[8574] in bugtraq


Denial of service in mibiisa? Possible "newsmurf"?

daemon@ATHENA.MIT.EDU (Erik Parker)
Mon Nov 16 22:37:24 1998

Date: 	Mon, 16 Nov 1998 14:25:11 -0600
Reply-To: Erik Parker <netmask@303.ORG>
From: Erik Parker <netmask@303.ORG>
To: BUGTRAQ@NETSPACE.ORG

Today one of our networks was almost destroyed by an attack,
which appeared to affect SNMP, and was machine specific. Packets
came into one of our machines, and dropped the network. We called our
upstream, and they told us that 100% of our T3 was filled. On an average
day we use maybe 15M, but it was maxing it to 45. After not being able
to get any response from the machine, and unplugging the ethernet,
we could log in via console, and noticed "mibiisa" was running using 98%
CPU usage.

We run the command with "mibiisa -p 32811"

Our upstream thought it was a smurf, however a smurf wouldn't have
attacked just snmp. From just the small amount of logs that they sent
us, there were 203 unique hosts that sent the attack. Logs looking like
this:

Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted tcp
1.1.1.1(0) -> 0.0.0.0(0), 1 packet


I had heard that there were alterations of the "smurf" attack, but
could this be one of them?


*---------------------*
| Erik Parker         |
| netmask@303.org     |
| IDC NetOps          |
*---------------------*
                 |
        *--------------------------------*
        |  http://www.303.org/           |
        |  ICQ # 9780056                 |
        |  talk netmask@spiff.idir.net   |
        *--------------------------------*
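
An added example, not part of the original post: a Python sketch for triaging router ACL log entries in the format quoted above, counting unique source hosts and packets per destination, protocol and port. The log lines are constructed with documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post; addresses are from
# documentation ranges, not data from the incident. Entries may wrap across
# two lines, as the one in the post does.
SAMPLE_LOG = """\
Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted tcp
192.0.2.10(0) -> 198.51.100.5(0), 1 packet
Nov 16 13:15:28: %SEC-6-IPACCESSLOGP: list 105 permitted udp 192.0.2.11(1034) -> 198.51.100.5(161), 4 packets
Nov 16 13:15:29: %SEC-6-IPACCESSLOGP: list 105 permitted udp
192.0.2.12(1050) -> 198.51.100.5(161), 2 packets
Nov 16 13:15:29: %SEC-6-IPACCESSLOGP: list 105 permitted udp 192.0.2.11(1034) -> 198.51.100.5(161), 7 packets
Nov 16 13:15:30: %SEC-6-IPACCESSLOGP: list 105 denied udp 192.0.2.13(53) -> 198.51.100.9(32811), 1 packet
"""

ENTRY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_entries(text):
    """Yield one dict per log entry, rejoining entries wrapped over two lines."""
    flat = re.sub(r"\s*\n\s*", " ", text)
    for m in ENTRY.finditer(flat):
        entry = m.groupdict()
        for key in ("sport", "dport", "count"):
            entry[key] = int(entry[key])
        yield entry

def summarize(text):
    """Map (dst, proto, dport) to (unique source count, total packets)."""
    sources, packets = {}, Counter()
    for e in parse_entries(text):
        target = (e["dst"], e["proto"], e["dport"])
        sources.setdefault(target, set()).add(e["src"])
        packets[target] += e["count"]
    return {t: (len(s), packets[t]) for t, s in sources.items()}

if __name__ == "__main__":
    for (dst, proto, dport), (hosts, pkts) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst} {proto}/{dport}: {hosts} unique sources, {pkts} packets")
```

Grouping by destination, protocol and port separates traffic aimed at a single service on a single host from traffic spread across a network, which is the distinction the post is asking about.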
