Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-06-01 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Port 16191 fragment update, mail server dictionary attack, top 10 signs that you are infected

Published: 2004-06-01
Last Updated: 2004-06-02 00:12:16 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Port 16191 Fragment Update

James Fields alerted us to the following advice provided by Cisco to
avoid the "Port 16191 Fragmentation" issue. He forwarded the following
quote from a Cisco engineer:

"To avoid this problem try changing the FragmentReassembly settings ( try increasing 'IPReassembleMaxFrags' ). You will probably also need to change the 'FragmentThreshold' settings for these signatures."

mail server dictionary attacks

While not new, the number of reported dictionary attacks against mail servers
is up. These attacks are characterized by spam being sent to random users at a particular domain. The amount of inbound mail may in itself cause some mail
servers to die or slow down to a crawl. If the mail server sends bounce notices for unavailable accounts, they frequently are directed to invalid email addresses and causing another bounce in reply (which will end up in the postmaster's inbox if the mail server is configured correctly).

This issue has been discussed over the last few days at one of our mailing lists: http://lists.sans.org/pipermail/list/2004-May/031574.php .

There are a number of possible defenses against these attacks. Turning off
"mailbox not available" notices may be one method, but it will also prevent
such notices to valid e-mail senders who typed an e-mail address incorrectly.

Rate limiting traffic to mail servers on a per-IP basis is a simple solution for most firewalls.

If you are using software like spamassassin, you may want to consider delivering e-mail to its 'learn' feature for some of the most popular
spam recipients.

Tom Liston, one of our ISC handlers, recorded the frequency of userids
used in e-mail sent to an unused domain: http://isc.sans.org/presentations/spam_scan.txt
Top 10 Signs that you are infected

It is usually quite hard to find out if a system is "clean" or "compromised".
Quite frequently, we are confronted with users that blame regular odd OS
crashes on an infection, while on the other hand it takes others months to figure out that they are 0wn3d. This list is NOT intended as a final
version, but more as a request for comment.

The first 5 signs are more intended for home users, while the second set
requires some instrumentation (IDS/Firewall).

(1) Your system shuts down spontaneously frequently, even if you don't use it.

(2) Your internet connection slows to a crawl even while you are not doing anything significant.

(3) Your Virus scanner crashes and can not be started again.

(4) You are no longer able to visit Anti Virus sites.

(5) Your hard disk fills up and you can't find the files that use up all the disk space.
(6) Your system all for sudden attempts to connect to random IRC servers.

(7) Your mail server is extremely busy processing outbound mail.

(8) nightly incremental backups are all for sudden much larger then usual.

(9) New user accounts show up and nobody knows who added them.

(10) A given server (web/ftp/mail) keeps crashing for no apparent reason.


----

Johannes Ullrich, jullrich_AT_sans.org
Keywords:
0 comment(s)
Diary Archives