[Gllug] Analysing worm traffic

Doug Winter doug at pigeonhold.com
Mon Sep 29 18:56:39 UTC 2003


On Mon 29 Sep Simon Wilcox wrote:
> I'd like to know how much of my bandwidth these attacks are using. Does 
> anyone know how big an attack exchange is ?

I guess it's going to be a single SYN packet, possibly followed by an
ICMP port unreachable.  My (poor) arithmetic would make that a maximum
of:

    28 bytes for the TCP header of the initial packet
    24 bytes for the IP header of the initial packet
    24 bytes for the IP header of the unreachable message
     8 bytes for the unreachable message
    24 bytes for the enclosed ip header in the unreachable message
     8 bytes for the enclosed tcp header fragment in the unreachable
   ===
   116 bytes

You had 9,125 attempts on Saturday, so that's:

    9125 * 116 = 1058500 bytes in 24 hours
               = 0.096 Kbps

If you don't respond with port unreachables (because you are filtering
and have chosen not to) then it will only be 52 bytes per attempt.

If tcp port 135 is listening, but the system is not vulnerable, there's
going to be an RPC exchange, with an attempt to exploit the buffer
overflow.  That will be larger - but obviously that's not your
situation.

doug.

-- 
6973E2CF print 2C95 66AD 1596 37D2 41FC  609F 76C0 A4EC 6973 E2CF
"If you are the type of person who likes assault weapons, there
is a place for you - the United States Army. We have them."
   -- General Wesley Clark, responding to a question on gun control
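A worked version of the calculation above, as an added example that is not part of the original post. It parses a few constructed netfilter/iptables LOG lines (the log format is an assumption; the post does not say what Simon's logs look like), counts SYNs to TCP/135 per day, and turns the count into bytes and bits per second using the per-exchange figures from the post (116 bytes with an ICMP unreachable reply, 52 bytes without). The optional link-layer overhead parameter is an addition of this example and defaults to zero so that the result matches the post's arithmetic.

```python
"""Estimate the bandwidth used by TCP/135 probe attempts seen in a firewall log.

Added example, not code from the GLLUG post. Assumes netfilter LOG-target
syslog lines; the sample below is constructed.
"""
import re
from collections import Counter

# Constructed sample in the iptables LOG format: Sep 27 2003 is the Saturday
# the post refers to.  Three SYNs to 135, one SYN to 445, one UDP packet,
# then two SYNs to 135 on the Sunday.
SAMPLE_LOG = """\
Sep 27 00:12:01 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1234 DF PROTO=TCP SPT=1456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 27 03:40:17 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=4321 DF PROTO=TCP SPT=3022 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 27 11:05:59 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=777 DF PROTO=TCP SPT=1099 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 27 11:06:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=110 ID=778 PROTO=UDP SPT=1034 DPT=135 LEN=384
Sep 27 19:22:45 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.200 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=9 DF PROTO=TCP SPT=2001 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 02:00:10 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.31 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=55 DF PROTO=TCP SPT=1567 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 28 14:31:33 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.44 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=56 DF PROTO=TCP SPT=1800 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: (?P<fields>.*)$"
)

# Per-exchange byte budget, taken as given from the post (IP layer and above).
EXCHANGE_BYTES = {
    "tcp header of the initial SYN": 28,
    "ip header of the initial SYN": 24,
    "ip header of the unreachable": 24,
    "icmp unreachable message": 8,
    "enclosed ip header": 24,
    "enclosed tcp header fragment": 8,
}


def parse_fields(rest):
    """Split 'K=V K=V SYN URGP=0' into a dict of values and a set of bare flags."""
    kv, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
        else:
            flags.add(tok)
    return kv, flags


def count_syn_attempts(log_text, dport=135):
    """Count pure SYNs (not SYN/ACK) to TCP dport, keyed by 'Mon DD'."""
    per_day = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv, flags = parse_fields(m.group("fields"))
        if kv.get("PROTO") != "TCP" or kv.get("DPT") != str(dport):
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue
        per_day[f"{m.group('mon')} {m.group('day')}"] += 1
    return per_day


def bytes_per_attempt(send_unreachable=True, framing=0):
    """Bytes per probe: SYN only, or SYN plus ICMP port unreachable.

    framing is an optional per-packet link-layer overhead (assumption of this
    example, e.g. 18 for an Ethernet header plus FCS); 0 reproduces the post.
    """
    items = EXCHANGE_BYTES.items()
    if not send_unreachable:
        items = [(k, v) for k, v in items if "initial" in k]
    packets = 2 if send_unreachable else 1
    return sum(v for _, v in items) + packets * framing


def bandwidth(attempts, per_attempt_bytes, seconds=86400):
    """Return (total bytes, average bits per second) over the given period."""
    total = attempts * per_attempt_bytes
    return total, total * 8 / seconds


if __name__ == "__main__":
    for day, n in sorted(count_syn_attempts(SAMPLE_LOG).items()):
        total, bps = bandwidth(n, bytes_per_attempt())
        print(f"{day}: {n} attempts, {total} bytes, {bps:.3f} bit/s")
    # The post's Saturday figure, 9125 attempts with unreachables sent.
    total, bps = bandwidth(9125, bytes_per_attempt())
    print(f"9125 attempts: {total} bytes in 24h, {bps:.1f} bit/s")
```

Run it as a script to see the per-day report; to use it on a real log, feed the file contents to `count_syn_attempts` and, if the firewall DROPs rather than REJECTs, call `bytes_per_attempt(send_unreachable=False)`.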

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

