
Thread: My network is DDOS-ing, could use a little help please

  1. #1
    Senior Member | Join Date: Jan 2003 | Posts: 274

    My network is DDOS-ing, could use a little help please

    So the background....

    My network is as slow as pond water and MRTG shows a HUGE spike in outbound traffic.
    Debugging ip packet detail on the routers doesn't show anything unusual, and my ACL's are not taking massive hits (like they did when Welchia went wild) so I span the port on my switch that connects to my router and hook up my laptop to it to do an ethereal capture. My poor router is taking about 10000 packets per second from my LAN. When I sort the traffic I see that I have what appears to be dozens of addresses sourced from outside my network SYN flooding two sites. Fortunately, all the SYNs are coming from the 4000 range, so I quickly write an ACL blocking tcp 4000 - 4999. By monitoring the ACL's, and with some help from my interns unplugging patch cords one at a time while I watch the ACL we isolate it to three machines that are sending all this traffic. Those machines are currently unplugged from the network.

    So it appears to me that I have some sort of infection that is creating embryonic TCP connections to two pre-determined sites. It also appears that this infection is spoofing its source address, and changing that source several times per second. All three machines have the most recent Symantec DAT files on them, and all three turned up clean in a virus scan performed this morning. Now it's time to really start digging. It is my hope that someone here might be able to point me in the right direction to find what is causing this.

    Thanks,
    TK
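The triage described in the post (span the uplink, capture, sort the SYNs, then find which machines are really sending them) can be scripted. The following is an added example, not the poster's script or anything from the thread: it reads a tab-separated export of the shape `tshark -T fields -e eth.src -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags` produces (that field layout is an assumption), groups bare SYNs by the Ethernet source address, and flags any station that sends SYNs under many different IP source addresses. The point is that a spoofed IP header still rides in a frame whose source MAC is the real host, so on a span port that sees the LAN segment directly the MAC identifies the machine without unplugging patch cords. The sample records, MACs, IPs and thresholds below are constructed.

```python
"""Spot an outbound SYN flood with spoofed source IPs in a span-port capture.

Added example, not code from the thread. Input is a tab-separated export
with the columns eth.src, ip.src, ip.dst, tcp.srcport, tcp.dstport,
tcp.flags (assumed layout). The sample below is constructed: two stations
spray SYNs with random source IPs at two targets; a third station completes
a normal handshake to the same port.
"""
from collections import Counter, defaultdict

SAMPLE = """\
00:0c:29:aa:bb:01\t203.0.113.9\t198.51.100.20\t4001\t80\t0x0002
00:0c:29:aa:bb:01\t192.0.2.77\t198.51.100.20\t4002\t80\t0x0002
00:0c:29:aa:bb:01\t198.18.4.4\t198.51.100.21\t4003\t80\t0x0002
00:0c:29:aa:bb:01\t203.0.113.250\t198.51.100.21\t4004\t80\t0x0002
00:0c:29:aa:bb:02\t192.0.2.5\t198.51.100.20\t4500\t80\t0x0002
00:0c:29:aa:bb:02\t10.99.1.1\t198.51.100.21\t4501\t80\t0x0002
00:0c:29:aa:bb:02\t172.20.3.3\t198.51.100.20\t4502\t80\t0x0002
00:0c:29:aa:bb:03\t10.1.1.50\t198.51.100.20\t1045\t80\t0x0002
00:0c:29:aa:bb:03\t10.1.1.50\t198.51.100.20\t1045\t80\t0x0010
00:0c:29:aa:bb:03\t10.1.1.50\t198.51.100.20\t1045\t80\t0x0018
"""

SYN = 0x02
ACK = 0x10


def parse_records(text):
    """Turn the tab-separated export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, sip, dip, sport, dport, flags = line.split("\t")
        records.append({
            "mac": mac, "src": sip, "dst": dip,
            "sport": int(sport), "dport": int(dport),
            "flags": int(flags, 16),
        })
    return records


def analyse(records, min_syns=3, min_spoofed_srcs=3):
    """Group bare SYNs (SYN set, ACK clear) by Ethernet source.

    A station is a suspect when it sends at least `min_syns` bare SYNs
    carrying at least `min_spoofed_srcs` distinct IP source addresses;
    one NIC with one address never does that legitimately.
    """
    syns = Counter()
    sources = defaultdict(set)
    sports = defaultdict(list)
    targets = defaultdict(Counter)
    for r in records:
        if r["flags"] & SYN and not r["flags"] & ACK:
            syns[r["mac"]] += 1
            sources[r["mac"]].add(r["src"])
            sports[r["mac"]].append(r["sport"])
            targets[r["mac"]][r["dst"]] += 1
    suspects = {}
    for mac, count in syns.items():
        if count >= min_syns and len(sources[mac]) >= min_spoofed_srcs:
            suspects[mac] = {
                "syn_count": count,
                "spoofed_sources": len(sources[mac]),
                "sport_range": (min(sports[mac]), max(sports[mac])),
                "targets": dict(targets[mac]),
            }
    return suspects


def acl_lines(suspects, acl_number=150):
    """Cisco IOS extended ACL covering the observed source-port range.

    A stop-gap like the poster's 4000-4999 block, derived from the data
    instead of guessed; apply it inbound on the LAN-facing interface.
    """
    if not suspects:
        return []
    lo = min(s["sport_range"][0] for s in suspects.values())
    hi = max(s["sport_range"][1] for s in suspects.values())
    return [
        f"access-list {acl_number} deny tcp any range {lo} {hi} any log",
        f"access-list {acl_number} permit ip any any",
    ]


if __name__ == "__main__":
    found = analyse(parse_records(SAMPLE))
    for mac, info in found.items():
        print(mac, info)
    print("\n".join(acl_lines(found)))
```

The MAC trick only works where the span port sees the stations' own frames; if the flood crosses an internal router first, the source MAC is the router's and you are back to per-segment captures. The source-port ACL is a stop-gap that buys time and shows hit counts, not a fix, since the next variant can pick different ports.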

  2. #2
    Senior Member | Join Date: Apr 2004 | Posts: 1,024
    Sounds like someone either got into your network and unleashed something they made themselves or someone already inside your network unleashed a homebrew... I would say see what all is running on the 3 boxes you took off. Use netstat and fport to see what all is trying to access the network.
    [H]ard|OCP <--Best hardware/gaming news out there--|
    pwned.nl <--Gamers will love this one --|
    Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.

  3. #3
    Senior Member | Join Date: Jun 2004 | Posts: 460
    It could also be a zombie-type IRC timebomb DDoS attack... Have you tried doing a port scan, e.g. computer 1 to computer 2? Just because Norton doesn't pick it up doesn't mean it's not a virus; it could be a brand new one that is not in the DATs yet...
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
    I have a catapult. Unless you give me all your money, I will hurl a huge rock at your head.

  4. #4
    Trumpet-Eared Gentoo Freak | Join Date: Jan 2003 | Posts: 992
    TK !!!

    Sup man? Sorry to bash in the thread here, but I gotta say hello.
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  5. #5
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Is there any significance in the Targets themselves.... Is it like the FBI for example or are they "nothing" IP's out there?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member | Join Date: Jan 2003 | Posts: 274
    The sites we are DDOS-ing don't seem to be very significant. They are both art suppliers: e-businesses dealing in prints, posters, clip-art, etc. As for the (presumably) spoofed IPs we're using, the first few I tried to investigate, and they seem to be randomly generated addresses. I stopped chasing that one down a while ago to focus on trying to figure out what it is that is hitting us.

    I thought that with the three machines offline the building was clean, but then I saw the same thing happen again. I figured that someone must have turned on their machine that had been off previously. Well, after running around trying to make sure that everyone's machine is on, it seems to have stopped spontaneously. Freakin' great. Sure not making it easy for me to track down. Even my Fluke OneTouch plugged into the spanned port is not reporting anything as a top talker. Presumably because it is only sending SYNs with a bogus IP that can't be reached with an ACK.

    Anyway, still trying to chase down the ghosts in my machines. Thanks for the help.

    And shrekkie.....how you doing buddy?

    TK

  7. #7
    Senior Member | Join Date: Jan 2003 | Posts: 274
    Update....

    Found a fourth machine exhibiting the same behavior. A little digging through the AV logs shows that all of them had previously had a W32.Gaobot infection. The logs report that the viruses were successfully gotten rid of; however, it would appear that someone managed to get something else in with it. I'm looking for evidence of the IRC channel Gaobot opens on those four boxes as we speak.

  8. #8
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Have you run FPort yet when this thing is running?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member | Join Date: Jan 2003 | Posts: 274
    Yes, I've run fport. It doesn't identify the service.

    I have some open ports (blocked now), but I didn't learn anything that I didn't find out from netstat -a.

  10. #10
    Senior Member | Join Date: Jan 2003 | Posts: 274
    Alright, more update.

    Tracked down an infected machine and found what was causing the SYN flood. It was netmon.exe*.pf. Deleting the prefetch stopped the SYN attack. Tied that into a service called 'network client'. Stopping and starting the service stops and starts the flood.

    Did a bunch of googling and the only thing I could find that actively infects netmon.exe is w32.mimail, which this doesn't appear to be.
    Anyway, long story short, I've sent a copy of the executable to symantec, and maybe we'll find out what it is soon.
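The netmon.exe*.pf entry found above is a Windows Prefetch file, and a prefetch file is worth reading before it is deleted: it records the executable's name, how many times it ran, when it last ran, and the full paths of the files it touched in its first seconds, which is exactly where an IRC bot's configuration or a DLL dropped in a temp directory would show up. The following is an added example, not code from the thread or from Symantec: a parser for the XP/2003 prefetch layout (format version 17, the only version it handles), exercised against a minimal prefetch file constructed in memory. The executable name, file list, timestamp, run count and hash value in the sample are all assumptions.

```python
"""Parse a Windows XP/2003 (format version 17) Prefetch file.

Added example, not code from the thread. Prefetch files live in
%SystemRoot%\\Prefetch\\NAME-HASH.pf; the header gives the executable name,
last run time and run count, and section C lists every file the process
touched early in its run. The sample file is constructed in memory and
every value in it is an assumption. Only version 17 is handled.
"""
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 17        # Windows XP / Server 2003
HEADER_LEN_V17 = 0x98     # 84-byte common header + 68-byte v17 file information
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_prefetch_v17(data):
    version, sig, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if sig != PF_SIGNATURE:
        raise ValueError("not a prefetch file")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version {version}")
    # 0x10: executable name, UTF-16LE in a fixed 60-byte field
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    # v17 file information: 0x64 offset and size of the filename-strings
    # section, 0x78 last-run FILETIME, 0x90 run count
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    strings = data[strings_off:strings_off + strings_len].decode("utf-16-le")
    return {
        "executable": exe,
        "hash": pf_hash,
        "size": size,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "files": [s for s in strings.split("\x00") if s],
    }


def files_outside(parsed, trusted_prefixes):
    """Referenced files that do not live under a trusted directory."""
    prefixes = tuple(p.upper() for p in trusted_prefixes)
    return [f for f in parsed["files"] if not f.upper().startswith(prefixes)]


def build_sample_prefetch(exe, files, last_run, run_count):
    """Build a minimal well-formed v17 file (constructed test data)."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    hdr = bytearray(HEADER_LEN_V17)
    struct.pack_into("<I4sII", hdr, 0, PF_VERSION_XP, PF_SIGNATURE, 0x0F,
                     HEADER_LEN_V17 + len(strings))
    name = exe.encode("utf-16-le")[:58]
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x4C, 0x2C7B9DB1)  # placeholder hash (assumption)
    struct.pack_into("<II", hdr, 0x64, HEADER_LEN_V17, len(strings))
    struct.pack_into("<Q", hdr, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr) + strings


# Constructed sample: a netmon.exe that loaded one DLL from a temp directory.
SYSTEM_DIR = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\"
SAMPLE_FILES = [
    SYSTEM_DIR + "SYSTEM32\\NTDLL.DLL",
    SYSTEM_DIR + "SYSTEM32\\KERNEL32.DLL",
    SYSTEM_DIR + "SYSTEM32\\NETMON.EXE",
    SYSTEM_DIR + "SYSTEM32\\WS2_32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\DOCUME~1\\USER\\LOCALS~1\\TEMP\\UNKNOWN.DLL",
]
SAMPLE_LAST_RUN = datetime(2004, 9, 14, 13, 5, 0, tzinfo=timezone.utc)
SAMPLE_PF = build_sample_prefetch("NETMON.EXE", SAMPLE_FILES, SAMPLE_LAST_RUN, 42)

if __name__ == "__main__":
    info = parse_prefetch_v17(SAMPLE_PF)
    print(info["executable"], info["run_count"], info["last_run"])
    for path in files_outside(info, [SYSTEM_DIR]):
        print("outside system dir:", path)
```

Two things to check on a real file: the hash in the file name is derived from the executable's full path, so a NETMON.EXE-xxxxxxxx.pf whose hash does not match the legitimate %SystemRoot%\system32\netmon.exe means a second binary of the same name ran from somewhere else; and any path in the file list under a temp or profile directory is the first place to look for what the service loaded. Copy the .pf out before deleting it.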
