
port 888 DoS?


Mike Tatroe

Mar 13, 2000
So, I come home briefly on Saturday and notice that my Linux box on a cable
modem has been getting hammered for an hour by udp packets hitting port 888.
Source IP according to iplog and portsentry, was 10.0.0.1. I dropped
both interfaces (eth0 - cable modem, eth1 - LAN) for about half an hour,
and when I brought them back up the attack had stopped.
I'm not running anything on port 888 and I don't see any evidence that I
was compromised. Anyone have an idea of what might have hit me? What/whoever
it was hasn't started up again.

--
"...How amazingly unlikely is your birth,
And pray that there's intelligent life somewhere up in space,
'Cause there's bugger all down here on Earth." --Eric Idle

Anthony Schlemmer

Mar 13, 2000
Mike Tatroe <elf...@hotblack.gweep.net> wrote:
> So, I come home briefly on Saturday and notice that my Linux box on a cable
> modem has been getting hammered for an hour by udp packets hitting port 888.
> Source IP according to iplog and portsentry, was 10.0.0.1. I dropped
> both interfaces (eth0 - cable modem, eth1 - LAN) for about half an hour,
> and when I brought them back up the attack had stopped.
> I'm not running anything on port 888 and I don't see any evidence that I
> was compromised. Anyone have an idea of what might have hit me? What/whoever
> it was hasn't started up again.

IP addresses in the 10.0.0.0/8 range are reserved and so you normally don't
see them externally, except perhaps when someone is trying to spoof where the
packets are coming from. It's a good idea to set up some ipchains rules on the
interface your cable modem is connected to, to drop incoming packets from the
following IP addresses at the very least:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
<YOUR_IP_ADDRESS>

I have heard of a few instances where some user has plugged their cable modem
directly into their hub and had internal systems using reserved IP
addresses which were then exposed publicly on the cable network.

> --
> "...How amazingly unlikely is your birth,
> And pray that there's intelligent life somewhere up in space,
> 'Cause there's bugger all down here on Earth." --Eric Idle

Tony

--
Anthony Schlemmer
asch...@home.com

k

Mar 13, 2000
On Mon, 13 Mar 2000 18:48:02 GMT, Anthony Schlemmer <asch...@home.com> wrote:

>IP addresses in the 10.0.0.0/8 range are reserved and so you normally don't
>see them externally, except perhaps when someone is trying to spoof where the
>packets are coming from. It's a good idea to set up some ipchains rules on the
>interface your cable modem is connected to, to drop incoming packets from the
>following IP addresses at the very least:

<snip>

@home uses the 10.0.0.0/8 netblock for their routers, iirc. i don't know
why they'd be sending packets to his udp port 888 though ..

Richard F. Jr.

Mar 13, 2000
From the RFC port listing, I have:

accessbuilder 888/tcp AccessBuilder
accessbuilder 888/udp AccessBuilder
# The following entry records an unassigned but widespread use
cddbp 888/tcp CD Database Protocol
# 889-899 Unassigned

The Trojan port list I have has no 888 listed... ?

My .02 $


"Mike Tatroe" <elf...@hotblack.gweep.net> wrote in message
news:95295785...@zarathud.3d.gweep.net...

> So, I come home briefly on Saturday and notice that my Linux box on a cable
> modem has been getting hammered for an hour by udp packets hitting port 888.
> Source IP according to iplog and portsentry, was 10.0.0.1. I dropped
> both interfaces (eth0 - cable modem, eth1 - LAN) for about half an hour,
> and when I brought them back up the attack had stopped.
> I'm not running anything on port 888 and I don't see any evidence that I
> was compromised. Anyone have an idea of what might have hit me? What/whoever
> it was hasn't started up again.

Mike Tatroe

Mar 13, 2000
Anthony Schlemmer spewed forth:

AS>IP addresses in the 10.0.0.0/8 range are reserved and so you normally don't
AS>see them externally, except perhaps when someone is trying to spoof where the
AS>packets are coming from. It's a good idea to set up some ipchains rules on the
AS>interface your cable modem is connected to, to drop incoming packets from the
AS>following IP addresses at the very least:

Yeah, I'm using 10.0.0.1 for eth1. But the LAN was shutdown at the time,
and the UDP hits continued even after I dropped eth1. Portsentry did a
/sbin/ipfwadm -I -i deny -S 10.0.0.1 -o and dropped that IP in
/etc/hosts.deny. I figured the IP was spoofed.

So, I should ipfwadm -I -i deny -S 10.0.0.0/8 -o ? That shouldn't affect
my LAN at all, should it?

Lee Sharp

Mar 13, 2000
Tatroe wrote in message <95295785...@zarathud.3d.gweep.net>...

|So, I come home briefly on Saturday and notice that my Linux box on a cable
|modem has been getting hammered for an hour by udp packets hitting port 888.
|Source IP according to iplog and portsentry, was 10.0.0.1. I dropped
|both interfaces (eth0 - cable modem, eth1 - LAN) for about half an hour,
|and when I brought them back up the attack had stopped.
|I'm not running anything on port 888 and I don't see any evidence that I
|was compromised. Anyone have an idea of what might have hit me? What/whoever
|it was hasn't started up again.

According to IANA, it is AccessBuilder, which may be a 3Com protocol. If
so, it could be a mistake, or someone trying to hack your router. <badly> :-)

Lee

--
SCSI is *NOT* magic. There are *fundamental technical reasons* why it is
necessary to sacrifice a young goat to your SCSI chain now and then. * Guns
are no more responsible for killing people than spoons are responsible for
making Rosie O'Donnell and Oprah Winfrey fat - I am speaking as an
individual, not as a representative of any company, organization or other
entity. I am solely responsible for my words.

Mike

k

Mar 13, 2000
On 13 Mar 2000 21:03:22 GMT, Mike Tatroe <elf...@hotblack.gweep.net> wrote:
>Yeah, I'm using 10.0.0.1 for eth1. But the LAN was shutdown at the time,
>and the UDP hits continued even after I dropped eth1. Portsentry did a
>/sbin/ipfwadm -I -i deny -S 10.0.0.1 -o and dropped that IP in
>/etc/hosts.deny. I figured the IP was spoofed.

>So, I should ipfwadm -I -i deny -S 10.0.0.0/8 -o ? That shouldn't affect
>my LAN at all, should it?

didn't you just say you're using 10.0.0.1? :) won't blocking that off
mean that you can't use it?

Anthony Schlemmer

Mar 14, 2000
I'm using ipchains and don't have any online man pages for ipfwadm on my
system anymore. Since you have two NICs, I suggest you block addresses
in the 10.0.0.0/8 range from coming in on whatever interface your cable
modem is connected to (eth0). That still leaves eth1 OK to accept packets from
your private network. Drawing on my poor memory, I think you could use the -V
flag and specify the IP address of your cable modem interface to set that up:

ipfwadm -I -i deny -V <IP_OF_CABLE_MODEM_INTERFACE> -S 10.0.0.0/8

Mike Tatroe <elf...@hotblack.gweep.net> wrote:
> Anthony Schlemmer spewed forth:

> AS>IP addresses in the 10.0.0.0/8 range are reserved and so you normally don't
> AS>see them externally, except perhaps when someone is trying to spoof where the
> AS>packets are coming from. It's a good idea to set up some ipchains rules on the
> AS>interface your cable modem is connected to, to drop incoming packets from the
> AS>following IP addresses at the very least:

> Yeah, I'm using 10.0.0.1 for eth1. But the LAN was shutdown at the time,
> and the UDP hits continued even after I dropped eth1. Portsentry did a
> /sbin/ipfwadm -I -i deny -S 10.0.0.1 -o and dropped that IP in
> /etc/hosts.deny. I figured the IP was spoofed.

> So, I should ipfwadm -I -i deny -S 10.0.0.0/8 -o ? That shouldn't affect
> my LAN at all, should it?

> --
> "...How amazingly unlikely is your birth,
> And pray that there's intelligent life somewhere up in space,
> 'Cause there's bugger all down here on Earth." --Eric Idle

--
Anthony Schlemmer
asch...@home.com
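The two points Anthony makes in this thread (drop the reserved source ranges and your own address on the cable-modem side; do it per interface so the LAN keeps working, which is k's objection to a blanket 10.0.0.0/8 deny) can be modelled in a few lines. The following is an added example written for this page, not code from any poster and not an ipfwadm or ipchains wrapper: it runs two policies over constructed log lines. The addresses (eth0 = 24.0.0.10 as the cable-modem side, eth1 = 10.0.0.1/24 as the LAN), the log format and the "LAN interface only accepts its own range" default are all assumptions for the example; real iplog/portsentry output looks different.

```python
"""Interface-scoped anti-spoofing filter, modelling the ipfwadm rules
discussed in the thread (added example, not code from any poster).

Assumptions (constructed for this example, not from the thread): external
interface eth0 with public address 24.0.0.10, LAN interface eth1 on
10.0.0.0/24, and a simplified "PROTO src:sport > dst:dport iface" log format.
"""
import ipaddress
import re
from collections import Counter

# Source ranges that should never arrive on the public-facing interface:
# the three RFC 1918 blocks plus loopback, as listed in the thread.
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed interface layout for the example.
EXTERNAL_IFACE, EXTERNAL_IP = "eth0", ipaddress.ip_address("24.0.0.10")
LAN_IFACE, LAN_NET = "eth1", ipaddress.ip_network("10.0.0.0/24")

# Constructed log lines: the port-888 hits from the thread, one packet that
# spoofs the host's own address, two normal LAN packets and one normal
# Internet packet.
SAMPLE_LOG = """\
UDP 10.0.0.1:31337 > 24.0.0.10:888 eth0
UDP 10.0.0.1:31337 > 24.0.0.10:888 eth0
UDP 24.0.0.10:4000 > 24.0.0.10:888 eth0
TCP 10.0.0.5:1025 > 10.0.0.1:22 eth1
UDP 10.0.0.7:1026 > 10.0.0.1:53 eth1
TCP 198.51.100.7:40000 > 24.0.0.10:80 eth0
"""

LINE_RE = re.compile(
    r"^(?P<proto>UDP|TCP) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<iface>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "iface": m["iface"],
    }


def is_bogon(addr):
    """True if addr falls in any range that must not appear as an external source."""
    return any(addr in net for net in BOGON_SOURCES)


def global_deny(pkt):
    """Model of `ipfwadm -I -i deny -S 10.0.0.0/8` with no interface given:
    the rule matches on every input interface, so LAN traffic is dropped too,
    and a packet forged with the host's own public address is not caught."""
    if pkt["src"] in ipaddress.ip_network("10.0.0.0/8"):
        return "DROP"
    return "ACCEPT"


def scoped_deny(pkt):
    """Model of the interface-scoped rule (`-V <cable modem IP>`): reserved and
    self-sourced packets are dropped only on the external interface, while the
    LAN interface keeps accepting its own private range."""
    if pkt["iface"] == EXTERNAL_IFACE:
        if is_bogon(pkt["src"]) or pkt["src"] == EXTERNAL_IP:
            return "DROP"
        return "ACCEPT"
    if pkt["iface"] == LAN_IFACE:
        # Assumed default: only the LAN's own range is expected on eth1.
        return "ACCEPT" if pkt["src"] in LAN_NET else "DROP"
    return "DROP"  # unknown interface: fail closed


def evaluate(log_text, policy):
    """Run a policy over log lines; return a Counter keyed by (iface, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        counts[(pkt["iface"], policy(pkt))] += 1
    return counts


if __name__ == "__main__":
    for name, policy in (("global 10/8 deny", global_deny), ("scoped deny", scoped_deny)):
        print(f"{name}: {dict(evaluate(SAMPLE_LOG, policy))}")
```

Running it shows the difference the -V scoping makes: the blanket deny kills both LAN packets on eth1 and still lets the packet spoofing 24.0.0.10 through, while the scoped policy drops all three bad eth0 packets and accepts the LAN traffic untouched.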

Mike Tatroe

Mar 14, 2000
Richard F. Jr. spewed forth:
RFJ># The following entry records an unassigned but widespread use
RFJ>cddbp 888/tcp CD Database Protocol
RFJ># 889-899 Unassigned


Now that's interesting. I knew about the accessbuilder, but I didn't
know about cddbp. I use xmcd, which uses cddb. It wasn't running
at the time though. And they were UDP packets, not TCP packets.
Maybe there's a connection. At any rate, thanks for all the help folx.
