meaning no screen saver. But I found a file (notepad) named "yEaHa" or something like this, whose contents stated that the main purpose is to spread the yEaHa, and they didn't state that he/she is a hacker; just that at the bottom there was an e-mail address which is something like [EMAIL PROTECTED]. Then I found that all my files in "My Documents" had become transparent, and other files in the C drive also became transparent, and "Hidden" was ticked in the file properties. I unticked it but it is still transparent. In my System folder there are a lot of Love icons with different names like "girls", "Love xxx" etc., all with Love icons, after I installed the (Love icon) screen saver file which is named "Friends Happy".

>From: "Kazan, Naim"
>To: "'Richard Campbell'"
>Subject: RE: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 21:43:31 -0500
>
>A friend of mine ran into the same problem downloading some screen saver he
>thought his friend sent him. He ended up having the same problem. I think it
>is a hacker installing some kind of worm using your email to send it out on
>the internet.
>
>-----Original Message-----
>From: Richard Campbell [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, January 02, 2003 9:04 PM
>To: [EMAIL PROTECTED]
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>
>
>thanks for your info.. the strange thing is.. I found she actually got the
>attachment from her hotmail not yahoo mail. I thought hotmail scans all the
>attachments with the latest McAfee AntiVirus??? Besides, she actually
>downloaded the Norton AntiVirus definition file last month, but now Norton
>fails to start
>
>
> >From: "John Neiberger"
> >Reply-To: "John Neiberger"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >Date: Thu, 2 Jan 2003 17:51:00 GMT
> >
> >The solution, which both of you really should know, is to have
> >up-to-date antivirus software running on any machine that connects to
> >the internet in any way. :-)
> >
> >In the meantime, she could browse to www.symantec.com and run the
> >web-based antivirus detection that they have available. Once you
> >determine which virus she is infected with you can get more details
> >about how to remove it correctly. Regardless, she should run--not
> >walk--to the nearest computer store and buy Norton AntiVirus or some
> >other AV software, and make sure she keeps her virus definitions
> >up-to-date.
> >
> >Regards,
> >John
> >
> >>>> "Richard Campbell" 1/2/03 10:34:01 AM
Re: Is a Virus or Hacker attack?? [7:60114]
thanks for your info.. the strange thing is.. I found she actually got the attachment from her hotmail not yahoo mail. I thought hotmail scans all the attachments with the latest McAfee AntiVirus??? Besides, she actually downloaded the Norton AntiVirus definition file last month, but now Norton fails to start

>From: "John Neiberger"
>Reply-To: "John Neiberger"
>To: [EMAIL PROTECTED]
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 17:51:00 GMT
>
>The solution, which both of you really should know, is to have
>up-to-date antivirus software running on any machine that connects to
>the internet in any way. :-)
>
>In the meantime, she could browse to www.symantec.com and run the
>web-based antivirus detection that they have available. Once you
>determine which virus she is infected with you can get more details
>about how to remove it correctly. Regardless, she should run--not
>walk--to the nearest computer store and buy Norton AntiVirus or some
>other AV software, and make sure she keeps her virus definitions
>up-to-date.
>
>Regards,
>John
>
>>>> "Richard Campbell" 1/2/03 10:34:01 AM >>>
>Hi... Group,
>
>I have a friend who received a mail containing a screen saver attachment in
>her yahoo mail account when she was surfing the net at home. She downloaded
>the screen saver and installed it. After installing, she found that her
>files in My Documents became transparent in color and there are many extra
>files in many places. Besides, she also found a notepad file on the desktop,
>stating that she had been hacked, yeah.. (something like that) and it can't
>be deleted (it will come back after rebooting). And its sound is also gone.
>Anyone encountered this so-called Hacker "Virus" before?? Any solution for
>me??
>
>Thanks in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60161&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
hey wasn't there a virus like 3 years ago with fireworks that did that??

Bri

On Thu, 2 Jan 2003, Richard Campbell wrote:

> Hi... Group,
>
> I have a friend who received a mail containing a screen saver attachment in
> her yahoo mail account when she was surfing the net at home. She downloaded the
> screen saver and installed it. After installing, she found that her files in
> My Documents became transparent in color and there are many extra files
> in many places. Besides, she also found a notepad file on the desktop,
> stating that she had been hacked, yeah.. (something like that) and it can't
> be deleted (it will come back after rebooting). And its sound is also gone.
> Anyone encountered this so-called Hacker "Virus" before?? Any solution for
> me??
>
> Thanks in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60141&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
could be the yaha variant that's spreading these days. as John has mentioned, check out the symantec website for removal tools.

http:[EMAIL PROTECTED]

Xueyan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60117&t=60114
Re: Is a Virus or Hacker attack?? [7:60114]
The solution, which both of you really should know, is to have up-to-date antivirus software running on any machine that connects to the internet in any way. :-)

In the meantime, she could browse to www.symantec.com and run the web-based antivirus detection that they have available. Once you determine which virus she is infected with you can get more details about how to remove it correctly. Regardless, she should run--not walk--to the nearest computer store and buy Norton AntiVirus or some other AV software, and make sure she keeps her virus definitions up-to-date.

Regards,
John

>>> "Richard Campbell" 1/2/03 10:34:01 AM >>>
Hi... Group,

I have a friend who received a mail containing a screen saver attachment in her yahoo mail account when she was surfing the net at home. She downloaded the screen saver and installed it. After installing, she found that her files in My Documents became transparent in color and there are many extra files in many places. Besides, she also found a notepad file on the desktop, stating that she had been hacked, yeah.. (something like that) and it can't be deleted (it will come back after rebooting). And its sound is also gone. Anyone encountered this so-called Hacker "Virus" before?? Any solution for me??

Thanks in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60115&t=60114
Is a Virus or Hacker attack?? [7:60114]
Hi... Group,

I have a friend who received a mail containing a screen saver attachment in her yahoo mail account when she was surfing the net at home. She downloaded the screen saver and installed it. After installing, she found that her files in My Documents became transparent in color and there are many extra files in many places. Besides, she also found a notepad file on the desktop, stating that she had been hacked, yeah.. (something like that) and it can't be deleted (it will come back after rebooting). And its sound is also gone. Anyone encountered this so-called Hacker "Virus" before?? Any solution for me??

Thanks in advance

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60114&t=60114
RE: Possible Attack???? [7:59813]
Unfortunately I can't share anything else, not because I don't want to but because these machines are owned by another customer. I am planning on following up with my customer to see if he can get some info from his customer in regards to what happened. Once I know I will post it. Thanks again.

Thanks,

Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

Sounds like you used a good method to track down the compromised machines (Sun SPARC stations). Can you tell us anything more about what had happened to them? Had someone installed a Trojan Horse or something?? Are there any URLs that describe the attack? I tried to find some last night but didn't, but maybe with more info you have found some. I think it would help us all to know more if you can share more.

Thanks for what you've told us so far!

Priscilla

([EMAIL PROTECTED] wrote:
>
> I was finally able to track down the infected PCs (yes, more than one).
> Below is a brief description of what occurred and the fix. First, thanks to
> all that responded to me.
>
> As previously mentioned, I had an attack on a customer of mine's network
> that was showing up as follows:
>
> SrcIf   SrcIPaddress   DstIf       DstIPaddress   Pr   SrcP DstP   Pkts
> Fa0/1   127.0.0.124    Se1/2.500   108.122.0.0    00               285
>
> The above capture is just 1 of a few hundred packets similar to it and all
> coming from a different source address on the 127.0.0.0 network. The amount
> of traffic was so large that at times it peaked to over 20MB and as a result
> it overran my WAN interfaces causing BGP to flap / reconverge. Just when
> BGP got a chance to come back up and learned all 115000 routes, the attack
> occurred again and the links would flap.
>
> Pinging the 127.0.0.x IP address from the edge router where the attack was
> initially spotted did not give me any replies. All I got were U. I was
> also not able to ping the broadcast address as all it gave me was U
> (unreachables) as well. There were no ARP entries on that router for that
> IP. I ended up enabling Netflow on the edge router (what you see above) in
> order to get more detail of what was going on. I got to see what interface
> it was coming in on so I applied an access-list on the router to filter out
> these packets. That allowed the router and BGP to stabilize. The next thing
> was to move on to the switch that was connected to this FA0/1 interface.
> This switch has a router module; I ended up doing the same thing as I did
> on the edge router except this time I also connected to the sc0 interface
> and I enabled one port as the mirroring port on the switch and placed a PC
> with Ethereal to monitor everything that was destined to 108.122.0.0 and I
> finally got a MAC address. I issued the show CAM command on the switch and
> it told me where it came from, which was another switch. I moved on to that
> other switch. The MAC address that was being reported was the MSM route
> module of that switch. I enabled netflow on it as well and I was able to
> see the VLAN that the attack was coming in on and the VLAN where it was
> destined to. Luckily there were only 2 PCs (Sun SPARC stations) on that
> VLAN and both were compromised. I removed them from the network and all is
> well. I did also have MRTG which helped some with identifying when the attack
> was going on and what direction it was coming in on and with the ports that
> were being most heavily utilized. This network is pretty big so it was
> difficult to monitor all the ports that were suspects. Thank you all again
> for your help.
>
> As far as the runt packets are concerned, to tell you the truth, I noticed
> that but did not pay too much attention to that part of the Netflow output
> since I was all wrapped up in tracking down where these packets were coming
> in from. Right now packets with size of 1-32 account for about 50% of all
> traffic.
>
> Thanks,
>
> Mario Puras
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410
> 888.449.5766 (USA) / 888.SOLUNET (Canada)
>
> -----Original Message-----
> From: jhodge [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 27, 2002 4:34 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
>
> Not sur
RE: OT - Possible Attack???? [7:59813]
Unix boxes are compromised all the time. You can read up on Bugtraq to hear about the exploits. Typically the security of any host is not a function of the operating system, but of how skilled and up to date the administrator is on security issues. The only reason you hear about more Windows boxes being compromised is because more end users run them, and more of the inexperienced administrators also prefer Windows because it is GUI based. Unfortunately, the same crowd of inexperienced administrators sometimes feel they are "more advanced" and try a unix based operating system, only sadly to succumb to the same fate: to create an insecure host due to their lack of knowledge of the inner workings of the operating system and the services it provides. The real cure is not a new operating system. It is doing some research and learning, or just getting a new administrator. :)

> Nice to hear a story of a *nix box being compromised... we all know how
> hush-hush that piece of news is kept ... of course we all know that only
> Windows boxes get compromised all the time, cuz they're so insecure
> (Tongue-in-cheek).
>
> ... sorry, couldn't resist. This is just a mini High-Five for all those
> Winblows comments that flow so fluidly on the list...
>
> More on topic-
> It's cool to hear someone describing in detail the troubleshooting steps
> taken to track down a "bad" host or two on a complex network... You
> don't hear about these stories very often.
>
> Consider this an Attaboy Pat on the Back for a job well done in hunting
> down the source of your problem with fairly efficient and well educated
> network troubleshooting skills.
>
> Have a great weekend!
>
> -Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 27, 2002 5:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
>
> I was finally able to track down the infected PCs (yes, more than one).
> Below is a brief description of what occurred and the fix. First, thanks to
> all that responded to me.
>
> As previously mentioned, I had an attack on a customer of mine's network
> that was showing up as follows:
>
> SrcIf   SrcIPaddress   DstIf       DstIPaddress   Pr   SrcP DstP   Pkts
> Fa0/1   127.0.0.124    Se1/2.500   108.122.0.0    00               285
>
> The above capture is just 1 of a few hundred packets similar to it and all
> coming from a different source address on the 127.0.0.0 network. The amount
> of traffic was so large that at times it peaked to over 20MB and as a result
> it overran my WAN interfaces causing BGP to flap / reconverge. Just when
> BGP got a chance to come back up and learned all 115000 routes, the attack
> occurred again and the links would flap.
>
> Pinging the 127.0.0.x IP address from the edge router where the attack was
> initially spotted did not give me any replies. All I got were U. I was
> also not able to ping the broadcast address as all it gave me was U
> (unreachables) as well. There were no ARP entries on that router for that
> IP. I ended up enabling Netflow on the edge router (what you see above) in
> order to get more detail of what was going on. I got to see what interface
> it was coming in on so I applied an access-list on the router to filter out
> these packets. That allowed the router and BGP to stabilize. The next thing
> was to move on to the switch that was connected to this FA0/1 interface.
> This switch has a router module; I ended up doing the same thing as I did
> on the edge router except this time I also connected to the sc0 interface
> and I enabled one port as the mirroring port on the switch and placed a PC
> with Ethereal to monitor everything that was destined to 108.122.0.0 and I
> finally got a MAC address. I issued the show CAM command on the switch and
> it told me where it came from, which was another switch. I moved on to that
> other switch. The MAC address that was being reported was the MSM route
> module of that switch. I enabled netflow on it as well and I was able to
> see the VLAN that the attack was coming in on and the VLAN where it was
> destined to. Luckily there were only 2 PCs (Sun SPARC stations) on that
> VLAN and both were compromised. I removed them from the network and all is
> well. I did also have MRTG which helped some with identifying when the attack
> was going on and what direction it was coming in on and with the ports that
> were being most heavily utilized. This network is pretty big so it was
> difficult to monitor all the ports that were
RE: Possible Attack???? [7:59813]
Nice to hear a story of a *nix box being compromised... we all know how hush-hush that piece of news is kept ... of course we all know that only Windows boxes get compromised all the time, cuz they're so insecure (Tongue-in-cheek).

... sorry, couldn't resist. This is just a mini High-Five for all those Winblows comments that flow so fluidly on the list...

More on topic-
It's cool to hear someone describing in detail the troubleshooting steps taken to track down a "bad" host or two on a complex network... You don't hear about these stories very often.

Consider this an Attaboy Pat on the Back for a job well done in hunting down the source of your problem with fairly efficient and well educated network troubleshooting skills.

Have a great weekend!

-Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 5:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

I was finally able to track down the infected PCs (yes, more than one). Below is a brief description of what occurred and the fix. First, thanks to all that responded to me.

As previously mentioned, I had an attack on a customer of mine's network that was showing up as follows:

SrcIf   SrcIPaddress   DstIf       DstIPaddress   Pr   SrcP DstP   Pkts
Fa0/1   127.0.0.124    Se1/2.500   108.122.0.0    00               285

The above capture is just 1 of a few hundred packets similar to it and all coming from a different source address on the 127.0.0.0 network. The amount of traffic was so large that at times it peaked to over 20MB and as a result it overran my WAN interfaces causing BGP to flap / reconverge. Just when BGP got a chance to come back up and learned all 115000 routes, the attack occurred again and the links would flap.

Pinging the 127.0.0.x IP address from the edge router where the attack was initially spotted did not give me any replies. All I got were U. I was also not able to ping the broadcast address as all it gave me was U (unreachables) as well. There were no ARP entries on that router for that IP. I ended up enabling Netflow on the edge router (what you see above) in order to get more detail of what was going on. I got to see what interface it was coming in on so I applied an access-list on the router to filter out these packets. That allowed the router and BGP to stabilize. The next thing was to move on to the switch that was connected to this FA0/1 interface. This switch has a router module; I ended up doing the same thing as I did on the edge router except this time I also connected to the sc0 interface and I enabled one port as the mirroring port on the switch and placed a PC with Ethereal to monitor everything that was destined to 108.122.0.0 and I finally got a MAC address. I issued the show CAM command on the switch and it told me where it came from, which was another switch. I moved on to that other switch. The MAC address that was being reported was the MSM route module of that switch. I enabled netflow on it as well and I was able to see the VLAN that the attack was coming in on and the VLAN where it was destined to. Luckily there were only 2 PCs (Sun SPARC stations) on that VLAN and both were compromised. I removed them from the network and all is well. I did also have MRTG which helped some with identifying when the attack was going on and what direction it was coming in on and with the ports that were being most heavily utilized. This network is pretty big so it was difficult to monitor all the ports that were suspects. Thank you all again for your help.

As far as the runt packets are concerned, to tell you the truth, I noticed that but did not pay too much attention to that part of the Netflow output since I was all wrapped up in tracking down where these packets were coming in from. Right now packets with size of 1-32 account for about 50% of all traffic.

Thanks,

Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)

-----Original Message-----
From: jhodge [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

Not sure if this will help, but you could enable ip accounting on the uplink interface to the switch. Watch for the address that is pouring out the most requests. Then use sho ip arp x.x.x.x to find the mac address. From there you could go to the switch and do a show cam dynamic or, if IOS version, show mac-address-table with the mac address found with the most requests. This would hunt down the culprit machine without a person walking to each individual machine.

Cheers,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on thes
RE: Possible Attack???? [7:59813]
Sounds like you used a good method to track down the compromised machines (Sun SPARC stations). Can you tell us anything more about what had happened to them? Had someone installed a Trojan Horse or something?? Are there any URLs that describe the attack? I tried to find some last night but didn't, but maybe with more info you have found some. I think it would help us all to know more if you can share more.

Thanks for what you've told us so far!

Priscilla

([EMAIL PROTECTED] wrote:
>
> I was finally able to track down the infected PCs (yes, more than one).
> Below is a brief description of what occurred and the fix. First, thanks to
> all that responded to me.
>
> As previously mentioned, I had an attack on a customer of mine's network
> that was showing up as follows:
>
> SrcIf   SrcIPaddress   DstIf       DstIPaddress   Pr   SrcP DstP   Pkts
> Fa0/1   127.0.0.124    Se1/2.500   108.122.0.0    00               285
>
> The above capture is just 1 of a few hundred packets similar to it and all
> coming from a different source address on the 127.0.0.0 network. The amount
> of traffic was so large that at times it peaked to over 20MB and as a result
> it overran my WAN interfaces causing BGP to flap / reconverge. Just when
> BGP got a chance to come back up and learned all 115000 routes, the attack
> occurred again and the links would flap.
>
> Pinging the 127.0.0.x IP address from the edge router where the attack was
> initially spotted did not give me any replies. All I got were U. I was
> also not able to ping the broadcast address as all it gave me was U
> (unreachables) as well. There were no ARP entries on that router for that
> IP. I ended up enabling Netflow on the edge router (what you see above) in
> order to get more detail of what was going on. I got to see what interface
> it was coming in on so I applied an access-list on the router to filter out
> these packets. That allowed the router and BGP to stabilize. The next thing
> was to move on to the switch that was connected to this FA0/1 interface.
> This switch has a router module; I ended up doing the same thing as I did
> on the edge router except this time I also connected to the sc0 interface
> and I enabled one port as the mirroring port on the switch and placed a PC
> with Ethereal to monitor everything that was destined to 108.122.0.0 and I
> finally got a MAC address. I issued the show CAM command on the switch and
> it told me where it came from, which was another switch. I moved on to that
> other switch. The MAC address that was being reported was the MSM route
> module of that switch. I enabled netflow on it as well and I was able to
> see the VLAN that the attack was coming in on and the VLAN where it was
> destined to. Luckily there were only 2 PCs (Sun SPARC stations) on that
> VLAN and both were compromised. I removed them from the network and all is
> well. I did also have MRTG which helped some with identifying when the attack
> was going on and what direction it was coming in on and with the ports that
> were being most heavily utilized. This network is pretty big so it was
> difficult to monitor all the ports that were suspects. Thank you all again
> for your help.
>
> As far as the runt packets are concerned, to tell you the truth, I noticed
> that but did not pay too much attention to that part of the Netflow output
> since I was all wrapped up in tracking down where these packets were coming
> in from. Right now packets with size of 1-32 account for about 50% of all
> traffic.
>
> Thanks,
>
> Mario Puras
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410
> 888.449.5766 (USA) / 888.SOLUNET (Canada)
>
> -----Original Message-----
> From: jhodge [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 27, 2002 4:34 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
>
> Not sure if this will help, but you could enable ip accounting on the
> uplink interface to the switch. Watch for the address that is pouring
> out the most requests. Then use sho ip arp x.x.x.x to find the mac
> address. From there you could go to the switch and do a show cam
> dynamic or, if IOS version, show mac-address-table with the mac address
> found with the most requests. This would hunt down the culprit machine
> without a person walking to each individual machine.
>
> Cheers,
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PR
RE: Possible Attack???? [7:59813]
I was finally able to track down the infected PC's (yes, more than one). Below is a brief description of what occurred and the fix. First, thanks to all that responded to me. As previously mentioned, I had an attack on a customer of mines network that was showing up as follows: SrcIfSrcIPaddressDstIfDstIPaddressPr SrcP DstP Pkts Fa0/1127.0.0.124 Se1/2.500108.122.0.0 00 285 The above capture is just 1 of a few hundred packets similar to it and all coming from a different source address on the 127.0.0.0 network. The amount of traffic was so large that at times it peaked to over 20MB and as a result it overran my WAN interfaces causing BGP to flap / reconverge. Just when BGP got a chance to come back up and learned all 115000 routes, the attack occured again and the links would flap. Pingging the 127.0.0.x IP address from the edge router where the attack was initially spotted did not give me any replies. All I got were U. I was also not able to ping the broadcast address as all it gave me was U (unreachables) as well. There was no ARP entries on that router for that IP. I ended up enabling Netflow on the edge router (what you see above) in order to get more detail of what was going on. I got to see what interface it was coming in on so I applied an access-list on the router to filter out these packets. That allow the router and bgp to stabilize. The next thing was to move on to the switch that was connected to this FA0/1 interface. This switch has a router module, I ended up doing the same thing as I did on the edge router except this time I also connected to the sc0 interface and I enabled one port as the mirroring port on the switch and placed a PC with Etherreal to monitor everything that was destined to 108.122.0.0 and I finally got a MAC address. I issued the show CAM command on the switch and it told me where it came from which was another switch. I moved on to that other switch. The MAC address that was being reported was the MSM route module of that switch. 
I enabled netflow on it as well and I was able to see the VLAN that the attack was coming in on and the VLAN where it was destined to. Luckily there were only 2 PCs (Sun SPARC stations) on that VLAN and both were compromised. I removed them from the network and all is well. I did also have MRTG which helped some with identifying when the attack was going on and what direction it was coming from and with the ports that were being most heavily utilized. This network is pretty big so it was difficult to monitor all the ports that were suspects. Thank you all again for your help. As far as the runt packets are concerned, to tell you the truth, I noticed that but did not pay too much attention to that part of the Netflow output since I was all wrapped up in tracking down where these packets were coming in from. Right now packets with size of 1-32 account for about 50% of all traffic. Thanks, Mario Puras SoluNet Technical Support Mailto: [EMAIL PROTECTED] Direct: (321) 309-1410 888.449.5766 (USA) / 888.SOLUNET (Canada) -Original Message- From: jhodge [mailto:[EMAIL PROTECTED]] Sent: Friday, December 27, 2002 4:34 PM To: [EMAIL PROTECTED] Subject: RE: Possible Attack [7:59813] Not sure if this will help, but you could enable ip accounting on the uplink interface to the switch. Watch for the address that is pouring out the most requests. Then use sho ip arp x.x.x.x to find the MAC address. From there you could go to the switch and do a show cam dynamic or, if IOS version, show mac-address-table with the MAC address found with the most requests. This would hunt down the culprit machine without a person walking to each individual machine. Cheers, -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed Sent: December 27, 2002 1:04 PM To: [EMAIL PROTECTED] Subject: Re: Possible Attack [7:59813] Do you run SNMP and mrtg on the switch? You can then graphically see which host has been pouring out all the traffic with ease. 
wrote in message news:[EMAIL PROTECTED]... > Thanks Priscilla. I figure it was some sort of spoofing which is what I > ended up reporting last night. The traffic on the edge router is under > control. I was able to narrow down which VLAN on the switch it was coming > in on. There is someone going onsite this morning and we are going to work > on narrowing down the actual culprit PC. It should not be difficult to spot > by looking at the LED on the switch (I hope). The attack seems to come in > spurts but when it comes, I see anywhere from about 3000-15000 packets per > second that last about 10 seconds. The weird thing is that when I remove > the access-list that is currently filtering the 127 address, the attack lasts > much longer. It is almost like it knows that the access-list has been > removed. Since
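The hunt described in this message (Netflow on the edge router, spot the spoofed 127.x sources, note the ingress interface, then filter with an access-list and follow the interface down to the switch) can be scripted against the flow-cache output. The following is an added example, not code from the thread or from any of the posters; it parses rows in the layout of IOS "show ip cache flow", flags any flow whose source sits in a martian block, totals the offending packets per ingress interface, and emits the matching IOS extended-ACL deny lines. The four 127.x rows reproduce rows from the thread, the 10.1.20.15 row is constructed, the list of martian blocks and the ACL number 100 are assumptions of the example.

```python
import ipaddress
from collections import Counter

# Source blocks that should never appear as the source of a packet arriving on
# an internal segment. 127.0.0.0/8 (loopback) is the block the flows in the
# thread came from; the others are the other classic martian ranges. Which
# blocks to include is a deployment decision, so this list is an assumption.
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Rows in the layout of IOS "show ip cache flow" (SrcIf SrcIPaddress DstIf
# DstIPaddress Pr SrcP DstP Pkts). The 127.x rows reproduce four rows posted
# in the thread; the last row is constructed, ordinary TCP traffic.
SAMPLE_FLOWS = """\
SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP  DstP  Pkts
Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00              285
Fa0/1  127.0.0.125   Se1/2.500  108.122.0.0   00              38
Fa0/1  127.0.0.122   Se1/2.500  108.122.0.0   00              35
Fa0/1  127.0.0.123   Se1/2.500  108.122.0.0   00              296
Fa0/0  10.1.20.15    Se1/2.500  198.51.100.7  06  0C1B  0050  12
"""


def parse_flow(line):
    """Parse one flow-cache row, or return None for headers and blank lines.

    Protocol-00 rows print nothing in the SrcP/DstP columns, so a row has
    either 6 or 8 tokens; take the fixed fields from both ends of the token
    list instead of relying on column positions.
    """
    tok = line.split()
    if len(tok) not in (6, 8):
        return None
    try:
        return {
            "src_if": tok[0],
            "src": ipaddress.ip_address(tok[1]),
            "dst_if": tok[2],
            "dst": ipaddress.ip_address(tok[3]),
            "proto": int(tok[4], 16),   # IOS prints the IP protocol number in hex
            "pkts": int(tok[-1]),
        }
    except ValueError:
        return None


def martian_block(addr):
    """Return the martian block containing addr, or None if the source is sane."""
    return next((n for n in MARTIAN_SOURCES if addr in n), None)


def analyse(text):
    """Return (flagged_rows, pkts_by_ingress_if, pkts_by_block).

    pkts_by_ingress_if says which interface, and so which downstream switch,
    to chase next with show cam / show mac-address-table; pkts_by_block feeds
    the ACL generator.
    """
    flagged, by_if, by_block = [], Counter(), Counter()
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        block = martian_block(flow["src"])
        if block is None:
            continue
        flagged.append(flow)
        by_if[flow["src_if"]] += flow["pkts"]
        by_block[str(block)] += flow["pkts"]
    return flagged, by_if, by_block


def acl_lines(by_block, acl_number=100):
    """Build IOS extended access-list statements dropping the martian blocks seen.

    IOS extended ACLs take a wildcard mask, which is ipaddress's hostmask.
    The ACL number is an arbitrary choice for this example.
    """
    lines = []
    for block in sorted(by_block):
        net = ipaddress.ip_network(block)
        lines.append(
            f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any log")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    flagged, by_if, by_block = analyse(SAMPLE_FLOWS)
    print(f"{len(flagged)} flows with martian sources")
    for ifname, pkts in by_if.most_common():
        print(f"  {ifname}: {pkts} packets")
    print("\n".join(acl_lines(by_block)))
```

The generated list is applied inbound on the LAN-facing interface with "ip access-group 100 in", which is the direction the thread's traffic arrived from; the per-interface totals are what tell you which switch to go to next. Two caveats: the "log" keyword makes every matching packet hit the CPU, so drop it once the source is found, and a router that denies a packet by ACL will try to send an ICMP administratively-prohibited message back to the spoofed 127.x source, which "no ip unreachables" on the interface suppresses.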
RE: Possible Attack???? [7:59813]
Not sure if this will help, but you could enable ip accounting on the uplink interface to the switch. Watch for the address that is pouring out the most requests. Then use sho ip arp x.x.x.x to find the MAC address. From there you could go to the switch and do a show cam dynamic or, if IOS version, show mac-address-table with the MAC address found with the most requests. This would hunt down the culprit machine without a person walking to each individual machine. Cheers, -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed Sent: December 27, 2002 1:04 PM To: [EMAIL PROTECTED] Subject: Re: Possible Attack [7:59813] Do you run SNMP and mrtg on the switch? You can then graphically see which host has been pouring out all the traffic with ease. wrote in message news:[EMAIL PROTECTED]... > Thanks Priscilla. I figure it was some sort of spoofing which is what I > ended up reporting last night. The traffic on the edge router is under > control. I was able to narrow down which VLAN on the switch it was coming > in on. There is someone going onsite this morning and we are going to work > on narrowing down the actual culprit PC. It should not be difficult to spot > by looking at the LED on the switch (I hope). The attack seems to come in > spurts but when it comes, I see anywhere from about 3000-15000 packets per > second that last about 10 seconds. The weird thing is that when I remove > the access-list that is currently filtering the 127 address, the attack lasts > much longer. It is almost like it knows that the access-list has been > removed. Since the traffic that I am filtering is not related to ICMP then > I know that I am not sending out any Unreachable message back to the source. 
> > > > > > Thanks, > > Mario Puras > SoluNet Technical Support > Mailto: [EMAIL PROTECTED] > Direct: (321) 309-1410 > 888.449.5766 (USA) / 888.SOLUNET (Canada) > > > > -Original Message- > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > Sent: Thursday, December 26, 2002 10:57 PM > To: [EMAIL PROTECTED] > Subject: RE: Possible Attack [7:59813] > > > Sending with a source address of 127.x.x.x is often used in IP spoofing. You > should try to find out which station is doing this. It could be compromised. > Of course, it will be hard to find, but if the packets haven't crossed a > router, the MAC address will have a clue. The first six bytes of the MAC > address are a vendor code. Of course, if all your equipment is from one > vendor, that doesn't help much! > > The destination address of 108.122.0.0 is strange also. I looked it up in > the ARIN Whois database and it says it's part of a range reserved by IANA. > I'm not sure why it's reserved, but it seems like a suspicious address to > use. > > So, you're doing the right thing to filter out these packets. > > But you said the problem remained. The other thing I noticed that's strange > is probably unrelated to a possible attack. > > Why are 75% of your packets in the 1-32 byte range? Those are illegal runt > frames on Ethernet. Could you have a duplex mismatch problem?? You should > check the output of show int Fa0/1. > > Good luck! > > Priscilla > > [EMAIL PROTECTED] wrote: > > > > Hi all. I was wondering if someone can share some light on a > > wierd issues > > that I am seeing. This perhaps maybe an attack from an > > internal or infected > > host within the network or simply a malfunctioning NIC. > > Basically, I have a > > Cisco 3662 with 2 Satellite links. I noticed that the main WAN > > link > > (1.544mb) was bursting outbound to sometimes 20mb. I noticed a > > lot of > > output drops and the links started to flap and as a result BGP > > sessions > > starting going down causing huge problems. 
Once I was able to > > get the BGP > > under control, I enabled Netflow on the inbound interface > > (FE0/1) to see > > what type of traffic could be causing this issue and this is > > when I noticed > > the below: > > > > > > Here is the output of the Netflow: > > > > cisco_3600_one#show ip cache flow > > IP packet size distribution (4096357 total packets): > >1-32 64 96 128 160 192 224 256 288 320 352 384 > > 416 448 > > 480 > >.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 > > .000 .000 > > .000 > > > > 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 > >.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000 > > > > IP Flow Switching Cache, 278544 bytes > > 978 active, 3118 inac
Re: Possible Attack???? [7:59813]
Do you run SNMP and mrtg on the switch? You can then graphically see which host has been pouring out all the traffic with ease. wrote in message news:[EMAIL PROTECTED]... > Thanks Priscilla. I figure it was some sort of spoofing which is what I > ended up reporting last night. The traffic on the edge router is under > control. I was able to narrow down which VLAN on the switch it was coming > in on. There is someone going onsite this morning and we are going to work > on narrowing down the actual culprit PC. It should not be difficult to spot > by looking at the LED on the switch (I hope). The attack seems to come in > spurts but when it comes, I see anywhere from about 3000-15000 packets per > second that last about 10 seconds. The weird thing is that when I remove > the access-list that is currently filtering the 127 address, the attack lasts > much longer. It is almost like it knows that the access-list has been > removed. Since the traffic that I am filtering is not related to ICMP then > I know that I am not sending out any Unreachable message back to the source. > > > > > > Thanks, > > Mario Puras > SoluNet Technical Support > Mailto: [EMAIL PROTECTED] > Direct: (321) 309-1410 > 888.449.5766 (USA) / 888.SOLUNET (Canada) > > > > -Original Message- > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > Sent: Thursday, December 26, 2002 10:57 PM > To: [EMAIL PROTECTED] > Subject: RE: Possible Attack [7:59813] > > > Sending with a source address of 127.x.x.x is often used in IP spoofing. You > should try to find out which station is doing this. It could be compromised. > Of course, it will be hard to find, but if the packets haven't crossed a > router, the MAC address will have a clue. The first six bytes of the MAC > address are a vendor code. Of course, if all your equipment is from one > vendor, that doesn't help much! > > The destination address of 108.122.0.0 is strange also. 
I looked it up in > the ARIN Whois database and it says it's part of a range reserved by IANA. > I'm not sure why it's reserved, but it seems like a suspicious address to > use. > > So, you're doing the right thing to filter out these packets. > > But you said the problem remained. The other thing I noticed that's strange > is probably unrelated to a possible attack. > > Why are 75% of your packets in the 1-32 byte range? Those are illegal runt > frames on Ethernet. Could you have a duplex mismatch problem?? You should > check the output of show int Fa0/1. > > Good luck! > > Priscilla > > [EMAIL PROTECTED] wrote: > > > > Hi all. I was wondering if someone can share some light on a > > wierd issues > > that I am seeing. This perhaps maybe an attack from an > > internal or infected > > host within the network or simply a malfunctioning NIC. > > Basically, I have a > > Cisco 3662 with 2 Satellite links. I noticed that the main WAN > > link > > (1.544mb) was bursting outbound to sometimes 20mb. I noticed a > > lot of > > output drops and the links started to flap and as a result BGP > > sessions > > starting going down causing huge problems. 
Once I was able to > > get the BGP > > under control, I enabled Netflow on the inbound interface > > (FE0/1) to see > > what type of traffic could be causing this issue and this is > > when I noticed > > the below: > > > > > > Here is the output of the Netflow: > > > > cisco_3600_one#show ip cache flow > > IP packet size distribution (4096357 total packets): > >1-32 64 96 128 160 192 224 256 288 320 352 384 > > 416 448 > > 480 > >.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 > > .000 .000 > > .000 > > > > 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 > >.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000 > > > > IP Flow Switching Cache, 278544 bytes > > 978 active, 3118 inactive, 121929 added > > 2503952 ager polls, 0 flow alloc failures > > last clearing of statistics never > > Protocol TotalFlows Packets Bytes Packets > > Active(Sec) > > Idle(Sec) > > Flows /Sec /Flow /Pkt /Sec > > /Flow /Flow > > TCP-Telnet 41 0.05040 0.0 > > 31.3 14.4 > > TCP-FTP 87 0.0 765 0.0 > > 17.0 12.1 > > TCP-FTPD27 0.0 135 211 0.0 > > 83.0 3.5 > > TCP-WWW 43121 0.3 8 335 2.8 > > 3.
RE: Possible Attack???? [7:59813]
[EMAIL PROTECTED] wrote: > > Thanks Priscilla. I figure it was some sort of spoofing which > is what I > ended up reporting last night. The traffic on the edge router > is under > control. I was able to narrow down which VLAN on the switch > it was coming > in on. There is someone going onsite this morning and we are > going to work > on narrowing down the actual culprit PC. It should not be > difficult to spot > by looking at the LED on the switch (I hope). The attack seems > to come in > spurts but when it comes, I see anywhere from about 3000-15000 > packets per > second that last about 10 seconds. The weird thing is that > when I remove > the access-list that is currently filtering the 127 address, > the attack lasts > much longer. It is almost like it knows that the access-list > has been > removed.

That is weird. You would have to put a sniffer on it to see if there's an explanation.

> Since the traffic that I am filtering is not related > to ICMP then > I know that I am not sending out any Unreachable message back > to the source.

You could still be sending Unreachable or some other ICMP messages. ICMP messages can go out in response to any packet. They don't just go out in response to ICMP packets, if that's what you meant by your comment. In fact, there's a good chance you are sending Type 3, Code 13 ICMP messages (Administratively Prohibited) when you have the access list enabled. Of course, they would be sent back to 127.x.x.x, so they might not work, though?! :-) So that wouldn't explain the host backing off... I wanted to mention one more thing. In my previous message I was concerned about all the packets that were 1-32 bytes. I said those would be illegal Ethernet runts. I'm guessing that Ethernet isn't actually relevant here, though. I bet the Ethernet header has been stripped off by this point. Also any padding that Ethernet added to make it a legal length has been stripped off. 
The info reported by "show ip cache flow" is probably from IP's point of view. In that case a packet that was 32 bytes long would be legitimate. It could be a 20-byte IP header and a 12 byte ICMP message, in fact. You might want to find out what they are. I stick to my original overall comment that having 75% of your packets being that small is weird. Does anyone know for sure if "show ip cache flow" reports packet sizes after the data-link-layer header has been stripped?? I couldn't find an answer on Cisco's site. Good luck finding the culprit! Let us know how it goes. Thanks. Priscilla > > > > > > Thanks, > > Mario Puras > SoluNet Technical Support > Mailto: [EMAIL PROTECTED] > Direct: (321) 309-1410 > 888.449.5766 (USA) / 888.SOLUNET (Canada) > > > > -Original Message- > From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] > Sent: Thursday, December 26, 2002 10:57 PM > To: [EMAIL PROTECTED] > Subject: RE: Possible Attack [7:59813] > > > Sending with a source address of 127.x.x.x is often used in IP > spoofing. You > should try to find out which station is doing this. It could be > compromised. > Of course, it will be hard to find, but if the packets haven't > crossed a > router, the MAC address will have a clue. The first six bytes > of the MAC > address are a vendor code. Of course, if all your equipment is > from one > vendor, that doesn't help much! > > The destination address of 108.122.0.0 is strange also. I > looked it up in > the ARIN Whois database and it says it's part of a range > reserved by IANA. > I'm not sure why it's reserved, but it seems like a suspicious > address to > use. > > So, you're doing the right thing to filter out these packets. > > But you said the problem remained. The other thing I noticed > that's strange > is probably unrelated to a possible attack. > > Why are 75% of your packets in the 1-32 byte range? Those are > illegal runt > frames on Ethernet. Could you have a duplex mismatch problem?? 
> You should > check the output of show int Fa0/1. > > Good luck! > > Priscilla > > [EMAIL PROTECTED] wrote: > > > > Hi all. I was wondering if someone can share some light on a > > wierd issues > > that I am seeing. This perhaps maybe an attack from an > > internal or infected > > host within the network or simply a malfunctioning NIC. > > Basically, I have a > > Cisco 3662 with 2 Satellite links. I noticed that the main > WAN > > link > > (1.544mb) was bursting outbound to sometimes 20mb. I noticed > a > > lot of > > output drops and the links started to flap and as a result BGP > > sess
RE: Possible Attack???? [7:59813]
Thanks Priscilla. I figure it was some sort of spoofing which is what I ended up reporting last night. The traffic on the edge router is under control. I was able to narrow down which VLAN on the switch it was coming in on. There is someone going onsite this morning and we are going to work on narrowing down the actual culprit PC. It should not be difficult to spot by looking at the LED on the switch (I hope). The attack seems to come in spurts but when it comes, I see anywhere from about 3000-15000 packets per second that last about 10 seconds. The weird thing is that when I remove the access-list that is currently filtering the 127 address, the attack lasts much longer. It is almost like it knows that the access-list has been removed. Since the traffic that I am filtering is not related to ICMP then I know that I am not sending out any Unreachable message back to the source. Thanks, Mario Puras SoluNet Technical Support Mailto: [EMAIL PROTECTED] Direct: (321) 309-1410 888.449.5766 (USA) / 888.SOLUNET (Canada) -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 26, 2002 10:57 PM To: [EMAIL PROTECTED] Subject: RE: Possible Attack [7:59813] Sending with a source address of 127.x.x.x is often used in IP spoofing. You should try to find out which station is doing this. It could be compromised. Of course, it will be hard to find, but if the packets haven't crossed a router, the MAC address will have a clue. The first six bytes of the MAC address are a vendor code. Of course, if all your equipment is from one vendor, that doesn't help much! The destination address of 108.122.0.0 is strange also. I looked it up in the ARIN Whois database and it says it's part of a range reserved by IANA. I'm not sure why it's reserved, but it seems like a suspicious address to use. So, you're doing the right thing to filter out these packets. But you said the problem remained. 
The other thing I noticed that's strange is probably unrelated to a possible attack. Why are 75% of your packets in the 1-32 byte range? Those are illegal runt frames on Ethernet. Could you have a duplex mismatch problem?? You should check the output of show int Fa0/1. Good luck! Priscilla [EMAIL PROTECTED] wrote: > > Hi all. I was wondering if someone can share some light on a > wierd issues > that I am seeing. This perhaps maybe an attack from an > internal or infected > host within the network or simply a malfunctioning NIC. > Basically, I have a > Cisco 3662 with 2 Satellite links. I noticed that the main WAN > link > (1.544mb) was bursting outbound to sometimes 20mb. I noticed a > lot of > output drops and the links started to flap and as a result BGP > sessions > starting going down causing huge problems. Once I was able to > get the BGP > under control, I enabled Netflow on the inbound interface > (FE0/1) to see > what type of traffic could be causing this issue and this is > when I noticed > the below: > > > Here is the output of the Netflow: > > cisco_3600_one#show ip cache flow > IP packet size distribution (4096357 total packets): >1-32 64 96 128 160 192 224 256 288 320 352 384 > 416 448 > 480 >.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 > .000 .000 > .000 > > 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 >.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000 > > IP Flow Switching Cache, 278544 bytes > 978 active, 3118 inactive, 121929 added > 2503952 ager polls, 0 flow alloc failures > last clearing of statistics never > Protocol TotalFlows Packets Bytes Packets > Active(Sec) > Idle(Sec) > Flows /Sec /Flow /Pkt /Sec > /Flow /Flow > TCP-Telnet 41 0.05040 0.0 > 31.3 14.4 > TCP-FTP 87 0.0 765 0.0 > 17.0 12.1 > TCP-FTPD27 0.0 135 211 0.0 > 83.0 3.5 > TCP-WWW 43121 0.3 8 335 2.8 > 3.6 2.7 > TCP-SMTP 1137 0.0 6 173 0.0 > 9.8 9.7 > TCP-BGP 1 0.0 67368 0.0 > 1796.8 3.6 > TCP-Frag 2 0.0 140 0.0 > 0.0 15.5 > TCP-other33285 0.214 246 3.7 > 
24.0 10.3 > UDP-DNS 6005 0.0 173 0.0 > 1.3 15.4 > UDP-NTP 10 0.0 176 0.0 > 0.0 15.4 > UDP-other13772 0.1 678 0.7 > 1.2 15.5 > ICMP 2904 0.0 372 0.0 > 19.1 15.4 &g
RE: Possible Attack???? [7:59813]
Sending with a source address of 127.x.x.x is often used in IP spoofing. You should try to find out which station is doing this. It could be compromised. Of course, it will be hard to find, but if the packets haven't crossed a router, the MAC address will have a clue. The first six bytes of the MAC address are a vendor code. Of course, if all your equipment is from one vendor, that doesn't help much! The destination address of 108.122.0.0 is strange also. I looked it up in the ARIN Whois database and it says it's part of a range reserved by IANA. I'm not sure why it's reserved, but it seems like a suspicious address to use. So, you're doing the right thing to filter out these packets. But you said the problem remained. The other thing I noticed that's strange is probably unrelated to a possible attack. Why are 75% of your packets in the 1-32 byte range? Those are illegal runt frames on Ethernet. Could you have a duplex mismatch problem?? You should check the output of show int Fa0/1. Good luck! Priscilla [EMAIL PROTECTED] wrote: > > Hi all. I was wondering if someone can shed some light on a > weird issue > that I am seeing. This perhaps may be an attack from an > internal or infected > host within the network or simply a malfunctioning NIC. > Basically, I have a > Cisco 3662 with 2 satellite links. I noticed that the main WAN > link > (1.544mb) was bursting outbound to sometimes 20mb. I noticed a > lot of > output drops and the links started to flap and as a result BGP > sessions > started going down causing huge problems. 
Once I was able to > get the BGP > under control, I enabled Netflow on the inbound interface > (FE0/1) to see > what type of traffic could be causing this issue and this is > when I noticed > the below: > > > Here is the output of the Netflow: > > cisco_3600_one#show ip cache flow > IP packet size distribution (4096357 total packets): >1-32 64 96 128 160 192 224 256 288 320 352 384 > 416 448 > 480 >.753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 > .000 .000 > .000 > > 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 >.000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000 > > IP Flow Switching Cache, 278544 bytes > 978 active, 3118 inactive, 121929 added > 2503952 ager polls, 0 flow alloc failures > last clearing of statistics never > Protocol TotalFlows Packets Bytes Packets > Active(Sec) > Idle(Sec) > Flows /Sec /Flow /Pkt /Sec > /Flow /Flow > TCP-Telnet 41 0.05040 0.0 > 31.3 14.4 > TCP-FTP 87 0.0 765 0.0 > 17.0 12.1 > TCP-FTPD27 0.0 135 211 0.0 > 83.0 3.5 > TCP-WWW 43121 0.3 8 335 2.8 > 3.6 2.7 > TCP-SMTP 1137 0.0 6 173 0.0 > 9.8 9.7 > TCP-BGP 1 0.0 67368 0.0 > 1796.8 3.6 > TCP-Frag 2 0.0 140 0.0 > 0.0 15.5 > TCP-other33285 0.214 246 3.7 > 24.0 10.3 > UDP-DNS 6005 0.0 173 0.0 > 1.3 15.4 > UDP-NTP 10 0.0 176 0.0 > 0.0 15.4 > UDP-other13772 0.1 678 0.7 > 1.2 15.5 > ICMP 2904 0.0 372 0.0 > 19.1 15.4 > IP-other 20559 0.1 14820 24.5 > 6.8 15.4 > Total: 120951 0.93376 32.2 > 9.9 9.4 > > > . > . > . 
> SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP  DstP  Pkts
> Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00              285
> Fa0/1  127.0.0.125   Se1/2.500  108.122.0.0   00              38
> Fa0/1  127.0.0.122   Se1/2.500  108.122.0.0   00              35
> Fa0/1  127.0.0.123   Se1/2.500  108.122.0.0   00              296
> Fa0/1  127.0.0.120   Se1/2.500  108.122.0.0   00              33
> Fa0/1  127.0.0.121   Se1/2.500  108.122.0.0   00              36
> Fa0/1  127.0.0.118   Se1/2.500  108.122.0.0   00              52
> Fa0/1  127.0.0.116   Se1/2.500  108.122.0.0   00              189
> Fa0/1  127.0.0.117   Se1/2.500  108.122.0.0   00              277
> Fa0/1  127.0.0.114   Se1/2.500  108.122.0.0   00              32
> Fa0/1  127.0
Possible Attack???? [7:59813]
Hi all. I was wondering if someone can shed some light on a weird issue that I am seeing. This perhaps may be an attack from an internal or infected host within the network or simply a malfunctioning NIC. Basically, I have a Cisco 3662 with 2 satellite links. I noticed that the main WAN link (1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of output drops and the links started to flap and as a result BGP sessions started going down causing huge problems. Once I was able to get the BGP under control, I enabled Netflow on the inbound interface (FE0/1) to see what type of traffic could be causing this issue and this is when I noticed the below:

Here is the output of the Netflow:

cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never

Protocol      Total    Flows   Packets  Bytes  Packets  Active(Sec)  Idle(Sec)
--------      Flows     /Sec     /Flow   /Pkt     /Sec        /Flow      /Flow
TCP-Telnet       41      0.0        50     40      0.0         31.3       14.4
TCP-FTP          87      0.0         7     65      0.0         17.0       12.1
TCP-FTPD         27      0.0       135    211      0.0         83.0        3.5
TCP-WWW       43121      0.3         8    335      2.8          3.6        2.7
TCP-SMTP       1137      0.0         6    173      0.0          9.8        9.7
TCP-BGP           1      0.0         67368         0.0       1796.8        3.6
TCP-Frag          2      0.0         1     40      0.0          0.0       15.5
TCP-other     33285      0.2        14    246      3.7         24.0       10.3
UDP-DNS        6005      0.0         1     73      0.0          1.3       15.4
UDP-NTP          10      0.0         1     76      0.0          0.0       15.4
UDP-other     13772      0.1         6     78      0.7          1.2       15.5
ICMP           2904      0.0         3     72      0.0         19.1       15.4
IP-other      20559      0.1       148     20     24.5          6.8       15.4
Total:       120951      0.9        33     76     32.2          9.9        9.4

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: ack attack or config prob? [7:56341]
Hi Garrett, There are two DOS attacks that I know of that use ACKs called stream.c and raped.c; the stream.c sends ACK packets to the target with random sequence numbers and source IPs. The raped.c sends ACKs with spoofed source IPs but I believe the sequence numbers are the same. C - Original Message - From: "Garrett Allen" To: Sent: Sunday, October 27, 2002 3:14 AM Subject: Re: ack attack or config prob? [7:56341] > the filter doesn't like special characters. sorry. here is another try > without the less than symbol: > > priscilla, > > the bursts were less than 2mins each in duration as i recall. they occurred > sporadically through the day. i have traces and i'll look for more precise > timeframes later tonight. within each burst the packets were from the same > ip address. there were at least 2 unique non-contiguous ip addresses > involved and 1 repeated a burst at least once that we tracked (i.e. at least > 2 bursts of 100k packets). > > the trace reveals acks and fin acks; no syn or syn ack's noted (my reference > to syn acks in the prior email was the only reference i could find on the ms > site that discussed their retry implementation, which could cause this if it > was unlimited). firewalls are in place which is why i was going down the > path of a misconfiguration on our servers. in theory the firewall vendor > states that the firewall is doing a stateful inspection and we did see some > evidence of packets being dropped at the firewall - but not all. if the > session was not previously opened the firewall should drop the ack and fin > ack's as they are not a valid start of session transmission. each burst > contained the same sequence and ack numbers. > > i wondered at first if it was our servers that was initiating this behavior > pattern. we did reboot the servers. urban legend has it (i.e. my neighbor > has a friend whose wife's cousin said ...) 
that unexpected terminations of > outlook web access can cause this kind of behavior to occur, but it is just > legend. an examination of the trace doesn't point in that direction but i > need to spend more time reviewing them. and the problem reoccurred after > the reboots. > > like i said i think it is an interesting issue because there are so many > possibilities and it forces one to think about all the many things that can > go wrong. > > thanks for your insights and thoughtful questions. > > - Original Message - > From: "Garrett Allen" > To: > Sent: Saturday, October 26, 2002 9:59 PM > Subject: Re: ack attack or config prob? [7:56341] > > > > priscilla, > > > > the bursts were > > To: > > Sent: Saturday, October 26, 2002 7:40 PM > > Subject: RE: ack attack or config prob? [7:56341] > > > > > > > It sounds like you were under attack, though it's hard to say for sure. > I > > > doubt that it's a misconfig on your end, though. It could be a misconfig > > at > > > the other server, but probably not. I don't think you can set the > > parameters > > > that badly!? :-) > > > > > > It sounds like a DoS attack because of the volume of 100,000 packets. > > What's > > > the timeframe, though? You said "burst" so I assume pretty quick. > > > > > > Did the problem happen just once or has it reoccurred? > > > > > > What do any relevant logs show? Do you have a firewall or Intrusion > > > Detection System that logs info? How about the server itself? Does it > show > > > anything in its log? > > > > > > Were all the packets to the server? > > > > > > Were they ACKs or SYN ACKs? You mentioned both. > > > > > > Were they in response to something your server sent? > > > > > > Were they always the same ACK number? > > > > > > What were the port numbers? You mentioned e-mail, so were the packets to > > > port 25 for SMTP? SMTP implementations used to have many security flaws. > > > Hopefully those would be fixed in a modern OS, but you never know. 
> > > > > > Usually, DoS attacks are SYNs, but there are probably ones that use ACKs > > or > > > SYN ACKs too. A search on Google might reveal more info. > > > > > > Anyway, I think you did the right thing by getting the ISP security > folks > > > involved. Keep us posted, unless they recommend that you keep it quiet. > > > > > > ___ > > > > > > Priscilla Oppenheimer > > > www.troubleshootingnetworks.com > > > www.priscilla.com &g
Re: ack attack or config prob? [7:56341]
the filter doesn't like special characters. sorry. here is another try without the less than symbol: priscilla, the bursts were less than 2mins each in duration as i recall. they occurred sporadically through the day. i have traces and i'll look for more precise timeframes later tonight. within each burst the packets were from the same ip address. there were at least 2 unique non-contiguous ip addresses involved and 1 repeated a burst at least once that we tracked (i.e. at least 2 bursts of 100k packets). the trace reveals acks and fin acks; no syn or syn ack's noted (my reference to syn acks in the prior email was the only reference i could find on the ms site that discussed their retry implementation, which could cause this if it was unlimited). firewalls are in place which is why i was going down the path of a misconfiguration on our servers. in theory the firewall vendor states that the firewall is doing a stateful inspection and we did see some evidence of packets being dropped at the firewall - but not all. if the session was not previously opened the firewall should drop the ack and fin ack's as they are not a valid start of session transmission. each burst contained the same sequence and ack numbers. i wondered at first if it was our servers that was initiating this behavior pattern. we did reboot the servers. urban legend has it (i.e. my neighbor has a friend whose wife's cousin said ...) that unexpected terminations of outlook web access can cause this kind of behavior to occur, but it is just legend. an examination of the trace doesn't point in that direction but i need to spend more time reviewing them. and the problem reoccurred after the reboots. like i said i think it is an interesting issue because there are so many possibilities and it forces one to think about all the many things that can go wrong. thanks for your insights and thoughtful questions. 
- Original Message -
From: "Garrett Allen"
Sent: Saturday, October 26, 2002 9:59 PM
Subject: Re: ack attack or config prob? [7:56341]

> Priscilla,
>
> the bursts were
>
> To:
> Sent: Saturday, October 26, 2002 7:40 PM
> Subject: RE: ack attack or config prob? [7:56341]
Re: ack attack or config prob? [7:56341]
Priscilla,

the bursts were

To:
Sent: Saturday, October 26, 2002 7:40 PM
Subject: RE: ack attack or config prob? [7:56341]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56369&t=56341
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: ack attack or config prob? [7:56341]
It sounds like you were under attack, though it's hard to say for sure. I doubt that it's a misconfig on your end, though. It could be a misconfig at the other server, but probably not. I don't think you can set the parameters that badly!? :-)

It sounds like a DoS attack because of the volume of 100,000 packets. What's the timeframe, though? You said "burst" so I assume pretty quick.

Did the problem happen just once or has it reoccurred?

What do any relevant logs show? Do you have a firewall or Intrusion Detection System that logs info? How about the server itself? Does it show anything in its log?

Were all the packets to the server?

Were they ACKs or SYN ACKs? You mentioned both.

Were they in response to something your server sent?

Were they always the same ACK number?

What were the port numbers? You mentioned e-mail, so were the packets to port 25 for SMTP? SMTP implementations used to have many security flaws. Hopefully those would be fixed in a modern OS, but you never know.

Usually, DoS attacks are SYNs, but there are probably ones that use ACKs or SYN ACKs too. A search on Google might reveal more info.

Anyway, I think you did the right thing by getting the ISP security folks involved. Keep us posted, unless they recommend that you keep it quiet.

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56365&t=56341
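The questions Priscilla asks (same ACK number every time? port 25? in reply to anything the server sent?) and the symptoms Garrett reports (bursts from one source, all bare ACKs or FIN ACKs, identical seq/ack numbers, no SYN) can be checked mechanically against a trace. The script below is an added example, not code from either poster: it reads a constructed tcpdump-style packet summary (the line layout, the RFC 5737 addresses, the 120-second window and the 50-packet threshold are all assumptions) and reports flows that show that pattern.

```python
"""Spot ACK / FIN-ACK bursts of the kind described in this thread.

Added example, not code from the original posters. The packet summary it
reads is constructed and uses a simple tcpdump-like line layout:
    <time> <src>:<sport> > <dst>:<dport> <flags> seq=<n> ack=<n>
Flags use tcpdump letters: S=SYN, F=FIN, P=PSH, R=RST, "."=ACK bit set.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SFPR.]+)\s+"
    r"seq=(?P<seq>\d+)\s+ack=(?P<ack>\d+)\s*$"
)


def parse_line(line):
    """Parse one summary line into a dict; return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "flags": d["flags"],
            "seq": int(d["seq"]), "ack": int(d["ack"])}


def is_bare_ack(flags):
    """True for a pure ACK (".") or FIN/ACK ("F."): ACK set, no SYN, PSH or RST."""
    return "." in flags and not (set(flags) & set("SPR"))


def find_ack_bursts(lines, window=120.0, threshold=50):
    """Report (src, dst, dport) flows that show the posted symptoms.

    window    -- seconds; a gap larger than this starts a new burst (the
                 poster saw bursts under two minutes long).
    threshold -- bare-ACK packets needed before a burst is reported.
    Each report says whether every packet carried the same seq/ack pair and
    whether a SYN from that source was ever seen, i.e. whether there is a
    handshake the ACKs could belong to at all.
    """
    pkts = [p for p in map(parse_line, lines) if p]
    syn_seen = {(p["src"], p["dst"], p["dport"]) for p in pkts if "S" in p["flags"]}

    bursts = defaultdict(list)              # flow key -> list of bursts
    for p in sorted(pkts, key=lambda x: x["ts"]):
        if not is_bare_ack(p["flags"]):
            continue
        key = (p["src"], p["dst"], p["dport"])
        flow = bursts[key]
        if flow and p["ts"] - flow[-1][-1]["ts"] <= window:
            flow[-1].append(p)              # continues the current burst
        else:
            flow.append([p])                # opens a new burst

    reports = []
    for (src, dst, dport), flow in bursts.items():
        for burst in flow:
            if len(burst) < threshold:
                continue
            reports.append({
                "src": src, "dst": dst, "dport": dport,
                "packets": len(burst),
                "kinds": sorted({p["flags"] for p in burst}),
                "same_seq_ack": len({(p["seq"], p["ack"]) for p in burst}) == 1,
                "handshake_seen": (src, dst, dport) in syn_seen,
                "duration": burst[-1]["ts"] - burst[0]["ts"],
            })
    return reports


def build_sample():
    """Constructed capture (RFC 5737 addresses): one normal SMTP session plus
    two floods shaped like the ones described in the thread."""
    mail = "203.0.113.25"
    lines = [  # legitimate client: handshake, data, orderly close
        f"0.000 198.51.100.7:40001 > {mail}:25 S seq=1000 ack=0",
        f"0.020 198.51.100.7:40001 > {mail}:25 . seq=1001 ack=5001",
        f"0.030 198.51.100.7:40001 > {mail}:25 P. seq=1001 ack=5001",
        f"0.900 198.51.100.7:40001 > {mail}:25 F. seq=1044 ack=5130",
    ]
    # Flood 1: 60 identical bare ACKs, one per second, never preceded by a SYN.
    lines += [f"{10 + i:.3f} 192.0.2.77:1543 > {mail}:25 . seq=777 ack=4242"
              for i in range(60)]
    # Flood 2: 60 identical FIN/ACKs, two per second, also without a handshake.
    lines += [f"{300 + i * 0.5:.3f} 192.0.2.90:2222 > {mail}:25 F. seq=9 ack=9"
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for report in find_ack_bursts(build_sample()):
        print(report)
```

A report with same_seq_ack true and handshake_seen false is exactly the case Garrett describes, and is what a stateful firewall should already be dropping.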
Re: ack attack or config prob? [7:56341]
Mark,

Will keep you informed when we do hear from the vendor's security folk. As an aside, Ethereal (a really great lil' analyzer freely available for download) had no problem keeping up with the data volumes - but do configure it with the various address translations turned off or it will appear to hang when dealing with these data volumes. We are on Exchange 5.5 / NT 4 running the latest service packs. The MS web site is generally good for technical info, but I've not found anything on this particular set of symptoms, which is why I question whether it is an exploit or a misconfig.

Thanks.

- Original Message -
From: "Mark W. Odette II"
Sent: Saturday, October 26, 2002 3:41 PM
Subject: RE: ack attack or config prob? [7:56341]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56362&t=56341
RE: ack attack or config prob? [7:56341]
I don't have an answer to your question, though it does sound like a DoS attack to me...

My only input is that if you are running NT 4.0 Servers, definitely ensure they are running Service Pack 6a, which you can get from MS's site. Also, if you are running Exchange, make sure you have SP 4 installed, as it fixes several issues relating to some critical Exchange functions. For more info, review the release notes for both service packs before installing.

Let us know what the ISP's security folks find... this would be an interesting learning experience.

-Mark

-Original Message-
From: Garrett Allen [mailto:garrett.allen@;erols.com]
Sent: Friday, October 25, 2002 10:51 PM
To: [EMAIL PROTECTED]
Subject: ack attack or config prob? [7:56341]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56360&t=56341
ack attack or config prob? [7:56341]
Heys,

Ran into something interesting today. Not sure if it is a DoS attack or if it indicates an IP stack misconfig. Here is the symptom:

Periodically through the day today we received 100,000-packet bursts on a T-1 circuit. This is a name-brand provider. When the burst occurs it is from the same IP address. On some bursts the packets are all ACKs. On others they are all FIN ACKs. They are directed at our email servers. When they occur the packets in a burst are all sourced from the same IP address. In the one case where we resolved the IP address back it was another org's email server. Based on the router interface stats the traffic is coming from the outside and is not an internal broadcast storm.

Per the MS site, "A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission." If the same logic holds for other parts of the handshake then I'm at a loss to explain tens of thousands of packets unless it is an exploit of a weakness in the stack that allows for virtually unlimited retries.

Anyone run into this kind of situation before, and was the resolution a service pack or other such server upgrade? It caused considerable slowness on external accesses as you might imagine. I grabbed a number of traces documenting it and we did contact our provider (they opened a ticket with their security folk).

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56341&t=56341
Re: Virus Attack and how to tackle it? [7:44936]
Look at this page from Cisco.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

I hope this helps.

--
Alfredo Pulido [EMAIL PROTECTED]
CCDA
Dept. Sistemas, IdecNet S.A.
Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria, Las Palmas // SPAIN
Tel: +34 828 111 000 Fax: +34 828 111 112
http://www.idecnet.com/
--

""a. ahmad"" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44939&t=44936
Re: Virus Attack and how to tackle it? [7:44936]
Hi,

This is a trace of the Nimda and Code Red worms. The first thing you can do is run a Nimda/Code Red scanner in your network and then apply the IIS patch on all the affected Microsoft servers. Also you can secure your network perimeter by configuring NBAR on Cisco routers, or if you have a content switch you can try filtering Nimda on that... or if you have an IDS, you can configure shunning of the source.

Kind Regards
/Thangavel
186K
Reading, Berkshire
Direct No - 0118 9064259
Mobile No - 07796292416
Post code: RG16LH
www.186k.co.uk
--
"The greatest glory in living lies not in never falling, but in rising every time we fall." -- Nelson Mandela

"a. ahmad"
Sent by: nobody@groupstudy.com
24/05/2002 08:16
Please respond to "a. ahmad"
Subject: Virus Attack and how to tackle it? [7:44936]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44938&t=44936
Virus Attack and how to tackle it? [7:44936]
Dear Members,

1- We are getting virus attack messages on our proxy (Squid) machine, not only from our own IP pool but also from outside. Please guide how to tackle it as it is constantly choking our bandwidth. I.e. one of the virus attack messages we are getting on our proxy (Squid) machine is as under:

106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? - DIRECT/www -
106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -
...etc etc

2- We want to trace which IPs are utilizing our maximum bandwidth so that we can limit that traffic accordingly in order to get maximum efficiency?

Thank you in advance!
Ahmad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44936&t=44936
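The log lines above carry the classic Code Red / Nimda request shapes (cmd.exe reached through encoded ".." traversal, including the double-encoded %255c form), and Thangavel's reply points to filtering them at the perimeter. As an added example, not code from anyone in the thread, the script below answers both of Ahmad's questions offline: it flags those requests in Squid's native access.log layout and ranks clients by bytes served. The 202.192.204.130 lines are the ones posted; the 10.0.0.x lines, the default.ida and root.exe targets, and the Counter-based ranking are assumptions added here.

```python
"""Flag Code Red / Nimda probes in a Squid access log and rank clients by bytes.

Added example, not code from anyone in the thread. It expects Squid's
native access.log layout, which the posted lines follow:
    time elapsed client code/status bytes method url ident hierarchy/peer [type]
"""
import re
from collections import Counter
from urllib.parse import unquote

# Request targets seen in the posted lines (cmd.exe) plus the classic
# Code Red (default.ida) and Nimda (root.exe) ones.
WORM_TARGET = re.compile(r"/(cmd|root)\.exe|/default\.ida", re.IGNORECASE)
# Encoded ".." traversal as it appears in the posted URLs: double-encoded
# backslash (%255c), malformed UTF-8 slashes (%c0%af, %c0%2f, %c1%1c), or plain.
TRAVERSAL = re.compile(r"\.\.(?:%255c|%c0%af|%c0%2f|%c1%1c|/)", re.IGNORECASE)

# Sample log: the five lines quoted in the thread (as posted) plus two
# constructed normal requests from 10.0.0.x clients.
SAMPLE_LOG = [
    "106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? - DIRECT/www -",
    "106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -",
    "106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -",
    "106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -",
    "106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -",
    "106232.100 120 10.0.0.15 TCP_MISS/200 48213 GET http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml - DIRECT/www.cisco.com text/html",
    "106233.400 80 10.0.0.22 TCP_HIT/200 9120 GET http://www.groupstudy.com/list/cisco.html - NONE/- text/html",
]


def parse_squid_line(line):
    """Split one native-format line into fields; return None if it does not fit."""
    f = line.split()
    if len(f) < 9:
        return None
    try:
        return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
                "status": f[3], "bytes": int(f[4]), "method": f[5].upper(),
                "url": f[6], "hier": f[8]}
    except ValueError:
        return None


def classify(url):
    """'worm' for a Code Red/Nimda-style request, 'traversal' for a bare
    encoded '..' walk that names no known target, otherwise None."""
    if WORM_TARGET.search(url):
        return "worm"
    if TRAVERSAL.search(url):
        return "traversal"
    return None


def decode_twice(url):
    """Undo double URL-encoding so the %255c form reads as the '..\\..' it hides."""
    return unquote(unquote(url))


def analyze(lines, top=3):
    """Return (probe hits, top clients by bytes) for an iterable of log lines."""
    hits, per_client = [], Counter()
    for rec in filter(None, map(parse_squid_line, lines)):
        per_client[rec["client"]] += rec["bytes"]
        kind = classify(rec["url"])
        if kind:
            hits.append({"client": rec["client"], "kind": kind,
                         "status": rec["status"], "decoded": decode_twice(rec["url"])})
    return hits, per_client.most_common(top)


if __name__ == "__main__":
    hits, top = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']} {h['kind']:9} {h['status']} {h['decoded']}")
    for client, nbytes in top:
        print(f"{nbytes:>8} bytes  {client}")
```

The 503 status on every probe line shows the proxy already refused them; the byte ranking is what tells you whether those probes, or ordinary clients, are the bandwidth problem.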
Re: info on virus attack [7:37798]
Hi Paul,

Sorry, I neglected to defend the group there, but you are of course correct. The virus was always direct to me, not through your server. It's never normally a problem, just clean or delete; I just messed up and used my work e-mail for a while some time ago, so I got nagged by our net admins during the spate of viruses. Sh*t happens when you're stupid :-)

Gaz

""Paul Borghese"" wrote in message news:[EMAIL PROTECTED]...

> - Original Message -
> From: "edna helem"
> Sent: Sunday, March 10, 2002 1:18 PM
> Subject: Re: info on virus attack [7:37798]
>
> > >From: "Gaz"
> > >Reply-To: "Gaz"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Serial (X.21) X-over cables [7:35212]
> > >Date: Wed, 13 Feb 2002 19:31:39 -0500
> > >
> > >Joel,
> > >
> > >Have a look at www.kg2.com
> > >Kelly Griffin used to post to the group. Not heard of him for a while. I've noticed he's doing some DB60 to RJ45 converters from March 2002 for around 20 dollars, so one of each DCE/DTE for 40 dollars and you're away - whatever length you want, and I believe the full crossover cables were around 25 dollars.
> > >
> > >I must add I have no links with Kelly or the company and not enough knowledge of them to recommend, but prices look decent and I know he's been around a while now.
> > >I keep meaning to buy the same but never got round to it.
> > >
> > >Gaz
> > >
> > >""Joel Satterley"" wrote in message news:[EMAIL PROTECTED]...
> > > > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT crossover equivalent ?
> > > >
> > > > I need to use some back to back serial connections without using a kilostream simulator.
> > > >
> > > > Any help would be gratefully rec'd.
> > > >
> > > > Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37817&t=37798
Re: info on virus attack [7:37798]
What are you guys talking about? It is highly unlikely that a Virus will go through the server as all messages are stripped of their attachments and converted to plain-text before posting. Plus messages that look like they could contain (or at one time did contain) viruses are filtered.

What could happen is someone catches a virus and the virus scans the inbox. Of course the Inbox is full of messages from this list. The virus then proceeds to send itself to everyone who has posted to the list and thus has a message in the client Inbox. Unfortunately GroupStudy can not stop it as the virus is never propagated through the server.

One way to prevent this is to use the web discussion board to participate where a valid e-mail address is not required (in fact you have the option of putting any e-mail address you desire as your public address). That way, you can not be forwarded viruses - of course you also eliminate private e-mail concerning your posting.

Take care,

Paul Borghese

- Original Message -
From: "edna helem"
Sent: Sunday, March 10, 2002 1:18 PM
Subject: Re: info on virus attack [7:37798]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37809&t=37798
Re: info on virus attack [7:37798]
Hi Edna,

Good to hear you're all cleaned up again.

There seems to be a different contact number for every state. You can probably pick yours from the page below (although I don't think this is for security):
http://www.verizon.net/contact/

Thanks for the update, although I knew which virus it was, I think I received it about 18 times in all :-)

Do me a favour though - don't put me in your address book :-)

Good luck,

Gaz

""edna helem"" wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37800&t=37798
Re: info on virus attack [7:37798]
Gaz, You sent out an email re: virus being sent by [EMAIL PROTECTED] I am the wife of Abdi. Let me explain to you and others concerned. My husband and I ordered DSL with Verizon about 12 days ago. We did not have a firewall or virus software installed. After about 3 days of service our computer began to lock up and finally we had no service at all. I had been troubleshooting with Verizon tech support for about 5 days before they could tell me that there was a virus on my computer. I immediately went out and purchased the McAfee firewall and virus protection software. The virus appears to have been removed. I still do not have DSL service. I am using a dial-up connection. The name of the virus was the SirCam virus. I found out that the email was being propagated outside of my computer through your email to the Cisco study group in which I am a member. I apologize for any inconvenience, but we had no idea what has been going on. Verizon tech support had me contact [EMAIL PROTECTED] by email to try and resolve this problem. They are not accessible by phone and their response to me by email has been that they have received my email and due to so many cases it may take a few days to follow up with an investigation. It has been 4 days. Does anyone have any suggestions on who I can contact at Verizon and their phone number?

> From: "Gaz"
> Reply-To: "Gaz"
> To: [EMAIL PROTECTED]
> Subject: Re: Serial (X.21) X-over cables [7:35212]
> Date: Wed, 13 Feb 2002 19:31:39 -0500
>
> Joel,
>
> Have a look at www.kg2.com Kelly Griffin used to post to the group. Not heard of him for a while. I've noticed he's doing some DB60 to RJ45 converters from March 2002 for around 20 dollars, so one of each DCE/DTE for 40 dollars and you're away - whatever length you want, and I believe the full crossover cables were around 25 dollars.
>
> I must add I have no links with Kelly or the company and not enough knowledge of them to recommend, but prices look decent and I know he's been around a while now. I keep meaning to buy the same but never got round to it.
>
> Gaz
>
> "Joel Satterley" wrote in message news:[EMAIL PROTECTED]...
> > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT crossover equivalent?
> >
> > I need to use some back to back serial connections without using a kilostream simulator.
> >
> > Any help would be gratefully rec'd.
> >
> > Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37798&t=37798
RE: Brutal Attack! [7:37087]
Congrats! I know how you feel. There will be more celebrating while studying for the lab.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff D
Sent: Saturday, March 02, 2002 5:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]

Just passed the Written. Cheers and now beers! Jeff D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37092&t=37087
RE: Brutal Attack! [7:37087]
Jeff, congratulations.. please drink 7 on me, now the fun begins (be ready for the lab). JB

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff D
Sent: Saturday, March 02, 2002 5:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]

Just passed the Written. Cheers and now beers! Jeff D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37091&t=37087
RE: Brutal Attack! [7:37087]
Congrats, Jeff.. a well deserved round of beers... Larry Letterman Cisco Systems [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff D
Sent: Saturday, March 02, 2002 2:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]

Just passed the Written. Cheers and now beers! Jeff D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37089&t=37087
Brutal Attack! [7:37087]
Just passed the Written. Cheers and now beers! Jeff D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37087&t=37087
Re: This Arab tried to attack me. [7:29190]
I just ran a scan from Symantec and I do have 100 infected files. I am now downloading the virus protection software. Thanks for your understanding Paul. This is for those who think I am an Arab, which is fine with me, because I am proud of who I am and what I believe in. I was born and raised in Trinidad and Tobago, West Indies, and my ancestors are from Africa, and I reverted to Islam in 1974 (27 years ago), which included changing my name from a Christian name to a Muslim name. In my heart I have no color and no nationality. I hurt when I see pain all over the world. This much I would say about myself. Muhammad Alkhattab

----- Original Message -----
From: "Paul Borghese"
To: "Muhammad Alkhattab"
Sent: Saturday, December 15, 2001 12:26 AM
Subject: Re: This Arab tried to attack me. [7:29190]

> I have received a number of e-mails that look like they originated from you with viruses attached. Plus I have received complaints from others about receiving viruses from you. Not that you did this maliciously. Just the automated type that is sent out after an infection. It happens to all of us. You may want to scan your system for viruses just to be safe.
>
> Of course it could be an imposter because the e-mails always had the from address of [EMAIL PROTECTED] Notice the _ in the e-mail address.
>
> Take care,
>
> Paul
> ----- Original Message -----
> From: "Muhammad Alkhattab"
> To:
> Sent: Saturday, December 15, 2001 12:54 AM
> Subject: Re: This Arab tried to attack me. [7:29190]
>
> > Whoever you are, I have never sent you any virus. I myself have been receiving spam (mails that I have never sent).
> >
> > Muhammad Alkhattab
> > ----- Original Message -----
> > From: "Jon Street"
> > To:
> > Sent: Friday, December 14, 2001 8:56 AM
> > Subject: This Arab tried to attack me. [7:29190]
> >
> > > Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29278&t=29190
Re: This Arab tried to attack me. [7:29190]
Hey it happens to the best of us. Read this news article about how Cisco recently sent a virus to the NANOG mailing list. The title is "Cisco Release of Goner Worm Raises Eyebrows". http://www.newsbytes.com/news/01/172978.html Paul Borghese

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29273&t=29190
Re: This Arab tried to attack me. [7:29190]
Whoever you are, I have never sent you any virus. I myself have been receiving spam (mails that I have never sent). Muhammad Alkhattab

----- Original Message -----
From: "Jon Street"
To:
Sent: Friday, December 14, 2001 8:56 AM
Subject: This Arab tried to attack me. [7:29190]

> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29265&t=29190
Re: This Arab tried to attack me. [7:29190]
IP Security! Isn't that a contradiction in terms? :) Prof. Tom Lisa, CCAI Community College of Southern Nevada Cisco Regional Networking Academy

Steve Smith wrote:
> Hey you left out us Mexicans! I agree. We must get hundreds of viruses sent to us that are caught, we even get them sent from our LAWYERS. Well go figure on that. It's NOT a personal attack, although that has happened, but it's what we have to live with these days. Anyway, just go with the flow, keep your signatures updated, filter like a murf and all should be fine. Now back to our previously scheduled discussion.. IPSEC, what does it stand for and how do I use it. :>
>
> -----Original Message-----
> From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 14, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: This Arab tried to attack me. [7:29190]
>
> For your general culture, I'm Arabic. Sometimes I receive viruses from messages in this board and other messages from many people in multiple countries. I do not consider them personal attacks and I'm not angry with anybody. This board is for Arabs, Jews, US citizens, Chinese... to share their technical knowledge and exchange experiences, not for off-topics. If you have problems with this guy, please deal with him directly and leave this board for Cisco subjects.
> "Jon Street" wrote in message: [EMAIL PROTECTED]
> > Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29263&t=29190
Re: This Arab tried to attack me. [7:29190]
IPSEC stands for a standard for IP encryption; it uses multiple algorithms for encrypting IP data. You can use it in routers, firewalls, dedicated hardware boxes and with some software clients. With IPsec you can use encrypted tunnels to send your traffic over the Internet or an intranet, and you can use it between any of the above types of devices. You need a good design to use it well; tell us more about what your needs are and what your environment is, and we will try to find the most suitable solution for you.

"Steve Smith" wrote in message: [EMAIL PROTECTED]
> Hey you left out us Mexicans! I agree. We must get hundreds of viruses sent to us that are caught, we even get them sent from our LAWYERS. Well go figure on that. It's NOT a personal attack, although that has happened, but it's what we have to live with these days. Anyway, just go with the flow, keep your signatures updated, filter like a murf and all should be fine. Now back to our previously scheduled discussion.. IPSEC, what does it stand for and how do I use it. :>
>
> -----Original Message-----
> From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 14, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: This Arab tried to attack me. [7:29190]
>
> For your general culture, I'm Arabic. Sometimes I receive viruses from messages in this board and other messages from many people in multiple countries. I do not consider them personal attacks and I'm not angry with anybody. This board is for Arabs, Jews, US citizens, Chinese... to share their technical knowledge and exchange experiences, not for off-topics. If you have problems with this guy, please deal with him directly and leave this board for Cisco subjects.
> "Jon Street" wrote in message: [EMAIL PROTECTED]
> > Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29252&t=29190
RE: This Arab tried to attack me. [7:29190]
Hey you left out us Mexicans! I agree. We must get hundreds of viruses sent to us that are caught, we even get them sent from our LAWYERS. Well go figure on that. It's NOT a personal attack, although that has happened, but it's what we have to live with these days. Anyway, just go with the flow, keep your signatures updated, filter like a murf and all should be fine. Now back to our previously scheduled discussion.. IPSEC, what does it stand for and how do I use it. :>

-----Original Message-----
From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: Re: This Arab tried to attack me. [7:29190]

For your general culture, I'm Arabic. Sometimes I receive viruses from messages in this board and other messages from many people in multiple countries. I do not consider them personal attacks and I'm not angry with anybody. This board is for Arabs, Jews, US citizens, Chinese... to share their technical knowledge and exchange experiences, not for off-topics. If you have problems with this guy, please deal with him directly and leave this board for Cisco subjects.
"Jon Street" wrote in message: [EMAIL PROTECTED]
> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29238&t=29190
Re: This Arab tried to attack me. [7:29190]
For your general culture, I'm Arabic. Sometimes I receive viruses from messages in this board and other messages from many people in multiple countries. I do not consider them personal attacks and I'm not angry with anybody. This board is for Arabs, Jews, US citizens, Chinese... to share their technical knowledge and exchange experiences, not for off-topics. If you have problems with this guy, please deal with him directly and leave this board for Cisco subjects.

"Jon Street" wrote in message: [EMAIL PROTECTED]
> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29219&t=29190
Re: This Arab tried to attack me. [7:29190]
Can we just invest in a decent mail reader? Or maybe download Pegasus.. it's free! Anyone for elm?

>>> "Chris White" 12/14/01 11:55AM >>>
I have received numerous viruses from people on this list including the individual you mentioned. I do not consider them personal attacks. This message on the other hand. This type of nonsense just feeds ignorance and hatred and is inappropriate for this forum.

On Fri, 14 Dec 2001, Jon Street wrote:
> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29214&t=29190
Re: This Arab tried to attack me. [7:29190]
I have received numerous viruses from people on this list including the individual you mentioned. I do not consider them personal attacks. This message on the other hand. This type of nonsense just feeds ignorance and hatred and is inappropriate for this forum.

On Fri, 14 Dec 2001, Jon Street wrote:
> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29199&t=29190
RE: This Arab tried to attack me. [7:29190]
Worm? If I said that about all the viruses I have had pop up here in the last few months, I'd have no friends left at all. I personally think he got tagged and that it was unintentional on his part. MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29203&t=29190
Re: This Arab tried to attack me. [7:29190]
He is infected with a virus and is sending that worm to everyone that posts. He probably does not even know that he is infected. Just every message he receives gets a little thank-you note from the virus. You are probably now going to start a backlash on GroupStudy that we do not need. Frankly I think you owe him and the Arab community an apology. Last week, I removed him from the list. But any message sent before the removal will still receive the virus. Of course he is more than welcome to return once the virus has been cleaned. Paul

----- Original Message -----
From: "Jon Street"
Newsgroups: groupstudy.cisco
Sent: Friday, December 14, 2001 8:56 AM
Subject: This Arab tried to attack me. [7:29190]

> Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29198&t=29190
This Arab tried to attack me. [7:29190]
Muhammad Alkhattab e-mail address [EMAIL PROTECTED] must have taken offence to my statements about those who said on this forum about us needing to understand the terrorists' issues and why they are so angry with us. This little worm tried sending me viruses to screw up my computer. I just wanted to let everyone know who this person is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29190&t=29190
What steps to take under *any* attack? [7:23336]
Hi! I have a couple of questions with regard to security attacks (for beginners like me!), if you suspect this will happen to you. Say you have a PIX with a Cisco router, your inbound traffic is very high and the PIX logs are filling up with lots of port scanning, connection drops, DoS attacks, Nimda, etc. What would you do in the first place? Any steps or procedures people practice? As for my suggestion, if the logs show an http attack (based on the destination port), I will intend to debug ip http traffic in the router, then probably ip icmp traffic. If most of the traffic is inbound, I would immediately apply the access-list to filter all the inbound http traffic. Any suggestion? Regards, Ryan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23336&t=23336
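Before debugging on the router or blanket-filtering inbound http, the first step is to make the PIX log tell you who is doing what. The script below is an added example for this thread, not code from any poster: it reads a batch of PIX deny messages, counts denies per outside source, separates a vertical port scan (one source, many ports on one host) from a horizontal sweep (one source, one port across many hosts, the Nimda pattern), and prints candidate ACL lines so the block you apply is targeted at the offenders rather than at all of port 80. The log lines are constructed samples; the %PIX-4-106023 and %PIX-2-106001 layouts are assumed from the PIX 6.x syslog format and should be checked against your release.

```python
"""PIX deny-log triage: added example, not from the thread. Log lines are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample batch (assumed PIX 6.x message layouts): 203.0.113.5 walks
# service ports on one inside host, 198.51.100.7 hits port 80 on many hosts,
# one stray UDP deny, and one non-deny line the parser must ignore.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3001 dst inside:192.0.2.10/21 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3002 dst inside:192.0.2.10/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3003 dst inside:192.0.2.10/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3004 dst inside:192.0.2.10/25 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3005 dst inside:192.0.2.10/110 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3006 dst inside:192.0.2.10/135 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3007 dst inside:192.0.2.10/139 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/3008 dst inside:192.0.2.10/445 by access-group "outside_in"
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40001 to 192.0.2.10/80 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40002 to 192.0.2.11/80 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40003 to 192.0.2.12/80 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40004 to 192.0.2.13/80 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40005 to 192.0.2.14/80 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40006 to 192.0.2.15/80 flags SYN on interface outside
%PIX-4-106023: Deny udp src outside:198.51.100.200/53 dst inside:192.0.2.10/1025 by access-group "outside_in"
Dec 14 13:29:00 pix %PIX-6-302001: Built inbound TCP connection 12 for faddr 198.51.100.9/1200 gaddr 192.0.2.10/80 laddr 10.1.1.10/80
"""

RE_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
RE_106001 = re.compile(
    r'%PIX-2-106001: Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dst>[\d.]+)/(?P<dport>\d+) flags .+? on interface (?P<sif>\w+)')


def parse_pix(line):
    """Normalise the two deny message types into one dict; anything else returns None."""
    m = RE_106023.search(line) or RE_106001.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d.get("proto", "tcp").lower(), "iface": d["sif"],
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def triage(log_text, scan_ports=8, sweep_hosts=5):
    """Count denies per outside source; flag vertical scans and horizontal sweeps."""
    hits = Counter()
    ports_by_src = defaultdict(set)            # src -> distinct destination ports
    hosts_by_src_port = defaultdict(set)       # (src, dport) -> distinct destination hosts
    for line in log_text.splitlines():
        ev = parse_pix(line)
        if ev is None or ev["iface"] != "outside":
            continue                           # only inbound denies on the outside interface
        hits[ev["src"]] += 1
        ports_by_src[ev["src"]].add(ev["dport"])
        hosts_by_src_port[(ev["src"], ev["dport"])].add(ev["dst"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports)
    sweeps = sorted((s, p) for (s, p), h in hosts_by_src_port.items() if len(h) >= sweep_hosts)
    return {"hits": hits, "scanners": scanners, "sweeps": sweeps}


def suggest_acl(result, acl="outside_in"):
    """Candidate PIX access-list lines for the findings; review before applying."""
    lines = [f"access-list {acl} deny ip host {src} any" for src in result["scanners"]]
    lines += [f"access-list {acl} deny tcp host {src} any eq {port}" for src, port in result["sweeps"]]
    return lines


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for src, n in res["hits"].most_common():
        print(f"{src:16} {n:4d} denies")
    print("scanners:", res["scanners"], "sweeps:", res["sweeps"])
    print("\n".join(suggest_acl(res)))
```

Run it against a real `logging` export (or a syslog server file) instead of SAMPLE_LOG; the thresholds `scan_ports` and `sweep_hosts` are deliberately tunable, because on a busy PIX a handful of denies per source is normal background noise and only the outliers are worth an ACL entry.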
RE: Denial of service attack prevention [7:19568]
That's some really good information. I'll definitely have to look into taking some of these measures. You can never be too secure. If I find any other strategies on the router side I'll post it. Thanks a lot guys. -- Haydn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Whalen
Sent: Thursday, September 13, 2001 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Denial of service attack prevention [7:19568]

Here's a good Solaris security article, likely applicable to other *nixes.. http://www.samag.com/articles/2000/0013/0013c/0013c.htm Brian "Sonic" Whalen Success = Preparation + Opportunity

On Thu, 13 Sep 2001, MADMAN wrote:
> I don't know what else on the router you could do but there are things you can do on your host but not being a sys admin I can't get into details. Check this out:
>
> http://www.cisco.com/warp/public/707/4.html
>
> Dave
>
> Haydn Solomon wrote:
> > Actually I was asking what OTHER means than TCP intercept there was because we don't have the version that supports it. Can you answer that? I know that our version doesn't because I checked with the "?" feature and the option isn't there. In any case here is a copy of the sh ver.
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-2000 by cisco Systems, Inc.
> > Compiled Wed 27-Dec-00 13:54 by linda
> > Image text-base: 0x60010930, data-base: 0x60C46000
> >
> > ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > -- Haydn
> >
> > -----Original Message-----
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 11:05 AM
> > To: Haydn Solomon
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Denial of service attack prevention [7:19568]
> >
> > send a sh ver of your router, not all platforms support TCP Intercept.
> >
> > Dave
> >
> > Haydn Solomon wrote:
> > > Hi all,
> > >
> > > I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
> > >
> > > -Haydn
> > --
> > David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
> > "Emotion should reflect reason not guide it"
> --
> David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
> "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19929&t=19568
Re: Denial of service attack prevention [7:19568]
Here's a good Solaris security article, likely applicable to other *nixes.. http://www.samag.com/articles/2000/0013/0013c/0013c.htm Brian "Sonic" Whalen Success = Preparation + Opportunity

On Thu, 13 Sep 2001, MADMAN wrote:
> I don't know what else on the router you could do but there are things you can do on your host but not being a sys admin I can't get into details. Check this out:
>
> http://www.cisco.com/warp/public/707/4.html
>
> Dave
>
> Haydn Solomon wrote:
> > Actually I was asking what OTHER means than TCP intercept there was because we don't have the version that supports it. Can you answer that? I know that our version doesn't because I checked with the "?" feature and the option isn't there. In any case here is a copy of the sh ver.
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE (fc1)
> > Copyright (c) 1986-2000 by cisco Systems, Inc.
> > Compiled Wed 27-Dec-00 13:54 by linda
> > Image text-base: 0x60010930, data-base: 0x60C46000
> >
> > ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> > BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > -- Haydn
> >
> > -----Original Message-----
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 11:05 AM
> > To: Haydn Solomon
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Denial of service attack prevention [7:19568]
> >
> > send a sh ver of your router, not all platforms support TCP Intercept.
> >
> > Dave
> >
> > Haydn Solomon wrote:
> > > Hi all,
> > >
> > > I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
> > >
> > > -Haydn
> > --
> > David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
> > "Emotion should reflect reason not guide it"
> --
> David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
> "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19824&t=19568
Re: Denial of service attack prevention [7:19568]
I don't know what else on the router you could do but there are things you can do on your host but not being a sys admin I can't get into details. Check this out:

http://www.cisco.com/warp/public/707/4.html

Dave

Haydn Solomon wrote:
> Actually I was asking what OTHER means than TCP intercept there was because we don't have the version that supports it. Can you answer that? I know that our version doesn't because I checked with the "?" feature and the option isn't there. In any case here is a copy of the sh ver.
>
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2000 by cisco Systems, Inc.
> Compiled Wed 27-Dec-00 13:54 by linda
> Image text-base: 0x60010930, data-base: 0x60C46000
>
> ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
> BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>
> -- Haydn
>
> -----Original Message-----
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 12, 2001 11:05 AM
> To: Haydn Solomon
> Cc: [EMAIL PROTECTED]
> Subject: Re: Denial of service attack prevention [7:19568]
>
> send a sh ver of your router, not all platforms support TCP Intercept.
>
> Dave
>
> Haydn Solomon wrote:
> > Hi all,
> >
> > I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
> >
> > -Haydn
> --
> David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
> "Emotion should reflect reason not guide it"

--
David Madland, Sr. Network Engineer, CCIE# 2016, Qwest Communications Int. Inc., [EMAIL PROTECTED], 612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19773&t=19568
RE: Denial of service attack prevention [7:19568]
Actually I was asking what OTHER means than tcp intercept there was because we don't have the version that supports it. Can you answer that? I know that our version doesn't 'cause I checked with the "?" feature and the option isn't there. In any case here is a copy of the sh ver.

Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 27-Dec-00 13:54 by linda
Image text-base: 0x60010930, data-base: 0x60C46000

ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

-- Haydn

-----Original Message-----
From: MADMAN [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 11:05 AM
To: Haydn Solomon
Cc: [EMAIL PROTECTED]
Subject: Re: Denial of service attack prevention [7:19568]

send a sh ver of your router, not all platforms support TCP Intercept.

Dave

Haydn Solomon wrote:
> Hi all,
>
> I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
>
> -Haydn

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19719&t=19568
Re: Denial of service attack prevention [7:19568]
Good way to limit syn floods, nice..

Bri

----- Original Message -----
From: "Kent Hundley"
Sent: Wednesday, September 12, 2001 8:30 AM
Subject: RE: Denial of service attack prevention [7:19568]

> Go to http://www.cisco.com/go/fn and search for "TCP intercept".
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Haydn Solomon
> Sent: Wednesday, September 12, 2001 7:01 AM
> To: [EMAIL PROTECTED]
> Subject: Denial of service attack prevention [7:19568]
>
> Hi all,
>
> I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
>
> -Haydn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19622&t=19568
RE: Denial of service attack prevention [7:19568]
Go to http://www.cisco.com/go/fn and search for "TCP intercept".

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Haydn Solomon
Sent: Wednesday, September 12, 2001 7:01 AM
To: [EMAIL PROTECTED]
Subject: Denial of service attack prevention [7:19568]

Hi all,

I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.

-Haydn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19601&t=19568
Re: Denial of service attack prevention [7:19568]
send a sh ver of your router, not all platforms support TCP Intercept.

Dave

Haydn Solomon wrote:
> Hi all,
>
> I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.
>
> -Haydn

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
612-664-3367

"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19595&t=19568
Denial of service attack prevention [7:19568]
Hi all,

I was recently reading an article on Cisco's site about strategies for preventing denial of service attacks. They mentioned the ip intercept configuration feature for IOS version 11.3. However our routers are running version 12.0 and don't have that feature. Does anyone out there know what other effective strategies can be used to prevent this kind of attack on IOS versions other than 11.3? Any input will be appreciated, thanks.

-Haydn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19568&t=19568
AT&T Telco response to the terrorist attack [7:19466]
Regarding this terrible tragedy, this message from AT&T was circulated to the network staff at my company. I thought it might be of interest to the group.

dave h

Subject: AT&T Code YELLOW URGENT!!

All AT&T provisioning and cutovers are cancelled. AT&T has moved to code YELLOW.

2.07 Condition YELLOW: can be implemented when the Government's emergency action procedures have been placed in a "readiness" posture. This alert will be used when a military or political situation deteriorates. It envisions a period of indefinite length and scope.

A. All CONDITION GRAY restrictions invoked by the NOC shall be followed. In addition to those precautions, the following security measures should be observed as well as any measures the NOC may add.

B. All critical locations require 7X24 guard and Network Operations coverage. This includes 7X24 security guards stationed outside of all critical building entry points.

C. All major facility locations (more than 250 T3s) and all international cable landings, to have either 7X24 guard coverage or 7X24 Network Operations coverage.

D. All other locations should have coverage not less than which is considered "normal".

E. The Network Operations Center (NOC), the Regional Network Operations Centers (RNOCs), the Network Control Centers (NCCs) and the National Electronic System Assistance Centers (NESACs) will have 7X24 coverage.

F. For locations with dedicated Government services, e.g. FTS-2000, DCTN, etc., ensure that the coverage meets at least minimum required coverage.

G. Consideration shall be given to increasing the frequency of patrols to once each 12 hours to cover critical locations, if consistent with the safety of the personnel.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=19466&t=19466
Re: PIX static command and em_limit - SYN attack [7:17994]
I put 4 for max_conns and 100 for emb_limit. I haven't got any hard evidence that this is the best way for a webserver, but it works ;)

emb_limit just limits how many connections are held that have not completed the TCP 3-way handshake, thereby stopping SYN attacks from reaching the server. Once emb_limit is reached, subsequent attempts are dropped until timeout is reached on other held connections. Subsequent connections from that source IP will be dropped to keep it from keeping emb_limit full. Otherwise you'd have a DOS of your own making just from setting this value.

If you wanted to truly set this at realistic values you would have to do some testing to see what normal embryonic connection values you have during peak hours under normal circumstances. Just my way of thinking, but I'd add about 50% - 200% to that value just in case you get a sudden influx of legitimate users trying to access the server. Keep an eye on log files for the server (assuming it's a web server and you log this information). In IIS and Apache it will tell you how many users dropped connection, gave up before it loaded, etc if you have a log file analyzer (I use ANALOG - it's free). Obviously setting this too low could make end users fairly angry. ;)

Again, IMHO, Max_conns should be set to whatever you believe the max # of simultaneous users your server can handle. The only way to get a true feeling for what this is would be to download some software to test the limits of your server. I know there are some free ones out there but I haven't used any myself. Web development took care of that for me. ;)

Sooo...umm...I guess you could say there really isn't an answer that applies to everyone. Obviously someone like yahoo.com would have much higher numbers on both settings compared to Joe Blow's web page on raising hamsters.

Did I help? Confuse? Either way I accomplished something on only 1 cup of coffee ;) (by the way, that's a disclaimer for any inadvertent idiotic comments made above).

The opinions of my fingers and tired brain are not necessarily my own.

Allen

----- Original Message -----
From: "Bill Carter"
Sent: Thursday, August 30, 2001 7:53 PM
Subject: PIX static command and em_limit - SYN attack [7:17994]

> I am installing a PIX. In the static commands the last switch is for the limit on embryonic connects.
>
> static (DMZ,outside) X.X.X.15 192.168.1.13 netmask 255.255.255.255 0 0
>
> Every sample configuration I have seen leaves this value at 0. I hate to bring logic into this but, logic tells me that I would want to put a limit on embryonic sessions to protect against SYN attacks. What is a reasonable limit to put on this balancing security and availability? 20, 100, 500?
>
> What value do you use in real world implementations???
>
> From CCO: watch the wrap.
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid1006867
>
> The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections
>
> ^-^-^-^-^-^-^-^-^-^-^
> Bill Carter
> CCIE 5022
> ^-^-^-^-^-^-^-^-^-^-^

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18104&t=17994
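The emb_limit behaviour Allen describes, worked through as an added example (not Cisco code and not from the thread): a simplified model of the PIX static's max_conns/emb_limit counters, a SYN flood that fills the half-open table, the self-inflicted refusal of a real client while it is full, and his "peak plus 50% to 200%" sizing rule. Addresses, ports and limits are constructed.

```python
"""Model of the PIX 'static ... max_conns emb_limit' behaviour discussed in the thread.

Added illustration, not Cisco code: the connection table is a simplified model,
and the addresses, ports and limits below are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class StaticLimits:
    """The two trailing numbers of the PIX 'static' command. 0 means unlimited."""
    max_conns: int = 0
    emb_limit: int = 0


@dataclass
class ConnTable:
    """Tracks half-open (embryonic) and completed connections to one protected host."""
    limits: StaticLimits
    embryonic: set = field(default_factory=set)
    established: set = field(default_factory=set)
    dropped: Counter = field(default_factory=Counter)

    def syn(self, src: str, sport: int) -> bool:
        """A new SYN from the outside. Returns True if the firewall admits it."""
        # emb_limit: once this many handshakes are pending, further SYNs are
        # dropped until embryonic timers expire on the held entries.
        if self.limits.emb_limit and len(self.embryonic) >= self.limits.emb_limit:
            self.dropped["emb_limit"] += 1
            return False
        # max_conns, simplified here as pending plus completed connections.
        total = len(self.embryonic) + len(self.established)
        if self.limits.max_conns and total >= self.limits.max_conns:
            self.dropped["max_conns"] += 1
            return False
        self.embryonic.add((src, sport))
        return True

    def handshake_complete(self, src: str, sport: int) -> bool:
        """Final ACK of the three-way handshake moves the entry to established."""
        key = (src, sport)
        if key not in self.embryonic:
            return False
        self.embryonic.remove(key)
        self.established.add(key)
        return True

    def embryonic_timeout(self, src: str, sport: int) -> None:
        """The half-open entry timed out; its slot is freed."""
        self.embryonic.discard((src, sport))


def suggest_emb_limit(peak_embryonic: int, headroom: float = 1.0) -> int:
    """Rule of thumb from the post: measured peak half-open count plus 50% to 200%."""
    if not 0.5 <= headroom <= 2.0:
        raise ValueError("headroom should be between 0.5 and 2.0 (50% to 200%)")
    return int(peak_embryonic * (1 + headroom))


def run_syn_flood_scenario(emb_limit: int = 100, flood_syns: int = 500) -> dict:
    """Constructed scenario: a flood of never-completed SYNs, then a legitimate client."""
    table = ConnTable(StaticLimits(max_conns=0, emb_limit=emb_limit))
    flood = [("198.51.100.7", 1024 + i) for i in range(flood_syns)]  # constructed source
    flood_accepted = sum(1 for src, sport in flood if table.syn(src, sport))
    flood_dropped = table.dropped["emb_limit"]
    # While the table is full of half-open entries a real client is refused too:
    # the self-inflicted denial of service the post warns about if the limit sits
    # below the normal peak.
    legit_during_flood = table.syn("203.0.113.5", 40000)
    # Embryonic timers expire on the held flood entries and free the slots.
    for src, sport in flood:
        table.embryonic_timeout(src, sport)
    legit_after = table.syn("203.0.113.5", 40001) and table.handshake_complete("203.0.113.5", 40001)
    return {
        "flood_accepted": flood_accepted,
        "flood_dropped": flood_dropped,
        "legit_during_flood": legit_during_flood,
        "legit_after_timeout": legit_after,
        "established": len(table.established),
    }


if __name__ == "__main__":
    print(run_syn_flood_scenario())
    print("suggested emb_limit for a measured peak of 40:", suggest_emb_limit(40, headroom=1.0))
```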
PIX static command and em_limit - SYN attack [7:17994]
I am installing a PIX. In the static commands the last switch is for the limit on embryonic connects.

static (DMZ,outside) X.X.X.15 192.168.1.13 netmask 255.255.255.255 0 0 <---

Every sample configuration I have seen leaves this value at 0. I hate to bring logic into this but, logic tells me that I would want to put a limit on embryonic sessions to protect against SYN attacks. What is a reasonable limit to put on this balancing security and availability? 20, 100, 500?

What value do you use in real world implementations???

From CCO: watch the wrap.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid1006867

The embryonic connection limit. An embryonic connection is one that has started but not yet completed. Set this limit to prevent attack by a flood of embryonic connections. The default is 0, which means unlimited connections

^-^-^-^-^-^-^-^-^-^-^
Bill Carter
CCIE 5022
^-^-^-^-^-^-^-^-^-^-^

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17994&t=17994
Re: Unable to detect source for attack [7:17095]
thank you

You have been very helpful

regards,
suaveguru

--- Tony Medeiros wrote:
> With all due respect Farhan, if he uses "debug ip packet detail" on a production router, he WON'T be having a very nice day. Good way to crash the router.
>
> A better way is set up flow cache.
>
> (config-if) ip route-cache flow
> # show ip cache flow
>
> This will show you source and dest. pair, and the ports you're looking for.
> Tony M.
> (Can't sleep)
>
> ----- Original Message -----
> From: "Farhan Ahmed"
> Sent: Friday, August 24, 2001 11:12 PM
> Subject: RE: Unable to detect source for attack [7:17095]
>
> > command
> >
> > debug ip packet detail
> >
> > Best Regards
> >
> > Have A Good Day!!
> >
> > Farhan Ahmed
> > MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> > Network Engineer
> > Mideast Data Systems Abudhabi Uae.
> >
> > > -----Original Message-----
> > > From: suaveguru [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, August 24, 2001 9:54 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Unable to detect source for attack [7:17095]
> > >
> > > hi all,
> > >
> > > I am not able to detect the type of an ip attack on an interface. All I can detect is the source and destination ip addresses using ip accounting but I could not block the ip addresses because they are all in use. All I can do is to find out what kind of traffic is causing the attack for e.g. tcp, udp, sync etc. but what tools could I use?
> > >
> > > regards,
> > > suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17311&t=17095
Re: Unable to detect source for attack [7:17095]
With all due respect Farhan, if he uses "debug ip packet detail" on a production router, he WON'T be having a very nice day. Good way to crash the router.

A better way is set up flow cache.

(config-if) ip route-cache flow
# show ip cache flow

This will show you source and dest. pair, and the ports you're looking for.
Tony M.
(Can't sleep)

----- Original Message -----
From: "Farhan Ahmed"
Sent: Friday, August 24, 2001 11:12 PM
Subject: RE: Unable to detect source for attack [7:17095]

> command
>
> debug ip packet detail
>
> Best Regards
>
> Have A Good Day!!
>
> Farhan Ahmed
> MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> Network Engineer
> Mideast Data Systems Abudhabi Uae.
>
> > -----Original Message-----
> > From: suaveguru [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 24, 2001 9:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: Unable to detect source for attack [7:17095]
> >
> > hi all,
> >
> > I am not able to detect the type of an ip attack on an interface. All I can detect is the source and destination ip addresses using ip accounting but I could not block the ip addresses because they are all in use. All I can do is to find out what kind of traffic is causing the attack for e.g. tcp, udp, sync etc. but what tools could I use?
> >
> > regards,
> > suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17232&t=17095
RE: Unable to detect source for attack [7:17095]
command

debug ip packet detail

Best Regards

Have A Good Day!!

Farhan Ahmed
MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.

> -----Original Message-----
> From: suaveguru [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 24, 2001 9:54 AM
> To: [EMAIL PROTECTED]
> Subject: Unable to detect source for attack [7:17095]
>
> hi all,
>
> I am not able to detect the type of an ip attack on an interface. All I can detect is the source and destination ip addresses using ip accounting but I could not block the ip addresses because they are all in use. All I can do is to find out what kind of traffic is causing the attack for e.g. tcp, udp, sync etc. but what tools could I use?
>
> regards,
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17228&t=17095
Unable to detect source for attack [7:17095]
hi all,

I am not able to detect the type of an ip attack on an interface. All I can detect is the source and destination ip addresses using ip accounting but I could not block the ip addresses because they are all in use. All I can do is to find out what kind of traffic is causing the attack for e.g. tcp, udp, sync etc. but what tools could I use?

regards,
suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17095&t=17095
Re: tools for detecting DOS attack other than ip accounting [7:16211]
(assuming access-lists are configured; a simple permit any any works for this even, but specific networks or higher layer traffic you want to match works better)

show access-lists (look at the number of matches increasing)
show interface (look at load x/255, 30 second input rate x bits/sec, x packets/sec)
show interface stats
show interface switching
show interface accounting

(assuming you have netflow configured)

show ip cache flow

You could use about a billion other things to detect DoS attacks (even with Cisco routers). You might be able to get some of the information above via SNMP. You could graph it with mrtg/rrdtool/cricket/flowscan (caida) or even commercial tools like CiscoWorks IPM, HPOV NNM, Concord eHealth, and about a billion other tools.

It is generally recommended that you capture all traffic with a sniffer, if at all possible. There are a few free tools and commercial products in this category, as well; popular ones include tcpdump, snoop, ethereal, and SnifferPro.

I think that NetFlow is a good way to detect DoS attacks, especially if you graph it. Because NetFlow (or sFlow, or NeTraMet, etc and also probably RMON and IP accounting) gets a lot of the packet sizes, protocol distributions, prefix and interface traffic statistics for src/dst pairs (aka flow), etc etc... it is really obvious right away what type of attack you are getting, etc. However, sometimes it's not perfect, so having a complete dump of the traffic on your network via a sniffer is really ideal. Working with sniffer data and graphing it in real time is more complex than using NetFlow or similar technology, but that's really up to you to decide what you want to do.

Matches on access-lists seems to be a very popular way of dealing with detecting if a DoS attack occurred (but this is generally after the fact). Having a good combination of all of the above wouldn't hurt either. It really depends on the problem you are trying to solve and the resources you know / have available / etc.

Are you trying to detect DoS attacks real-time? Are you trying to track down who is sending the packets to you? Are you trying to identify the attacks so you can come up with ways to prevent them? Most important would be a written policy and procedure for dealing with DoS attacks coming into and outside of your network. Then, spec out the technology to fit your requirements.

Good luck.

-dre

"suaveguru" wrote in message news:[EMAIL PROTECTED]...
> hi all
>
> anyone knows if there are any tools to detect DOS attack on network other than turning on ip accounting at the routers because ip accounting utilises very much CPU resources on the router
>
> any inputs will be greatly appreciated
>
> regards
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16211&t=16211
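Both Tony's "show ip cache flow" suggestion in the earlier thread and dre's NetFlow recommendation above come down to reading the flow cache for the pattern a flood leaves behind. As an added example, not from either poster, here is a parser for the IOS cache-flow column layout (protocol and ports are printed in hex) and a detector that flags a destination port receiving many one-packet flows from many sources; the cache-flow text is a constructed sample and the thresholds are assumptions to tune against your own baseline.

```python
"""Spotting a flood in 'show ip cache flow' output.

Added example, not from the thread: the cache-flow text is a constructed sample in
the IOS column layout (protocol and ports in hexadecimal), and the detection
thresholds are assumptions to tune against your own baseline.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Per-flow row: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int
    sport: int
    dport: int
    pkts: int


@dataclass(frozen=True)
class FloodAlert:
    proto: str
    dst: str
    dport: int
    flows: int
    distinct_sources: int
    single_packet_flows: int


def parse_cache_flow(text: str) -> list:
    """Keep only the per-flow rows; header, size-distribution and summary lines do not match."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(m[1], m[2], m[3], m[4], int(m[5], 16),
                              int(m[6], 16), int(m[7], 16), int(m[8])))
    return flows


def find_floods(flows, min_flows: int = 50, single_pkt_ratio: float = 0.9) -> list:
    """A SYN (or small-UDP) flood shows as many one-packet flows from many sources to one dst:port."""
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f.proto, f.dst, f.dport)].append(f)
    alerts = []
    for (proto, dst, dport), group in by_target.items():
        if len(group) < min_flows:
            continue
        single = sum(1 for f in group if f.pkts == 1)
        if single / len(group) >= single_pkt_ratio:
            alerts.append(FloodAlert(PROTO_NAMES.get(proto, str(proto)), dst, dport,
                                     len(group), len({f.src for f in group}), single))
    return alerts


def top_sources_by_packets(flows, n: int = 3) -> list:
    """Volume view: who sends the most packets. A flood of one-packet flows need not show up here."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.pkts
    return totals.most_common(n)


def build_sample() -> str:
    """Constructed 'show ip cache flow' excerpt: 60 one-packet SYNs to 192.0.2.10:80 from
    60 different sources, two real HTTP sessions and one DNS flow."""
    rows = ["SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts"]
    for i in range(60):
        rows.append(f"Se0/0         198.51.100.{i + 1:<4}Et0/0         192.0.2.10      "
                    f"06 {0x400 + i:04X} 0050     1")
    rows.append("Se0/0         203.0.113.5     Et0/0         192.0.2.10      06 9C40 0050   145")
    rows.append("Se0/0         203.0.113.8     Et0/0         192.0.2.10      06 9C41 0050   230")
    rows.append("Se0/0         203.0.113.9     Et0/0         192.0.2.11      11 0035 0035     3")
    return "\n".join(rows)


if __name__ == "__main__":
    sample = parse_cache_flow(build_sample())
    for a in find_floods(sample):
        print(f"possible {a.proto} flood on {a.dst}:{a.dport}: "
              f"{a.flows} flows from {a.distinct_sources} sources, {a.single_packet_flows} single-packet")
    print("top sources by packets:", top_sources_by_packets(sample))
```

Note the contrast the sample is built to show: the flood is obvious by flow count, while the volume view still ranks a legitimate client first, which is why dre's point about graphing flow statistics rather than raw byte counts matters.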
Re: tools for detecting DOS attack other than ip accounting [7:16156]
Well, I would recommend using an IDS and a span port on a switch. Snort (http://www.snort.org) is an open source intrusion detection system that ties into tools like syslog and swatch and can accurately report intrusion and denial of service attempts, allowing you to then decide how to respond. These tools would generally rely on a unix system attached to a switch span port on the lan side of your router.

--
Kevin
http://www.siliconsamurai.net

> hi all
>
> anyone knows if there are any tools to detect DOS attack on network other than turning on ip accounting at the routers because ip accounting utilises very much CPU resources on the router
>
> any inputs will be greatly appreciated
>
> regards
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16156&t=16156
tools for detecting DOS attack other than ip accounting [7:16139]
hi all

anyone knows if there are any tools to detect DOS attack on network other than turning on ip accounting at the routers because ip accounting utilises very much CPU resources on the router

any inputs will be greatly appreciated

regards

suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16139&t=16139
RE: CBAC and DOS attack [7:9748]
For me, the best analogy for CBAC is that it's like a really smart "established" keyword in access-lists. You still apply your access-list in the inbound direction, and it's still the access-list that blocks traffic, but the CBAC inspection commands make the access-list smart. In order for the access-list to "know" what to let in, the router has to pay attention to (i.e. "inspect") the outgoing traffic. So, you inspect your outbound traffic so that your access-lists can let the appropriate return traffic back in.

That being said, the CBAC feature also does some sanity checking on packets and can drop packets that it thinks are illegal even if no access-lists are configured in the router. You'll almost never encounter this, but it's handy to know about.

HTH
Dana

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=10204&t=9748
Re: CBAC and DOS attack [7:9748]
Have you seen the latest Cisco Security book??? It's a little clearer than what I have been able to find on the CCO, dealing with the Firewall IOS (explains all the nuances & features of these access-lists). Have you tried ConfigMaker when setting the default values for the reflexive access lists & the inspects?

If this were say an Internet connection (cable modem in my case) you want to inspect on the facing out interface, but apply the rule for the incoming.

Did I come close to answering the question???

Phil

----- Original Message -----
From: "Vyacheslav Luschinsky"
Sent: Monday, June 25, 2001 9:01 AM
Subject: CBAC and DOS attack [7:9748]

> I have some trouble in understanding how to use firewall set (CBAC) to limit half open inbound sessions from Internet.
> First you have to identify traffic
>
> ip inspect name myname tcp
>
> then you have to put it on interface.
> cisco examples show only one situation when you need to allow sessions from your local LAN. So it is not clear should I apply inspecting to inbound traffic on serial int. or outbound for ethernet int.
> Did anyone deal with it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=9777&t=9748
CBAC and DOS attack [7:9748]
I have some trouble in understanding how to use firewall set (CBAC) to limit half open inbound sessions from Internet.
First you have to identify traffic

ip inspect name myname tcp

then you have to put it on interface.
cisco examples show only one situation when you need to allow sessions from your local LAN. So it is not clear should I apply inspecting to inbound traffic on serial int. or outbound for ethernet int.
Did anyone deal with it?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=9748&t=9748
RE: Dos Attack [7:7049]
Hi Kent,

Do you know about netflow switching, must I enable that?

Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 1:05 AM
To: [EMAIL PROTECTED]; Andy Low
Subject: RE: Dos Attack [7:7049]

In my experience, no. I've turned on IP accounting on routers doing hundreds of megabits of traffic with no noticeable effects. Course, there is always the potential for bugs/instabilities in the code, but barring this I think you should be fine. Just watch the CPU via "sh proc cpu" before and immediately after turning on IP accounting. If you start seeing the CPU spike very high you can always disable the accounting.

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:
> Hi Kent,
>
> Will IP accounting halt the router given 50Mbps of traffic passing through?
>
> regards,
>
> andy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2001 5:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Dos Attack [7:7049]
>
> Andy,
>
> 1) Enable IP accounting on the router interface "closest" to the traffic in question. Watch the output of "sh ip account" and you should be able to tell fairly quickly what the originating IP address is of the offending station
>
> 2) Now you have the IP, you know which segment the station is on, look at the local router's arp table to determine the MAC address
>
> 3) Look at the switch(s) to find the port the MAC is on and then trace to the physical station and investigate
>
> Regards,
> Kent
>
> On 4 Jun 2001, at 8:03, Andy Low wrote:
> > Hi,
> >
> > If there is a machine within my network generating high load of traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command should I use to check? On the catalyst switch which command can I use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7682&t=7049
RE: grc.com under a DOS attack [7:7377]
I dunno about Priscilla and her DOS attacks... I seem to remember routergod.com taking an awful long time to load once her interview with Fabio was uploaded. Hrrrmmm...

-----Original Message-----
From: ElephantChild
Sent: Thu 6/7/2001 5:20 AM
To: Logan, Harold
Cc: [EMAIL PROTECTED]
Subject: Re: grc.com under a DOS attack [7:7377]

On Wed, 6 Jun 2001, Logan, Harold wrote:
> Hrmm... I don't know how much bandwidth the good people at grc have from their ISP, but considering the number of people that have been referred to the site from this list, and considering that the site is unavailable right now, I'd say it looks like Priscilla just engineered a DOS attack on the poor people at grc.com. Poor guys. Maybe I'll get to read the article after the entire networking community gets done reading it.
>
> =)

That wouldn't be the first time, I think. That a DOS attack occurs inadvertently, I mean, not that our resident Priscilla engineers one. Look up "slashdot effect" in the Jargon File.

--
"Someone approached me and asked me to teach a javascript course. I was about to decline, saying that my complete ignorance of the subject made me unsuitable, then I thought again, that maybe it doesn't, as driving people away from it is a desirable outcome." --Me

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7537&t=7377
RE: Dos Attack [7:7049]
In my experience, no. I've turned on IP accounting on routers doing hundreds of megabits of traffic with no noticeable effects. Course, there is always the potential for bugs/instabilities in the code, but barring this I think you should be fine. Just watch the CPU via "sh proc cpu" before and immediately after turning on IP accounting. If you start seeing the CPU spike very high you can always disable the accounting.

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:

> Hi Kent,
>
> Will IP accounting halt the router given 50Mbps of traffic passing
> through?
>
> regards,
>
> andy
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Wednesday, June 06, 2001 5:24 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Dos Attack [7:7049]
>
> Andy,
>
> 1) Enable IP accounting on the router interface "closest" to the
> traffic in question. Watch the output of "sh ip account" and you
> should be able to tell fairly quickly what the originating IP address
> is of the offending station
>
> 2) Now you have the IP, you know which segment the station is on, look
> at the local router's arp table to determine the MAC address
>
> 3) Look at the switch(s) to find the port the MAC is on and then
> trace to the physical station and investigate
>
> Regards,
> Kent
>
> On 4 Jun 2001, at 8:03, Andy Low wrote:
>
> > Hi,
> >
> > If there is a machine within my network generating high load of
> > traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command
> > should I use to check? On the catalyst switch which command can I
> > use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7524&t=7049
Re: grc.com under a DOS attack [7:7377]
On Wed, 6 Jun 2001, Logan, Harold wrote:

> Hrmm... I don't know how much bandwidth the good people at grc have from
> their ISP, but considering the number of people that have been referred
> to the site from this list, and considering that the site is unavailable
> right now, I'd say it looks like Priscilla just engineered a DOS attack
> on the poor people at grc.com. Poor guys. Maybe I'll get to read the
> article after the entire networking community gets done reading it.
>
> =)

That wouldn't be the first time, I think. That a DOS attack occurs inadvertently, I mean, not that our resident Priscilla engineers one. Look up "slashdot effect" in the Jargon File.

--
"Someone approached me and asked me to teach a javascript course. I was about to decline, saying that my complete ignorance of the subject made me unsuitable, then I thought again, that maybe it doesn't, as driving people away from it is a desirable outcome." --Me

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7500&t=7377
RE: grc.com under a DOS attack [7:7377]
They have two T-1s. The article was just headlined by the latest SANS.org newsletter. Imagine that they are getting quite a few hits.

> -----Original Message-----
> From: Logan, Harold [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 06, 2001 1:06 PM
> To: [EMAIL PROTECTED]
> Subject: grc.com under a DOS attack [7:7377]
>
> Hrmm... I don't know how much bandwidth the good people at grc have from
> their ISP, but considering the number of people that have been referred
> to the site from this list, and considering that the site is unavailable
> right now, I'd say it looks like Priscilla just engineered a DOS attack
> on the poor people at grc.com. Poor guys. Maybe I'll get to read the
> article after the entire networking community gets done reading it.
>
> =)
>
> Date: Tue, 5 Jun 2001 23:55:49 -0400
> From: "Jennifer Cribbs"
> Subject: Re: Interesting DOS article [7:7272]
>
> That was a very interesting article. I knew things like that went on,
> but have never had a personal experience of such.
> I liked the detail that was gone into about the solution. I am
> forwarding the link to friends.
>
> Jennifer Cribbs
>
> 6/5/2001 9:52:31 PM, "Natasha" wrote:
>
> >Somewhat a long read but very enlightening.
> >The article on Windows XP was just as scary.
> >Thank you so much Priscilla, I'm going to pass your find on to some
> >other network folks that could use it.
> >
> >
> >>Priscilla Oppenheimer wrote:
> >>
> >> http://grc.com/dos/grcdos.htm
> >>
> >> Priscilla
> >>
> >> Priscilla Oppenheimer
> >> http://www.priscilla.com
> >--
> >Natasha Flazynski
> >CCNA, MCSE
> > http://www.ciscobot.com
> >My Cisco information site.
> > http://www.botbuilders.com
> >Artificial Intelligence and Linux development
>
> Have a great day!!
> Jennifer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7394&t=7377
RE: grc.com under a DOS attack [7:7377]
An article about GRC.com was also in the SANS newsletter.

Tim LeBrun
CCNA, CCDA

-----Original Message-----
From: Logan, Harold [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: grc.com under a DOS attack [7:7377]

Hrmm... I don't know how much bandwidth the good people at grc have from their ISP, but considering the number of people that have been referred to the site from this list, and considering that the site is unavailable right now, I'd say it looks like Priscilla just engineered a DOS attack on the poor people at grc.com. Poor guys. Maybe I'll get to read the article after the entire networking community gets done reading it.

=)

Date: Tue, 5 Jun 2001 23:55:49 -0400
From: "Jennifer Cribbs"
Subject: Re: Interesting DOS article [7:7272]

That was a very interesting article. I knew things like that went on, but have never had a personal experience of such. I liked the detail that was gone into about the solution. I am forwarding the link to friends.

Jennifer Cribbs

6/5/2001 9:52:31 PM, "Natasha" wrote:

>Somewhat a long read but very enlightening.
>The article on Windows XP was just as scary.
>Thank you so much Priscilla, I'm going to pass your find on to some
>other network folks that could use it.
>
>
>>Priscilla Oppenheimer wrote:
>>
>> http://grc.com/dos/grcdos.htm
>>
>> Priscilla
>>
>> Priscilla Oppenheimer
>> http://www.priscilla.com
>--
>Natasha Flazynski
>CCNA, MCSE
> http://www.ciscobot.com
>My Cisco information site.
> http://www.botbuilders.com
>Artificial Intelligence and Linux development

Have a great day!!
Jennifer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7393&t=7377
grc.com under a DOS attack [7:7377]
Hrmm... I don't know how much bandwidth the good people at grc have from their ISP, but considering the number of people that have been referred to the site from this list, and considering that the site is unavailable right now, I'd say it looks like Priscilla just engineered a DOS attack on the poor people at grc.com. Poor guys. Maybe I'll get to read the article after the entire networking community gets done reading it.

=)

Date: Tue, 5 Jun 2001 23:55:49 -0400
From: "Jennifer Cribbs"
Subject: Re: Interesting DOS article [7:7272]

That was a very interesting article. I knew things like that went on, but have never had a personal experience of such. I liked the detail that was gone into about the solution. I am forwarding the link to friends.

Jennifer Cribbs

6/5/2001 9:52:31 PM, "Natasha" wrote:

>Somewhat a long read but very enlightening.
>The article on Windows XP was just as scary.
>Thank you so much Priscilla, I'm going to pass your find on to some
>other network folks that could use it.
>
>
>>Priscilla Oppenheimer wrote:
>>
>> http://grc.com/dos/grcdos.htm
>>
>> Priscilla
>>
>> Priscilla Oppenheimer
>> http://www.priscilla.com
>--
>Natasha Flazynski
>CCNA, MCSE
> http://www.ciscobot.com
>My Cisco information site.
> http://www.botbuilders.com
>Artificial Intelligence and Linux development

Have a great day!!
Jennifer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7377&t=7377
RE: Dos Attack [7:7049]
Hi Kent,

Will IP accounting halt the router given 50Mbps of traffic passing through?

regards,

andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 06, 2001 5:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Dos Attack [7:7049]

Andy,

1) Enable IP accounting on the router interface "closest" to the traffic in question. Watch the output of "sh ip account" and you should be able to tell fairly quickly what the originating IP address is of the offending station.

2) Now you have the IP, you know which segment the station is on, look at the local router's arp table to determine the MAC address.

3) Look at the switch(s) to find the port the MAC is on and then trace to the physical station and investigate.

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
>
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
>
> Thanks
>
> Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7296&t=7049
Re: Dos Attack [7:7049]
Andy,

1) Enable IP accounting on the router interface "closest" to the traffic in question. Watch the output of "sh ip account" and you should be able to tell fairly quickly what the originating IP address is of the offending station.

2) Now you have the IP, you know which segment the station is on, look at the local router's arp table to determine the MAC address.

3) Look at the switch(s) to find the port the MAC is on and then trace to the physical station and investigate.

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
>
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
>
> Thanks
>
> Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7233&t=7049
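Kent's three steps (rank sources from "sh ip account", resolve the top one through the router's ARP table, then find its port in the switch CAM table) are a chain of lookups over command output, and the "show top" suggestion later in the thread does the first step on the switch instead. The script below is an added example written for this page, not code posted by anyone in the thread, and the three command outputs embedded in it are constructed samples shaped like IOS "show ip accounting", IOS "show ip arp" and CatOS "show cam dynamic" output, not captures from a real 7507 or 5509. It assumes IP accounting was already enabled on the interface (Kent's step 1) and that the router prints MACs as 0000.0c59.f892 while the Catalyst prints them as 00-00-0c-59-f8-92; the MAC normalization exists because that mismatch is the usual reason a manual lookup between the two tables fails.

```python
import re
from collections import defaultdict

# Constructed sample shaped like IOS "show ip accounting" output (not a real capture).
SHOW_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 10.1.20.77       192.168.5.10                 41230             59371200
 10.1.20.15       192.168.5.10                   312               187200
 10.1.20.77       192.168.5.11                 38800             55872000
 10.1.30.9        192.168.5.10                  1020               612000
"""

# Constructed sample shaped like IOS "show ip arp" output.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.77             12   0000.0c59.f892  ARPA   FastEthernet1/0
Internet  10.1.20.15              3   0050.5634.12ab  ARPA   FastEthernet1/0
Internet  10.1.30.9               7   00d0.b7a1.0c55  ARPA   FastEthernet2/0
"""

# Constructed sample shaped like CatOS "show cam dynamic" output on a Catalyst 5500.
SHOW_CAM = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
20    00-00-0c-59-f8-92            3/12 [ALL]
20    00-50-56-34-12-ab            3/7 [ALL]
30    00-d0-b7-a1-0c-55            4/1 [ALL]
"""


def normalize_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so the IOS (aabb.ccdd.eeff)
    and CatOS (aa-bb-cc-dd-ee-ff) spellings compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def top_sources(accounting_output, limit=3):
    """Step 1: sum bytes per source IP across all destinations and rank them."""
    totals = defaultdict(int)
    row = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")
    for line in accounting_output.splitlines():
        m = row.match(line)
        if m:
            totals[m.group(1)] += int(m.group(4))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]


def arp_lookup(arp_output):
    """Step 2: map IP -> (normalized MAC, router interface) from 'show ip arp'."""
    table = {}
    row = re.compile(r"Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)")
    for line in arp_output.splitlines():
        m = row.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(3)), m.group(4))
    return table


def cam_lookup(cam_output):
    """Step 3: map normalized MAC -> (VLAN, switch port) from 'show cam dynamic'."""
    table = {}
    row = re.compile(r"\s*(\d+)\s+([0-9a-fA-F-]{17})\s+(\S+)")
    for line in cam_output.splitlines():
        m = row.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (m.group(1), m.group(3))
    return table


def locate_top_talker(accounting_output, arp_output, cam_output):
    """Chain the three lookups for the busiest source; None if no accounting rows."""
    ranked = top_sources(accounting_output, limit=1)
    if not ranked:
        return None
    ip, total_bytes = ranked[0]
    arp = arp_lookup(arp_output)
    if ip not in arp:
        # Not on a segment attached to this router: repeat from the router that
        # owns that segment, since its ARP table is the one that knows the MAC.
        return {"ip": ip, "bytes": total_bytes, "mac": None, "port": None}
    mac, iface = arp[ip]
    vlan, port = cam_lookup(cam_output).get(mac, (None, None))
    return {"ip": ip, "bytes": total_bytes, "mac": mac,
            "router_interface": iface, "vlan": vlan, "port": port}


if __name__ == "__main__":
    print(locate_top_talker(SHOW_IP_ACCOUNTING, SHOW_IP_ARP, SHOW_CAM))
```

Summing per source rather than per flow matters: in the sample the busiest host splits its traffic over two destinations, so the single largest row would not rank it first. When the ARP lookup misses, the result carries the IP but no port, which is the cue to move to the router that actually fronts that subnet.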
Re: Dos Attack [7:7049]
Don't know of any way to tell within the router/switch unless you check the traffic statistics on every single port.. I would love to know of a good way with just the router and switch to do just this... I've always had Sniffer Pro available, and it'll pinpoint your biggest "talkers" in which case you know the MAC address and can check the CAM on the switch to see which port it's connected to.

Mike W.

"Andy Low" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> If there is a machine within my network generating high load of traffic, how
> can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command should I
> use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
>
> Thanks
>
> Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7185&t=7049
RE: Dos Attack [7:7049]
Hi Andy

Try this command on catalyst 5509: "show top". It gives the top stations report.

> -----Original Message-----
> From: Andy Low [SMTP:[EMAIL PROTECTED]]
> Sent: Mon, June 04, 2001 3:03 PM
> To: [EMAIL PROTECTED]
> Subject: Dos Attack [7:7049]
>
> Hi,
>
> If there is a machine within my network generating high load of traffic,
> how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command should
> I use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
>
> Thanks
>
> Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7051&t=7049
Dos Attack [7:7049]
Hi,

If there is a machine within my network generating high load of traffic, how can I detect the machine asap?

I have cisco 7507 routers and catalyst 5509 switches. Which command should I use to check? On the catalyst switch which command can I use to find out port the machine is plugged to?

Thanks

Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=7049&t=7049