[LINK] DOS attacks for 24 hours
Craig Sanders
cas at taz.net.au
Sat Jun 16 13:24:06 AEST 2012
On Sat, Jun 16, 2012 at 12:41:38PM +1000, Jan Whitaker wrote:
> Note the point about 'any typical DoS attack evidence', when the
> router itself is reporting that they are DOS attacks.
your router is "reporting" that because once upon a time there was a
known attack against Cisco's Unified Call Manager which involved sending
a malformed packet to UDP port 8500. this was known about and fixed in
2007.
the URL someone else posted mentions this.
http://www.speedguide.net/port.php?port=8500
*** THIS DOES NOT MEAN THAT ALL PACKETS DESTINED FOR UDP 8500 ARE PART
OF A DENIAL OF SERVICE ATTACK ***
in short, your router's "report" is full of shit - making a definitive
statement about something that is only a possibility. and a remote,
unlikely possibility at that...that would only affect you if you
happened to be running an ancient piece of cisco telephony gear that
happened to still be vulnerable to an exploit that was patched over 5
years ago.
this highlights a fundamental problem with reporting things to people
who don't know how to interpret them: they are extremely likely to
misinterpret them.
unless the volume of packets is sufficient to significantly affect your
internet connection (e.g. download speed) or is causing problems for
the machine which ends up receiving the udp:8500 packets then the only
thing worth doing is:
1. (optional) block incoming traffic to udp port 8500 on your router
2. ignore it and get on with your life.
any computer connected to the internet will get a continuous stream of
strange and unusual packets, mostly probes from script kiddies and bots
looking for vulnerabilities and some just random weird misaddressed
crap. THIS IS NOT AT ALL UNUSUAL. it is constant.
try, for example, running tcpdump or similar to monitor your internet
connection while all machines behind your router/firewall are turned
off. You will see a non-stop series of packets destined for pretty
nearly every port including udp & tcp 0-65535, icmp and all other
protocols. of course, some protocols and ports are more likely to be
deliberately targeted than others - because they're the ports that are
in most common usage for particular tasks and/or because there is or was
a known vulnerability in some specific (version of) software or hardware,
not because there's something magically bad or unsafe about them.
unless these packets are adversely affecting your connection or your
computers, just follow the two steps above: optionally block, and
ignore.
> Granted, my modem sometimes does send aberrant alerts when I get an
> incoming phone call.
it does this because the programming is stupid - probably something
cretinously useless like whinging about packets for specific ports
regardless of context.
particular port numbers aren't magically bad or good. EVERY port number
has countless legitimate uses (whether they are the "standard" or
"conventional" use for that port or not) as well as the potential for
misuse.
> But in these cases, it happened over a period of
> time with no phone calls whatsoever. Plus they happen over a period
> of several minutes, from the same sources.
as noted above, this is completely normal for any internet connection.
it's only a cause for concern if you have something listening to and
responding to those specific packets - e.g. a legit program which could
be compromised by malformed/malicious packets, or a virus or other malware
listening for command and control packets.
> I did change my modem password as a precaution. Thanks to linkers for
> replies.
securing your router by doing things like changing the default password
and allowing admin access only from the LAN port (and not from the
internet) is *always* a good idea. it's a good start, anyway.
craig
--
craig sanders <cas at taz.net.au>
BOFH excuse #434:
Please state the nature of the technical emergency
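The message above contrasts the router's context-free rule ("any packet to udp/8500 is a DoS") with the two things that actually matter: enough volume to hurt the link, or a local service that listens on the targeted port. The following is an added example (my code, not Craig's, and not from any router firmware) that runs both rules over a constructed tcpdump-style capture. The addresses, the packet lines, the 100 packets-per-second threshold and the `listening` set are all hypothetical inputs chosen for illustration; a real run would feed it `tcpdump -n` output and the output of `ss -lnu`/`ss -lnt`.

```python
"""Triage of 'udp/8500 DoS' router alerts: context-free rule vs. rate-and-listener rule."""
import re
from collections import defaultdict

# Constructed sample in tcpdump's default line format, using RFC 5737 documentation
# addresses. This is illustrative data, not a capture from the mailing-list thread.
SAMPLE_CAPTURE = """\
12:00:00.101 IP 203.0.113.7.40210 > 192.0.2.10.8500: UDP, length 64
12:00:01.230 IP 203.0.113.7.40210 > 192.0.2.10.8500: UDP, length 64
12:00:03.050 IP 198.51.100.22.51234 > 192.0.2.10.445: Flags [S], seq 1, win 1024, length 0
12:00:05.760 IP 203.0.113.7.40210 > 192.0.2.10.8500: UDP, length 64
12:00:07.910 IP 198.51.100.9.60001 > 192.0.2.10.22: Flags [S], seq 7, win 65535, length 0
"""

# timestamp, "IP", src.sport, ">", dst.dport, then "UDP" or TCP "Flags"
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP|Flags)"
)


def parse_tcpdump(text):
    """Parse tcpdump -n lines into (time_seconds, src, dst, proto, dport); skip anything else."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mnt, s, src, _sport, dst, dport, kind = m.groups()
        t = int(h) * 3600 + int(mnt) * 60 + float(s)
        proto = "udp" if kind == "UDP" else "tcp"
        packets.append((t, src, dst, proto, int(dport)))
    return packets


def router_rule(packets):
    """The context-free logic the message complains about: every udp/8500 packet is 'an attack'."""
    return [p for p in packets if p[3] == "udp" and p[4] == 8500]


def triage(packets, listening, pps_threshold=100.0):
    """Per (src, proto, dport) flow, report only what the message says is worth acting on:
    a rate high enough to load the link (hypothetical threshold), or a port something local
    actually listens on. Everything else is background noise to block-or-ignore."""
    flows = defaultdict(list)
    for t, src, _dst, proto, dport in packets:
        flows[(src, proto, dport)].append(t)
    findings = {}
    for key, times in flows.items():
        src, proto, dport = key
        span = max(times) - min(times)
        pps = len(times) / span if span > 0 else float(len(times))  # lone packet counts as 1/s
        if pps >= pps_threshold:
            findings[key] = "volumetric: %d pkts at %.0f pps" % (len(times), pps)
        elif (proto, dport) in listening:
            findings[key] = "investigate: a local service answers on %s/%d" % (proto, dport)
        else:
            findings[key] = "ignore: background noise"
    return findings


def synth_burst(src, dport, count, pps):
    """Constructed UDP burst from one source, for exercising the volume rule."""
    return [(i / pps, src, "192.0.2.10", "udp", dport) for i in range(count)]


if __name__ == "__main__":
    pk = parse_tcpdump(SAMPLE_CAPTURE)
    print("router rule flags %d 'DoS' packets" % len(router_rule(pk)))
    for key, verdict in triage(pk, listening={("tcp", 22)}).items():
        print(key, "->", verdict)
```

With the sample data the router rule "detects" three attacks, while the contextual rule files the same three udp/8500 packets under noise and instead points at the one probe that reached a port with a listener (tcp/22). Feed it a burst of several hundred packets a second from one source and only then does it report a volumetric problem, which is the condition under which the message says anything beyond "block and ignore" is warranted.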