Possible UDP-flood?

Ragwing · July 3, 2008, 3:50pm

CFP 3 blocked everything, so I don’t need to worry. I could have blocked the IP, but I felt like seeing how far he/she would go.

http://img388.imageshack.us/img388/2185/n00bsp3.png

http://img55.imageshack.us/img55/919/noob2qz1.png

I only use one port for incoming traffic (uTorrent), and it’s not port 1031.

WHOIS shows this:

OrgName: Georgetown University OrgID: GEORGE-8 Address: 37th and O Streets, NW City: Washington StateProv: DC PostalCode: 20057 Country: US
NetRange: 141.161.0.0 - 141.161.255.255
CIDR: 141.161.0.0/16
NetName: GEORGETOWN-NET
NetHandle: NET-141-161-0-0-1
Parent: NET-141-0-0-0-0
NetType: Direct Assignment
NameServer: PDNS1.ULTRADNS.NET
NameServer: PDNS2.ULTRADNS.NET
NameServer: PDNS3.ULTRADNS.ORG
NameServer: PDNS4.ULTRADNS.ORG
NameServer: PDNS5.ULTRADNS.INFO
NameServer: PDNS6.ULTRADNS.CO.UK
Comment:
RegDate: 1990-07-31
Updated: 2008-07-01

OrgAbuseHandle: UISO-ARIN
OrgAbuseName: University Information Security Officer
OrgAbusePhone: +1-202-687-3611
OrgAbuseEmail: abuse@georgetown.edu

OrgNOCHandle: CNA36-ARIN
OrgNOCName: Chief Network Architect
OrgNOCPhone: +1-202-687-3611
OrgNOCEmail: eets-eae@georgetown.edu

OrgTechHandle: CNA36-ARIN
OrgTechName: Chief Network Architect
OrgTechPhone: +1-202-687-3611
OrgTechEmail: eets-eae@georgetown.edu

ARIN WHOIS database, last updated 2008-07-02 19:10

Enter ? for additional hints on searching ARIN’s WHOIS database.

Logs attached in case someone’s interested 88)

Any idea about this?

Cheers,
Ragwing

[attachment deleted by admin]

riggers · July 3, 2008, 10:12pm

Any idea how they bypassed your router rag?

kail · July 3, 2008, 10:17pm

Rag, do you use PeerGuardian? I ask, since I think George Town Uni is one of PG’s List mirrors.

Kyle142 · July 4, 2008, 10:58am

Wow that’s weird. I have had the same for quite a while now, I’ll post a picture. I’ve tried deleting previous entries of " Windows operating system "

Edit: I noticed that UDP and the IP address being 192.168.1.254 ← That’s the address of my router.

[attachment deleted by admin]

Ragwing · July 4, 2008, 5:41pm

No, I don’t have any idea.
I have SPI (Stateful Packet Inspection) enabled, and some option called DOS protection or something.
Still, I can’t be sure it was a DOS-attack, but it looks very suspicious with 2000+ blocked intrusions from a single IP.

No, I don’t use it. And shouldn’t PeerGuardian use port 80 or something for updating?

Cheers,
Ragwing

Ehgreg · July 4, 2008, 7:02pm

Disable the ssdp and upnp services. What version of msn menssenger are you using ?

grue155 · July 4, 2008, 7:33pm

Weird. You got a good one here.

First up, remember that CFP isn’t showing you the entire log. It’s giving you a representation of the log, with duplicates and near duplicates removed. If you’re seeing 2k entries displayed, you’ve probably got 5x times that in the raw log.

And, second, UDP is very easy to spoof. The actual sending IP can be just about anything. There’s no handshake like there is in TCP. Not that TCP can’t be spoofed, but it is a whole lot harder.

I’ll presume that you’re not using the factory defaults for router passwords, per topic elsewhere.

The suggestion to turn off UPnP is a good one. I don’t know if a browser reflection attack on UPnP is possible, but I wouldn’t discount the possibility.

Have you taken any packet captures with Wireshark or some other network monitor?

Kyle142 · July 5, 2008, 2:26am

Hey, I turned off UPnP at the router, shortly after firewall alert poped up, Windows operating system was trying to connect, I didn’t allow it. I’ll try out wireshark now and get back to you. Thanks for the help

Ehgreg · July 5, 2008, 4:32am

I’ve gotten alot of blocked Icmp entries in log but thats just my router pinging me. Source port (type 8 ) > destination port (code 0) . Thats just cause I left the default global setting for now. I don’t have anyone on the LAN . When I did, I never shared anything with my brother. I’m behind NAT/router. I swear he caused me to be Dos’d but that was awhile back. Your ICMP code is different tho.

grue155 · July 5, 2008, 1:49pm

Your router is pinging you? A ping (ICMP 8.0, as you show) from a router is manual operation, and not something a router does on its own. A router uses arp, not ping, to find things. This doesn’t sound right, or good, or both.

