Hello people,

For a few days now our Internet system has been receiving Stack Overflow attacks using the domain and radius ports. One main rule of our firewall is DENY on the input queue of all packets coming from reserved IANA IP addresses. My system is kept busy receiving a tremendous amount of data, according to the following messages:

Oct 6 17:30:40 www kernel: Packet log: input DENY ppp0 PROTO=17 68.14.242.126:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=46 (#36)
Oct 6 17:30:40 www kernel: Packet log: input DENY ppp0 PROTO=17 80.247.74.3:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=50 (#48)
Oct 6 17:30:43 www kernel: Packet log: input DENY ppp0 PROTO=17 80.18.95.58:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=49 (#48)
Oct 6 17:30:43 www kernel: Packet log: input DENY ppp0 PROTO=17 80.247.64.18:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=50 (#48)
Oct 6 17:30:43 www kernel: Packet log: input DENY ppp0 PROTO=17 24.222.207.121:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=44 (#22)
Oct 6 17:30:44 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.160.2:53 212.147.15.189:32768 L=221 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:30:44 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.170.2:53 212.147.15.189:32768 L=174 S=0x00 I=0 F=0x4000 T=53 (#48)
Oct 6 17:30:45 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.162.4:53 212.147.15.189:32768 L=163 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:30:46 www kernel: Packet log: input DENY ppp0 PROTO=17 80.48.239.61:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:30:47 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.170.2:53 212.147.15.189:32768 L=114 S=0x00 I=0 F=0x4000 T=53 (#48)
Oct 6 17:30:52 www kernel: Packet log: input DENY ppp0 PROTO=17 80.18.95.58:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=49 (#48)
Oct 6 17:30:52 www kernel: Packet log: input DENY ppp0 PROTO=17 67.104.87.131:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=42 (#35)
Oct 6 17:30:53 www kernel: Packet log: input DENY ppp0 PROTO=17 219.55.112.42:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=44 (#66)
Oct 6 17:30:53 www kernel: Packet log: input DENY ppp0 PROTO=17 67.104.87.131:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=42 (#35)
Oct 6 17:30:54 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.162.4:53 212.147.15.189:32768 L=174 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:30:55 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.170.2:53 212.147.15.189:32768 L=163 S=0x00 I=0 F=0x4000 T=53 (#48)
Oct 6 17:30:56 www kernel: Packet log: input DENY ppp0 PROTO=17 67.115.4.90:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=50 (#35)
Oct 6 17:30:58 www kernel: Packet log: input DENY ppp0 PROTO=17 24.73.107.95:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=47 (#22)
Oct 6 17:30:59 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.173.194:53 212.147.15.189:32768 L=210 S=0x00 I=47289 F=0x0000 T=50 (#48)
Oct 6 17:31:00 www kernel: Packet log: input DENY ppp0 PROTO=17 80.86.109.50:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=47 (#48)
Oct 6 17:31:00 www kernel: Packet log: input DENY ppp0 PROTO=17 24.132.67.61:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=53 (#22)
Oct 6 17:31:01 www kernel: Packet log: input DENY ppp0 PROTO=17 24.129.182.30:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=46 (#22)
Oct 6 17:31:02 www kernel: Packet log: input DENY ppp0 PROTO=17 81.28.161.22:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:31:03 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.162.4:53 212.147.15.189:32768 L=114 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:31:04 www kernel: Packet log: input DENY ppp0 PROTO=17 24.72.25.217:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=52 (#22)
Oct 6 17:31:04 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.170.2:53 212.147.15.189:32768 L=163 S=0x00 I=0 F=0x4000 T=53 (#48)
Oct 6 17:31:04 www kernel: Packet log: input DENY ppp0 PROTO=17 67.105.93.55:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=40 (#35)
Oct 6 17:31:05 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.162.4:53 212.147.15.189:32768 L=163 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:31:05 www kernel: Packet log: input DENY ppp0 PROTO=17 67.104.87.131:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=42 (#35)
Oct 6 17:31:06 www kernel: Packet log: input DENY ppp0 PROTO=17 219.240.82.100:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=50 (#66)

How can I know these are Stack Overflow attacks? Look at the following data produced by tcpdump listening on the external device:

17:33:18.763388 PPPoE [ses 0x6c1] IP 71: host58-95.pool8018.interbusiness.it.radius > dapsys.com.radius: rad-#0 41 [id 0] Attr[ Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action
Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action 
Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Ter

and this is the data produced after 1 second!!

Now, I would like to get your help on the following questions:

a) IANA address

As you can see, my system is receiving data from IP addresses such as 24.73.107.95, 24.129.182.30, 24.132.67.61, 67.104.87.131, 80.67.162.4, 219.240.82.100

24.0.0.0/8 is IANA Cable Block
67.0.0.0/8 is IANA Reserved
80.0.0.0/8 is IANA Reserved
219.0.0.0/8 is IANA Reserved

traceroute to 24.73.107.95 (24.73.107.95), 30 hops max, 38 byte packets
 1 212.147.11.137 35.478 ms 32.825 ms 34.540 ms
 2 212.147.63.69 30.982 ms 34.721 ms 32.531 ms
 3 62.156.138.73 32.972 ms 36.202 ms 36.255 ms
 4 62.154.5.121 31.253 ms 34.462 ms 31.102 ms
 5 62.156.131.134 120.914 ms 120.406 ms 123.939 ms
 6 66.185.137.205 120.689 ms 125.349 ms 124.216 ms
 7 66.185.141.18 120.648 ms 125.378 ms 127.374 ms
 8 66.185.152.201 128.796 ms 131.407 ms 126.678 ms
 9 66.185.152.206 123.843 ms 125.346 ms 127.393 ms
10 66.185.152.28 133.947 ms 138.715 ms 138.934 ms
11 66.185.152.182 143.822 ms 137.208 ms 142.169 ms
12 66.185.152.181 145.552 ms 142.123 ms 155.229 ms
13 66.185.152.244 162.293 ms 156.926 ms 163.841 ms
14 66.185.136.162 160.081 ms 158.651 ms 160.625 ms
15 66.185.136.174 170.167 ms 175.389 ms 168.530 ms
16 * * *
17 * * *

traceroute to 219.240.82.100 (219.240.82.100), 30 hops max, 38 byte packets
 1 212.147.11.137 34.592 ms 32.609 ms 33.044 ms
 2 212.147.63.69 34.409 ms 32.784 ms 31.341 ms
 3 62.156.138.73 34.396 ms 31.302 ms 33.045 ms
 4 62.154.5.121 32.702 ms 33.020 ms 32.815 ms
 5 62.156.131.146 120.685 ms 118.937 ms 120.490 ms
 6 207.45.198.69 125.829 ms 123.960 ms 122.168 ms
 7 207.45.223.109 125.341 ms 136.149 ms 120.220 ms
 8 207.45.220.125 195.069 ms 191.832 ms 191.938 ms
 9 66.110.10.2 502.960 ms 526.428 ms 526.462 ms
10 210.180.97.9 660.385 ms 690.309 ms 678.758 ms
11 211.108.90.2 345.430 ms 347.800 ms 342.420 ms
12 211.117.1.86 345.635 ms 345.589 ms 349.322 ms
13 210.94.20.66 344.070 ms 362.607 ms 364.126 ms
14 * * *

and so on for other systems.

1. How can I determine that this data is coming from an unauthorized IP address, apart from the fact that the IP address feels incorrect?

2. Is there a way to validate incoming packets based on the Ethernet address, meaning that the first time we get a packet from an unknown IP address we use DNS or other tools to get the real IP and Ethernet address and compare them with the received ones?

b) Defending myself

My Internet system is kept busy receiving data which is immediately rejected.

1. What do you suggest as actions to tell these people to stop, other than calling the FBI and telling them I feel these are Ben Laden sites? That could be a very expeditious solution, as I feel they are able to send some B52s full of nuts.

Many thanks in advance for your help

E. Soriano

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body
of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
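Added example (editor's addition, not part of the original post and not code from the poster or the linux-net list): a small Python triage script for the ipchains "Packet log:" lines quoted in the message. It parses each DENY record into typed fields, counts records by source address, labels each datagram as RADIUS-port traffic or as a datagram shaped like a DNS reply to an ephemeral local port (source port 53, local port above 1023, which is what replies to this host's own resolver queries look like, so it is worth comparing with the resolver's outbound queries before treating it as hostile), and checks each source against the /8 blocks the post lists. The sample lines are copied from the post. The block list is taken from the post as written and is not verified here; allocations change, so a defender should check the current IANA IPv4 address space registry rather than hardcoding such a list. The port-to-protocol mapping (1812 RADIUS authentication, 53 DNS) and the field names (L=length, S=TOS, I=IP id, F=flags/fragment offset, T=TTL, (#n)=rule number) are my assumptions about the log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: five of the ipchains "Packet log:" lines quoted in the post.
SAMPLE_LOG = """\
Oct 6 17:30:40 www kernel: Packet log: input DENY ppp0 PROTO=17 68.14.242.126:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=46 (#36)
Oct 6 17:30:44 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.160.2:53 212.147.15.189:32768 L=221 S=0x00 I=0 F=0x4000 T=52 (#48)
Oct 6 17:30:52 www kernel: Packet log: input DENY ppp0 PROTO=17 80.18.95.58:1812 212.147.15.189:1812 L=69 S=0x00 I=0 F=0x4000 T=49 (#48)
Oct 6 17:30:59 www kernel: Packet log: input DENY ppp0 PROTO=17 80.67.173.194:53 212.147.15.189:32768 L=210 S=0x00 I=47289 F=0x0000 T=50 (#48)
Oct 6 17:31:05 www kernel: Packet log: input DENY ppp0 PROTO=17 67.104.87.131:1812 212.147.15.189:1812 L=88 S=0x00 I=0 F=0x4000 T=42 (#35)
"""

# The /8 blocks exactly as the post lists them. Assumption: copied from the post, not
# verified; allocations change, so consult the IANA IPv4 address space registry.
POSTER_LISTED_BLOCKS = [
    ipaddress.ip_network("24.0.0.0/8"),
    ipaddress.ip_network("67.0.0.0/8"),
    ipaddress.ip_network("80.0.0.0/8"),
    ipaddress.ip_network("219.0.0.0/8"),
]

# ipchains kernel log line. Field names are my reading of the format (assumption):
# L=total length, S=TOS, I=IP id, F=flags/fragment offset, T=TTL, (#n)=rule number.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

UDP = 17
DNS_PORT = 53
RADIUS_AUTH_PORT = 1812  # assumption: port 1812 is treated as RADIUS authentication


def parse_log(text):
    """Parse every matching line into a dict of typed fields; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            r[key] = int(r[key])
        frag = int(r["frag"], 16)
        r["df"] = bool(frag & 0x4000)  # Don't Fragment bit of the flags/offset word
        r["mf"] = bool(frag & 0x2000)  # More Fragments bit
        records.append(r)
    return records


def classify(rec):
    """Heuristic label for one denied datagram."""
    if rec["proto"] != UDP:
        return "non-udp"
    if rec["sport"] == DNS_PORT and rec["dport"] >= 1024:
        # Source port 53 to an ephemeral local port is the shape of a reply to a
        # query this host sent itself; compare with the resolver's outbound queries
        # before treating it as hostile.
        return "dns-reply-shaped"
    if rec["dport"] == RADIUS_AUTH_PORT:
        return "radius-auth-port"
    return "other-udp"


def listed_block(ip):
    """Return the listed /8 containing ip (as a string), or None if none matches."""
    addr = ipaddress.ip_address(ip)
    for net in POSTER_LISTED_BLOCKS:
        if addr in net:
            return str(net)
    return None


def summarize(text):
    """Aggregate the log into the counts a defender looks at first."""
    records = parse_log(text)
    return {
        "total": len(records),
        "by_class": dict(Counter(classify(r) for r in records)),
        "by_src": dict(Counter(r["src"] for r in records)),
        "by_block": dict(Counter(listed_block(r["src"]) or "unlisted" for r in records)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it summarizes the embedded sample; to triage a real log, feed the output of grep "Packet log:" on the syslog file to summarize(). The point of the split by class is that the two kinds of traffic in the post call for different follow-ups: source-port-53 datagrams to a high local port should be matched against the host's own outbound DNS queries (and the deny rule that catches them reviewed), while the 1812-to-1812 datagrams can be rate-checked per source and reported with the log excerpts to the originating networks' abuse contacts.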