Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Michael Stone

On Thu, Jul 27, 2000 at 08:56:21AM +0100, Nuno Faria wrote:
 Yes, I had already noticed that when I ping a machine, the packets show
 up in tcpdump as a series of echo-requests and echo-replies, but in this
 case I can't find the echo-requests.

Try "tcpdump icmp". That will show you all icmp traffic. Look for echo
requests coming from the remote system, especially going to a broadcast
address. (Something like x.x.x.255) Let us know what you find.

-- 
Mike Stone


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Nuno Faria
Yes, I had already noticed that when I ping a machine, the packets show
up in tcpdump as a series of echo-requests and echo-replies, but in this
case I can't find the echo-requests.

I do think that the computer address the attacks are coming from is
probably not correct, as it changes quite frequently.

As I write this e-mail, my computer is being attacked. I logged the
output of a few seconds of tcpdump host xenon4 to the file
http://xenon4.fe.up.pt/tcpdump_results .

I would have no problem assuming that someone had compromised my
computer, but this problem happens on all computers on the local network
that run Linux or Digital Unix. That's why I think it could be an exploit
of some particularity specific to Unix systems.

Nuno Faria




John Vivian wrote:
 
 From the looks of things, your computer (neural1.fe.up.pt) is being
 pinged by the remote computer (bozzman.comesurfthe.net).  The output
 you quoted in your e-mail is your computer's response to the ping.
 
 A 'ping' consists of two types of ICMP packets; an echo-request,
 and an echo-reply.
 
 Take a look at the network traffic for echo-requests from the hosts
 that your machine is sending the echo-reply to; you should see them.
 
 I may be incorrect with this next statement (corrections anyone?), if
 you do not see any echo-requests that correspond to the echo-replies
 you are seeing, then it may be possible that someone has compromised
 your machines.  This is probably not the case, though I can't say for
 certain.  The bottom line is that if you see the echo-requests, then
 mystery solved.  Otherwise, you may wish to post again with more
 details.
 
 Hope this helps.  Can anyone else provide more info?
 
 --
 John Vivian
 Exxecom
 Network Security Analyst
 --
 
 -Original Message-
 From: Nuno Faria [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, July 26, 2000 2:42 PM
 To: debian-security@lists.debian.org
 Subject: icmp: echo reply? Am I being attacked?
 
 Dear list members,
 
 First of all let me state where I stand.
 
 I've been using Linux (Debian) for one year now. During this year I've
 learnt quite a lot but on the issue of network and security I'm a
 complete newbie.
 
 Now I think I have a security problem (although it is not exclusively
 mine). The problem is as follows:
 
 I am the administrator of three PCs in a local network. They all have
 real IP addresses.
 
 Sometimes, without any apparent reason, some of the computers in this
 network start producing network traffic. I do netstat and there is no
 indication of a network connection. I do tcpdump host machinename and I
 get a series of:
 
 17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
 
 not necessarily with the same machine address (bozzman.comesurfthe.net).
 The increase in the network traffic can be as high as 50kB/s.
 
 This is not a Debian or Linux specific problem as it also happens on
 another machine running Digital Unix, but on the other hand, if I change
 one of the PCs from Linux to Win NT4 the problem stops. It reappears when
 I change it back to Linux.
 
 Can you help me? Can you point me to some document I might read to find
 information related to this subject?
 
 Thanks in advance,
 
 Nuno Faria
 



Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Nuno Faria
OK, it's done!

I have tried: tcpdump icmp > tcpdump_results2 and tcpdump icmp >
tcpdump_results3.
The files are at: http://xenon4.fe.up.pt/tcpdump_results2 and
http://xenon4.fe.up.pt/tcpdump_results3

Ranko Veselinovic [EMAIL PROTECTED] sent me privately the following
e-mail which I think might be relevant for the issue in question:
___
I'm not sure but I think when you send an ICMP ECHO-Request to a
broadcast address that the whole network will answer with echo-replies.
I think this is a kind of smurf-attack and the address where the replies
were sent is the target of the attacker. You were just abused for this
attack.

greets
Ranko



Now I think I'm starting to understand what has been going on. In fact,
there are several echo requests to the address 193.136.29.0 (my IP
address is 193.136.29.189). What I still don't understand is why Windows
machines don't reply to this attack and Unix machines do. Also, do you
know how I can block this attack?

Anyway, thank you for bringing some light into my mind. At least now I
have an idea of what has been going on.

Nuno Faria


Michael Stone wrote:
 
 On Thu, Jul 27, 2000 at 08:56:21AM +0100, Nuno Faria wrote:
  Yes, I had already noticed that when I ping a machine, the packets show
  up in tcpdump as a series of echo-requests and echo-replies, but in this
  case I can't find the echo-requests.
 
 Try "tcpdump icmp". That will show you all icmp traffic. Look for echo
 requests coming from the remote system, especially going to a broadcast
 address. (Something like x.x.x.255) Let us know what you find.
 
 --
 Mike Stone



Correction to Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Nuno Faria

I'm sorry, the first line of the previous e-mail is wrong!

It was:
I have tried: tcpdump icmp > tcpdump_results2 and tcpdump icmp >
tcpdump_results3.


it should have been: 
I have tried: tcpdump icmp > tcpdump_results2 and tcpdump icmp |grep
request > tcpdump_results3.



Nuno Faria



Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Michael Stone
On Thu, Jul 27, 2000 at 01:15:13PM +0100, Nuno Faria wrote:
 Ranko Veselinovic [EMAIL PROTECTED] sent me privately the following
 e-mail which I think might be relevant for the issue in question:
 ___
 I'm not sure but I think when you send an ICMP ECHO-Request to a
 broadcast address that the whole network will answer with echo-replies.
 I think this is a kind of smurf-attack and the address where the replies
 were sent is the target of the attacker. You were just abused for this
 attack.

Yes, you've been used as a smurf amplifier. The best course of action is
to not route broadcast addresses. (I.e., packets going to .0 are blocked
at the router.) Another approach is to
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
on the Linux machines. (Try putting it in a startup script.) That will
keep them from replying to broadcast echoes.

-- 
Mike Stone
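An added detection example, not code from the thread: a small Python parser for tcpdump ICMP lines in the format quoted above that flags echo requests sent to a directed-broadcast address (last octet .0 or .255, both of which the thread mentions) and counts the echo replies each destination receives, the fan-out that marks a network as a smurf amplifier. The sample capture is constructed for the example; only the hostnames are taken from the thread.

```python
import re
from collections import Counter

# Classic tcpdump ICMP line as quoted in the thread, e.g.
#   17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
# Also accepts the newer "IP a > b: ICMP echo request, ..." layout.
ICMP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?(?P<src>\S+)\s+>\s+(?P<dst>[^:\s]+):"
    r"\s+(?:icmp:\s+|ICMP\s+)echo\s+(?P<kind>request|reply)",
    re.IGNORECASE,
)

def is_broadcast(addr):
    """Directed-broadcast heuristic from the thread: dotted quad ending in .0 or .255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts) and parts[-1] in ("0", "255")

def analyse(lines):
    """Return (list of (src, dst) broadcast echo requests, Counter of replies per dst)."""
    bcast_requests = []
    replies = Counter()
    for line in lines:
        m = ICMP_LINE.match(line.strip())
        if not m:
            continue
        kind = m["kind"].lower()
        if kind == "request" and is_broadcast(m["dst"]):
            bcast_requests.append((m["src"], m["dst"]))
        elif kind == "reply":
            replies[m["dst"]] += 1
    return bcast_requests, replies

def amplifier_verdict(lines):
    """True when the (probably spoofed) source of a broadcast echo request then
    receives more than one echo reply: the local network is amplifying a smurf."""
    bcast_requests, replies = analyse(lines)
    return any(replies[src] > 1 for src, _ in bcast_requests)

# Constructed sample capture; not the thread's real tcpdump_results files.
SAMPLE = """\
13:10:01.000100 bozzman.comesurfthe.net > 193.136.29.0: icmp: echo request
13:10:01.000300 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
13:10:01.000350 xenon4.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
13:10:01.000400 alpha.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
13:10:02.500000 neural1.fe.up.pt > xenon4.fe.up.pt: icmp: echo request
13:10:02.500200 xenon4.fe.up.pt > neural1.fe.up.pt: icmp: echo reply
""".splitlines()
```

Feed it the output of `tcpdump icmp` (or a saved results file) and a non-empty list of broadcast requests plus a reply fan-out to the same address is the amplifier pattern described in this thread.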



RE: icmp: echo reply? Am I being attacked?

2000-07-27 Thread John Vivian
Just a small correction: the broadcast address is
(typically) .255, but a bit of experimentation has
shown that pings to .0 and .255 result in the same
response.  You would be best to block both.

Also, assuming that you used the command tcpdump icmp,
you should see the echo request being sent to the broadcast
address.  Of course, as stated previously, the source of
the echo request can easily be forged.

Lastly, it seems as though Windows machines don't reply to
pings to broadcast addresses; *nix machines, however, will.
This is the likely explanation as to why all the *nix boxes
were exhibiting this behaviour.

As Michael Stone stated, broadcast traffic (at least ICMP)
should be filtered at the router.  Also disabling broadcast
ICMP on the Linux boxes is a good idea regardless of the
filtering on the router.

Hope this helps somewhat.

--
John Vivian
Exxecom
Network Security Analyst
--





-Original Message-
From: Michael Stone [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 27, 2000 9:46 AM
To: Nuno Faria
Cc: debian-security@lists.debian.org
Subject: Re: icmp: echo reply? Am I being attacked?


On Thu, Jul 27, 2000 at 01:15:13PM +0100, Nuno Faria wrote:
 Ranko Veselinovic [EMAIL PROTECTED] sent me privately the following
 e-mail which I think might be relevant for the issue in question:
 ___
 I'm not sure but I think when you send an ICMP ECHO-Request to a
 broadcast address that the whole network will answer with echo-replies.
 I think this is a kind of smurf-attack and the address where the replies
 were sent is the target of the attacker. You were just abused for this
 attack.

Yes, you've been used as a smurf amplifier. The best course of action is
to not route broadcast addresses. (I.e., packets going to .0 are blocked
at the router.) Another approach is to
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
on the Linux machines. (Try putting it in a startup script.) That will
keep them from replying to broadcast echoes.

-- 
Mike Stone





Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Nathan Valentine

* John Vivian ([EMAIL PROTECTED]) [000727 10:43]:
   Just a small correction: the broadcast address is
   (typically) .255, but a bit of experimentation has
   shown that pings to .0 and .255 result in the same
   response.  You would be best to block both.

I seem to remember reading somewhere that in the original
implementations of IP xxx.xxx.xxx.0 was a broadcast address.
I think the early BSDs worked this way. Sometime or another
everyone decided to use xxx.xxx.xxx.255, but I guess some
IP stacks still support both?

I wish I could remember where I read this so that I could
provide a pointer. TCP/IP Illustrated V2. has a small blurb
about accepting an IP address of all 1's or all 0's
as a broadcast, but it doesn't go into any detail or supply
any historical context.


-- 
---
Nathan Valentine - [EMAIL PROTECTED]
University of Kentucky Distributed Computing Systems Lab
AIM: NRVesKY ICQ: 39023424



Re: icmp: echo reply? Am I being attacked?

2000-07-27 Thread Nuno Faria
Thank you very much for your help. I will now contact the person in
charge of the local network and explain exactly what you have told me. I
had already reported this attack but they were unable to solve the
problem...

If this doesn't work I will try to block these ping broadcasts at the
local Unix/Linux machines like Michael Stone suggested.

Anyway, this list has won another subscriber and I will do my best to
learn as much as I can about Linux security so that I can also be of
some help to others.

Nuno Faria



icmp: echo reply? Am I being attacked?

2000-07-26 Thread Nuno Faria
Dear list members,

First of all let me state where I stand.

I've been using Linux (Debian) for one year now. During this year I've
learnt quite a lot but on the issue of network and security I'm a
complete newbie.

Now I think I have a security problem (although it is not exclusively
mine). The problem is as follows:

I am the administrator of three PCs in a local network. They all have
real IP addresses.

Sometimes, without any apparent reason, some of the computers in this
network start producing network traffic. I do netstat and there is no
indication of a network connection. I do tcpdump host machinename and I
get a series of:

17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply

not necessarily with the same machine address (bozzman.comesurfthe.net).
The increase in the network traffic can be as high as 50kB/s.

This is not a Debian or Linux specific problem as it also happens on
another machine running Digital Unix, but on the other hand, if I change
one of the PCs from Linux to Win NT4 the problem stops. It reappears when
I change it back to Linux.

Can you help me? Can you point me to some document I might read to find
information related to this subject?

Thanks in advance,

Nuno Faria



RE: icmp: echo reply? Am I being attacked?

2000-07-26 Thread John Vivian
From the looks of things, your computer (neural1.fe.up.pt) is being
pinged by the remote computer (bozzman.comesurfthe.net).  The output
you quoted in your e-mail is your computer's response to the ping.

A 'ping' consists of two types of ICMP packets; an echo-request,
and an echo-reply.

Take a look at the network traffic for echo-requests from the hosts
that your machine is sending the echo-reply to; you should see them.

I may be incorrect with this next statement (corrections anyone?), if
you do not see any echo-requests that correspond to the echo-replies
you are seeing, then it may be possible that someone has compromised
your machines.  This is probably not the case, though I can't say for
certain.  The bottom line is that if you see the echo-requests, then
mystery solved.  Otherwise, you may wish to post again with more
details.

Hope this helps.  Can anyone else provide more info?

--
John Vivian
Exxecom
Network Security Analyst
--





-Original Message-
From: Nuno Faria [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 26, 2000 2:42 PM
To: debian-security@lists.debian.org
Subject: icmp: echo reply? Am I being attacked?


Dear list members,

First of all let me state where I stand.

I've been using Linux (Debian) for one year now. During this year I've
learnt quite a lot but on the issue of network and security I'm a
complete newbie.

Now I think I have a security problem (although it is not exclusively
mine). The problem is as follows:

I am the administrator of three PCs in a local network. They all have
real IP addresses.

Sometimes, without any apparent reason, some of the computers in this
network start producing network traffic. I do netstat and there is no
indication of a network connection. I do tcpdump host machinename and I
get a series of:

17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply

not necessarily with the same machine address (bozzman.comesurfthe.net).
The increase in the network traffic can be as high as 50kB/s.

This is not a Debian or Linux specific problem as it also happens on
another machine running Digital Unix, but on the other hand, if I change
one of the PCs from Linux to Win NT4 the problem stops. It reappears when
I change it back to Linux.

Can you help me? Can you point me to some document I might read to find
information related to this subject?

Thanks in advance,

Nuno Faria





Re: icmp: echo reply? Am I being attacked?

2000-07-26 Thread Michel Verdier
John Vivian [EMAIL PROTECTED] wrote:

|   A 'ping' consists of two types of ICMP packets; an echo-request,
|   and an echo-reply.
| 
|   Take a look at the network traffic for echo-requests from the hosts
|   that your machine is sending the echo-reply to; you should see them.

It would be better to look for echo-requests addressed to neural1.fe.up.pt,
since the source address of the echo-requests could be forged.

|   I may be incorrect with this next statement (corrections anyone?), if
|   you do not see any echo-requests that correspond to the echo-replies
|   you are seeing, then it may be possible that someone has compromised
|   your machines.  This is probably not the case, though I can't say for
|   certain.  The bottom line is that if you see the echo-requests, then
|   mystery solved.  Otherwise, you may wish to post again with more
|   details.
| 
|   Hope this helps.  Can anyone else provide more info?

I do not know any other reason for echo-replies...

-- 
o-o

[EMAIL PROTECTED] (Michel Verdier)
http://www.chez.com/mverdier