What kind of router, make & model?

Kyle142 · July 5, 2008, 2:25pm

after disabling UPnP in the router, everything is fine Thankyou

rhgtyink · July 5, 2008, 4:51pm

I think there are a few possibles here.

you have an application that connects/connected with the host on port 23400, you application crashed and the system doesn’t know where to leave the packets (seen this before, also with Kerio Firewall).
this is something like http://www.cyberciti.biz/tips/howto-linux-iptables-bypass-firewall-restriction.html skype uses, send a packet out to “confuse” the non stateful firewall (simple router).
there has been an increased scan on port 1031 udp see Port 1031 (tcp/udp) Attack Activity - SANS Internet Storm Center
but based on the timestamps your not in the peak range.

system · July 5, 2008, 4:59pm

Same for me sometimes, but I’ve the feeling that it was only when I’m on MSN(stealth my ports to everyone and behind a router)

http://img89.imageshack.us/img89/3457/icmpbb8.th.jpg

rhgtyink · July 5, 2008, 5:24pm

This is not the “normal ping” icmp echo/reply but a message telling you pc you are trying to connect to a port that is unreachable (icmp 3/3) or a host 3/1 (the top message). So you have outgoing traffic to a system that’s not listening on that port then it should send you this message telling you it is not available.
So it’s nothing to worry about, if you don’t like this to mess up your logging make a global deny rule without logging.

see Internet Control Message Protocol (ICMP) Parameters for the complete list of icmp Types and Codes.
Or check the RFC on RFC 792 - Internet Control Message Protocol (RFC792)

3 Destination Unreachable [RFC792]

Codes
        0  Net Unreachable                            [RFC792]
        1  Host Unreachable                           [RFC792]
        2  Protocol Unreachable                       [RFC792]
        3  Port Unreachable                           [RFC792]
        4  Fragmentation Needed and Don't             [RFC792]
           Fragment was Set                           [RFC792]
        5  Source Route Failed                        [RFC792]
        6  Destination Network Unknown                [RFC1122]
        7  Destination Host Unknown                   [RFC1122]
        8  Source Host Isolated                       [RFC1122]
        9  Communication with Destination             [RFC1122]
           Network is Administratively Prohibited    
       10  Communication with Destination Host is     [RFC1122]
           Administratively Prohibited
       11  Destination Network Unreachable for Type   [RFC1122]
           of Service
       12  Destination Host Unreachable for Type of   [RFC1122]
           Service
       13  Communication Administratively Prohibited  [RFC1812]
       14  Host Precedence Violation                  [RFC1812]
       15  Precedence cutoff in effect                [RFC1812]

grue155 · July 5, 2008, 6:10pm

So it's nothing to worry about, if you don't like this to mess up your logging make a global deny rule without logging.

ICMP 3.1 and 3.3 are the more common error conditions that get reported, and blocking those can make surfing slow down to a crawl while fetches go thru a packet timeout. I’ve found it to usually be better to make Global Rules to accept ICMP 3.1 and 3.3 so the applications get the “sorry, no one home right now” instead of waiting.

Ehgreg · July 5, 2008, 6:36pm

Ah I made a mistake. Type 8 from the router is ‘Echo’ and the host code 0 would be ‘net unreachable’ ? Is that right ? If left that way it would slow down browsing ?

grue155 · July 5, 2008, 6:46pm

Nope, you had it right. CFP logging shows ICMP information a little differently.

ICMP packets are a type, and a code within that type. A type 8 (an “echo request”, better known as a ping), does not have any codes or subtypes. So a zero is used as a placeholder. So you get an ICMP 8.0.

CFP logging puts the type in the source port, and the subtype code into the destination port.

Note that the zero code for the ICMP subtype does not mean “any” or “none”. For example, ICMP 3.0 has a very special meaning, as does 5.0. It’s the case for ICMP 8, that the zero is used as a placeholder. It’s just the way things got defined way back when.

Ehgreg · July 5, 2008, 7:11pm

Thx Grue

Ragwing · July 6, 2008, 5:56pm

I don’t think that’s the case, as I was only browsing. If this was the reason for why, the destination port should’ve been 80 or 443.
Also, I’ve never ever seen more blocked intrusions than about 10 in one day or something.

But I believe a port scan would’ve had one blocked entry for each port, and not only port 1031?

Cheers,
Ragwing

rhgtyink · July 6, 2008, 6:34pm

It could be sending different probes to the same port overtime to “detect” the os version and such.
Or the exploit could take a sequence of packets for the “attack” to be successful.

that way you are seeing a lot of log entries from the same server, however keeping the source port the same is suspicious, i would suspect a incrementing source port. A tcpdump could be very interesting to investigate.

as for option 3 i didn’t suggest a port scan, a increased scan specific for port 1031 vulnerabilities. (:WIN)