[Snort-sigs] smoothwall box being used for a DoS attack??

Walter Pouwels wally at ...246...
Tue Jan 8 14:25:04 EST 2002


Smoothwall or rather SNORT has alerted me that a 'user' has been trying to 
use my smoothwall box for a DoS attack
SNORT alert:
--------------------
Date: 01/01 17:53:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 1.173.215.130:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:44 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.223.252:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:44 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.223.253:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:45 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.0:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:54 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.98:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:54 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.99:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:54 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.100:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:58 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.125:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:06 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.204:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:06 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.207:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:06 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.208:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:06 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.210:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.211:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.212:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.213:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.214:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.215:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:59:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.224.216:n/a -> 64.0.64.6:n/a
References: none found
--------------------

It looks to me (am not a security whiz but am trying to read several books 
on the subject) that my smoothwall box is being used as a deflector shield 
from which the attack is bounced onto the target host.
Am I right and if so what can I do about this bouncing off of my 
smoothwall machine?
I kinda hate it to get a phone call from my ISP complaining that I am 
actually issuing a DoS attack.
Kind regards,
Walter Pouwels
Smoothwall newbie, linux enthusiast for over 5 years.



_______________________________________________

A)bort, R)etry, I)gnore, V)alium?
_______________________________________________
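
A triage sketch for alerts in the layout quoted above, added here as an example and not part of the original post or of Snort: it parses each record, counts direction relative to a monitored address, and lists sources inside 0.0.0.0/8, which is never a valid remote source. The names `parse_alerts`, `summarize` and `local_ip` are hypothetical, and the sample run passes the alert destination as `local_ip` only as an assumption, since the post does not say which address is the Smoothwall box.

```python
import ipaddress
import re
from collections import Counter

# Excerpt of the alerts quoted in the post, embedded so the script runs offline.
SAMPLE = """\
Date: 01/01 17:53:07 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 1.173.215.130:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:44 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.223.252:n/a -> 64.0.64.6:n/a
References: none found

Date: 01/01 17:58:44 Name: spp_frag2: Oversized fragment, probable DoS
Priority: n/a Type: n/a
IP info: 0.64.223.253:n/a -> 64.0.64.6:n/a
References: none found
"""

ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>[^\n]+?)[ \t]*\n"
    r"Priority: [^\n]*\n"
    r"IP info: (?P<src>[\d.]+):\S+ -> (?P<dst>[\d.]+):\S+"
)
# 0.0.0.0/8 is "this network" (RFC 1122) and is never a valid remote source.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

def parse_alerts(text):
    """Return one dict (date, name, src, dst) per alert record."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def summarize(alerts, local_ip):
    """Count alert direction relative to local_ip and collect invalid sources."""
    local = ipaddress.ip_address(local_ip)
    out = {"inbound": 0, "outbound": 0, "other": 0,
           "invalid_src": Counter(), "by_name": Counter()}
    for a in alerts:
        src, dst = ipaddress.ip_address(a["src"]), ipaddress.ip_address(a["dst"])
        direction = "inbound" if dst == local else "outbound" if src == local else "other"
        out[direction] += 1
        out["by_name"][a["name"]] += 1
        if src in THIS_NETWORK:
            out["invalid_src"][a["src"]] += 1
    return out

if __name__ == "__main__":
    # local_ip is an assumption: the post does not say which address is the box.
    print(summarize(parse_alerts(SAMPLE), "64.0.64.6"))
```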




