DoS on ftp port

2002-05-21 Thread Brian Wilson



Just wondering if anyone else has seen this happen recently:
https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
  
We maxed out at about 10,000 flows/sec.  I'm currently going back through   
our argus logs and collecting a list of source hosts (all appear to be
spoofed of course).  In a 15 minute period we had 4.2 million unique hosts
pounding one of our servers.

The only reason I post this is that on some other off-campus machines I
maintain, I've seen an increase in ftp connections.  So, I was wondering
if this is some new worm, ddos, or something of that nature.  If anyone
would care to comment, I'm all ears.

Brian

-- 
Brian Wilson                     [EMAIL PROTECTED]
Network Analyst                  W: 919.513.3472
Communication Technologies       F: 919.513.1893
North Carolina State University  http://www.ncstate.net





Re: DoS on ftp port

2002-05-21 Thread Brian Wilson


On Tue, 21 May 2002, Brian Wilson wrote:

 
 
> Just wondering if anyone else has seen this happen recently:
> https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
>
> We maxed out at about 10,000 flows/sec.  I'm currently going back through
> our argus logs and collecting a list of source hosts (all appear to be
> spoofed of course).  In a 15 minute period we had 4.2 million unique hosts
> pounding one of our servers.
>
> The only reason I post this is that on some other off-campus machines I
> maintain, I've seen an increase in ftp connections.  So, I was wondering
> if this is some new worm, ddos, or something of that nature.  If anyone
> would care to comment, I'm all ears.

Oh, FYI.. 

This happened between 6 and 7 am EST this morning (5/21/2002).  Normal
traffic for us at this time is 50Mbps, but at this time it peaked out at
about 130Mbps.

Also, someone referred me to this:
http://www.dshield.org/port_report.php?port=21

Brian

-- 
Brian Wilson                     [EMAIL PROTECTED]
Network Analyst                  W: 919.513.3472
Communication Technologies       F: 919.513.1893
North Carolina State University  http://www.ncstate.net
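Brian's figures (flows per second, unique source hosts per 15-minute period, sources that never repeat) are the kind of summary a defender pulls out of flow records to tell a spoofed flood from ordinary load. The script below is an added example, not from the thread and not argus output: it reads a constructed CSV of flow records (start time, source, destination, port, protocol), buckets them into 15-minute windows, and flags a window as a likely spoofed flood when the flow rate is high and nearly every flow comes from a different source. The sample volumes are scaled well below the 4.2 million reported, and the thresholds in flag_spoofed_flood are assumptions to tune per site.

```python
"""Summarise flow records per fixed window (flow rate, unique sources,
unique-source ratio) and flag windows that look like a spoofed flood,
i.e. almost every flow arrives from a different, never-repeating source.
Added example, not from the thread; the record format is a constructed
CSV ('start_epoch,src,dst,dport,proto'), not argus output."""
from collections import defaultdict

WINDOW_S = 900  # 15-minute windows, matching the period in the report


def parse_flows(lines):
    """Parse CSV flow lines into tuples; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def summarize_windows(flows, window_s=WINDOW_S, dport=21):
    """Per-window statistics for flows to one destination port (ftp by default)."""
    buckets = defaultdict(list)
    for ts, src, _dst, port, _proto in flows:
        if port == dport:
            buckets[ts - ts % window_s].append(src)
    summary = {}
    for start, srcs in sorted(buckets.items()):
        uniq = len(set(srcs))
        summary[start] = {
            "flows": len(srcs),
            "flows_per_sec": len(srcs) / window_s,
            "unique_src": uniq,
            "unique_ratio": uniq / len(srcs),  # 1.0 means no source repeats
        }
    return summary


def flag_spoofed_flood(summary, min_flows_per_sec=10.0, min_unique_ratio=0.9):
    """Windows with both a high flow rate and (nearly) all-distinct sources.
    Thresholds are assumptions; tune them to the site's normal traffic."""
    return [
        start for start, st in summary.items()
        if st["flows_per_sec"] >= min_flows_per_sec
        and st["unique_ratio"] >= min_unique_ratio
    ]


def constructed_log():
    """Constructed sample: a quiet window with 50 repeat clients, then a
    window in which 20,000 flows each come from a different (spoofed) source."""
    lines = ["# start_epoch,src,dst,dport,proto  (constructed sample data)"]
    for i in range(1000):
        lines.append(f"{i % 900},192.0.2.{i % 50},203.0.113.10,21,tcp")
    for i in range(20000):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # all distinct
        lines.append(f"{900 + i % 900},{src},203.0.113.10,21,tcp")
    return lines


def run():
    """Summarise the constructed log and return (summary, flagged window starts)."""
    summary = summarize_windows(parse_flows(constructed_log()))
    return summary, flag_spoofed_flood(summary)


if __name__ == "__main__":
    summary, flagged = run()
    for start, st in summary.items():
        print(f"window {start:>5}: {st['flows']:>6} flows, "
              f"{st['flows_per_sec']:6.1f}/s, {st['unique_src']:>6} unique "
              f"(ratio {st['unique_ratio']:.2f})")
    print("flagged windows:", flagged)
```

The unique-source ratio is the useful signal here: a busy but legitimate ftp mirror sees the same clients over and over, while a spoofed flood shows a ratio near 1.0 with no repeats, which is exactly the "4.2 million unique hosts in 15 minutes" pattern Brian describes.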




Re: DoS on ftp port

2002-05-21 Thread Rob Thomas


Hi, Brian.

] https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html

There is a huge increase in FTP scanning as well as the building of
warez botnets.  The warez scanning is generally for anonymous FTP
servers with plentiful bandwidth, copious disk space, and generous write
permissions.  Yes, the folks behind these activities do test for all
three.  The warez botnet scanning is generally for Windows hosts
vulnerable to a cornucopia of sploits.  These machines are then infected
with a bot that will join a warez botnet.  These warez bots will then
respond to the commands issued in the channel.  Some of them even issue
helpful messages when you join the warez channel (real log snippet):

   To request a file type: /msg A send FILE

Sadly, some malware is more user friendly than commercial software.  :p

The tools to locate the anonymous FTP servers are automated, though they
are not worms.  The tools to spread the warez bots can have worm-like
behaviours.

Now about your flows...  It is very possible that you have a server that
has been tagged.  This server may be part of a distributed wareznet
serving up movies, MP3s, malware, pr0n, and other nasties.  If the
server(s) now part of the warez network have popular things on them, you
will take quite a beating on bandwidth.

By the way, several of the warez bots are also flooders, e.g. can be
used to packet victims.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);





Re: DoS on ftp port

2002-05-21 Thread David Charlap


Rob Thomas wrote:
 
> There is a huge increase in FTP scanning as well as the building of
> warez botnets.  The warez scanning is generally for anonymous FTP
> servers with plentiful bandwidth, copious disk space, and generous
> write permissions.  ...

One thing I know of that helps here is to make sure you never have a
single directory that is both readable and writeable to an anonymous
user.

In general, restrict writing to users with logins and passwords.  If you
must have an anonymous-write directory (like an incoming folder), make
sure that that directory is not also readable by anonymous users.

This probably won't eliminate all the abuse, but it should make it
impractical enough that the warez servers will probably start looking
elsewhere.

-- David



Re: DoS on ftp port

2002-05-21 Thread Anthony D Cennami


In addition to David's suggestion, you would also want to ensure that
newly created files are umasked unreadable as well.  Should the directory
be masked unreadable but still executable (which it must be to actually
enter it) users could still externally link to the files, even though
one could not view them in a directory listing.



[EMAIL PROTECTED] wrote:

> Rob Thomas wrote:
>
> > There is a huge increase in FTP scanning as well as the building of
> > warez botnets.  The warez scanning is generally for anonymous FTP
> > servers with plentiful bandwidth, copious disk space, and generous
> > write permissions.  ...
>
> One thing I know of that helps here is to make sure you never have a
> single directory that is both readable and writeable to an anonymous
> user.
>
> In general, restrict writing to users with logins and passwords.  If you
> must have an anonymous-write directory (like an incoming folder), make
> sure that that directory is not also readable by anonymous users.
>
> This probably won't eliminate all the abuse, but it should make it
> impractical enough that the warez servers will probably start looking
> elsewhere.
>
> -- David
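David's and Anthony's advice together amounts to three checks on an anonymous-ftp tree: no directory is both readable and writable by the anonymous account, the incoming drop box is search+write only (mode 733, so it can be entered but not listed), and files the server creates there are born unreadable via its umask, since a readable file in an unlistable directory can still be fetched by anyone who knows its name. The script below is an added example, not from the thread or any particular ftp daemon. It assumes a Unix-style server that runs anonymous sessions as an unprivileged account governed by the "other" permission bits; the directory tree it builds in a temporary location is constructed for illustration.

```python
"""Audit an anonymous-FTP tree for the two mistakes raised in the thread:
a directory that is both readable and writable by the anonymous user, and
uploads in a write-only drop box that were created readable (wrong umask).
Added example, not from the thread. Assumes a Unix-style FTP server whose
anonymous account's access is governed by the 'other' permission bits;
the tree built in demo() is constructed for illustration."""
import os
import stat
import tempfile

OTHER_R = stat.S_IROTH
OTHER_W = stat.S_IWOTH
OTHER_X = stat.S_IXOTH


def find_rw_anon_dirs(root):
    """Directories under root that 'other' can both list (r) and write (w)."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & OTHER_R and mode & OTHER_W:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def find_readable_uploads(incoming):
    """Files in a drop box that anonymous users could fetch by exact name,
    even when the directory itself cannot be listed (Anthony's point)."""
    hits = []
    for name in os.listdir(incoming):
        path = os.path.join(incoming, name)
        if os.path.isfile(path) and os.stat(path).st_mode & OTHER_R:
            hits.append(name)
    return sorted(hits)


def create_upload(incoming, name, umask):
    """Simulate the server creating an uploaded file under a given umask;
    returns the resulting permission bits (0o666 & ~umask)."""
    path = os.path.join(incoming, name)
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def harden_incoming(incoming):
    """Apply the advice: the drop box becomes write+search only for 'other'
    (mode 0733) and anything already uploaded loses its 'other' read bit."""
    os.chmod(incoming, 0o733)
    for name in os.listdir(incoming):
        path = os.path.join(incoming, name)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            os.chmod(path, mode & ~(OTHER_R | OTHER_X))


def demo():
    """Build a constructed ftp tree, audit it, harden it, audit again."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    pub = os.path.join(root, "pub")
    os.mkdir(pub); os.chmod(pub, 0o755)             # read-only area: fine
    upload = os.path.join(pub, "upload")
    os.mkdir(upload); os.chmod(upload, 0o777)        # readable AND writable: bad
    incoming = os.path.join(root, "incoming")
    os.mkdir(incoming); os.chmod(incoming, 0o777)    # drop box, still listable: bad
    lax = create_upload(incoming, "upload-lax.bin", 0o022)        # 0o644, fetchable
    strict = create_upload(incoming, "upload-strict.bin", 0o077)  # 0o600, not
    before = (find_rw_anon_dirs(root), find_readable_uploads(incoming))
    harden_incoming(incoming)
    os.chmod(upload, 0o755)                          # drop anonymous write here
    after = (find_rw_anon_dirs(root), find_readable_uploads(incoming))
    return {"lax_mode": lax, "strict_mode": strict, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

On a real server, point find_rw_anon_dirs at the ftp root and find_readable_uploads at the incoming directory; a non-empty result from either is a configuration to fix. The umask the daemon applies to uploads is the setting that keeps find_readable_uploads empty over time, since chmod after the fact only cleans up what has already landed.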






Re: DoS on ftp port

2002-05-21 Thread Stephen J. Wilcox



I saw a similar type of attack at the same time to one of my
customers..  not got all the details in yet, odd tho. If anyone knows more
will you CC me in case it's related,

Cheers

STeve


On Tue, 21 May 2002, Brian Wilson wrote:

 
> On Tue, 21 May 2002, Brian Wilson wrote:
>
> > Just wondering if anyone else has seen this happen recently:
> > https://uni01nf.unity.ncsu.edu/ncsu/usage/io-fps-service-daily.html
> >
> > We maxed out at about 10,000 flows/sec.  I'm currently going back through
> > our argus logs and collecting a list of source hosts (all appear to be
> > spoofed of course).  In a 15 minute period we had 4.2 million unique hosts
> > pounding one of our servers.
> >
> > The only reason I post this is that on some other off-campus machines I
> > maintain, I've seen an increase in ftp connections.  So, I was wondering
> > if this is some new worm, ddos, or something of that nature.  If anyone
> > would care to comment, I'm all ears.
>
> Oh, FYI..
>
> This happened between 6 and 7 am EST this morning (5/21/2002).  Normal
> traffic for us at this time is 50Mbps, but at this time it peaked out at
> about 130Mbps.
>
> Also, someone referred me to this:
> http://www.dshield.org/port_report.php?port=21
>
> Brian