Everyone - please disregard commenting to this message. I finally found out what is
going on here. The captures here are from a session of Veritas Backup Exec backing up
the Log data from the ISA server. Backup Exec runs on <Fileserver>. This was
originally unknown to me because the site admins told me that nothing, not even
Veritas, was running at the time of this incident. Running a major backup during peak
network usage is a sure formula for killing the file server!
-----Original Message-----
From: NT Security
Sent: Wed 9/18/2002 8:59 PM
To: [EMAIL PROTECTED]
Cc:
Subject: File server getting DoSd by forged packets???
Sorry for the length but this is a real problem to me!
I've spent a lot of time reading this forum but only recently, due to
budget cuts, been forced into a security position. And now I'm having a
BIG problem! One of my networks (NOT Knightworld.net!) has a file server
that is occasionally locking up, and it takes most of the network with
it. The whole network is slow until we reboot this machine. Sounds like
a DoS attack, but here's where my knowledge ends. I finally got a Netmon
capture of this incident. The File Server is being flooded with packets
from the MS ISA server. The pattern of these packets is very distinct, 1
frame from <Fileserver> to <ISA>, which has 40 length (20 header, 20
payload), followed by 2 or 3 frames from <ISA> to <Fileserver>. Each of
these frames is exactly 1500. Considering there were over 100,000 of
these frames in the space of 30 seconds, that's very odd!
On examining the payload of these frames, I can't discern anything in
the small frames. But the large frames (1500 length) have a very weird
payload, some of which I've copied at the bottom of this email. The
payload of these packets is HTTP header data. The source IP is something
in the 147.100.x.x range (this site switched from 147.100.x.x to a 10.x
scheme in July 2002). The date & timestamp are the strangest -
6/21/2002! This capture was taken Monday 9/16/2002. So I have to now
believe that someone captured legitimate packets in June, and is now
crafting packets and using them to DoS <fileserver>.
My questions:
What should I be looking for here? What tool is likely being used to do
this, and how can I find its source? My site is a technical college,
students store files on <fileserver> but I don't know what to look for
there. Any help is GREATLY appreciated. Please email me directly at
[EMAIL PROTECTED] if you would like to see additional packet
captures or receive more info.
000001E0 73 09 43 61 63 68 65 09 30 0D 0A 31 34 37 2E 31
s.Cache.0..147.1
000001F0 30 30 2E 32 2E 32 36 09 53 41 43 4E 45 54 5C 4A
00.2.26.SACNET\J
00000200 65 6E 6E 69 66 65 72 2E 42 72 65 77 73 74 65 72
ennifer.Brewster
00000210 09 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F
.Mozilla/4.0.(co
00000220 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36
mpatible;.MSIE.6
00000230 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35
.0;.Windows.NT.5
00000240 2E 30 29 09 32 30 30 32 2D 30 36 2D 32 31 09 31
.0).2002-06-21.1
00000250 39 3A 33 38 3A 33 38 09 53 41 43 49 53 41 09 2D
9:38:38.SACISA.-
00000260 09 70 61 67 65 73 2E 65 62 61 79 2E 63 6F 6D 09
.pages.ebay.com.