linux security - Jun 1999 - Port 7 scan

Over the last several day, we''ve been getting pretty regular scans from
a
non-existant host on our port 7. Any idea what they are looking for/what are
some of vulnerabilites with echo?

Thanks

Coral Cook

How do you know the host is non-existent?  Have you confirmed that you they
are spoofing?  What does the scan look like?  Is it a stealth scan with a
single packet or something more robust? If you find that they are spoofing,
then the only thing that they could be trying to accomplish is what I call a
"Human Denial of Service (HDOS)".  They are trying to drive you crazy,
searching for a vulnerability that doesn't exist.  It is so easy to spit
garbage into other peoples systems that it isn't funny.  I am interesting in
knowing if you find something other than the so called HDOS attack.

The ultimate solution to the spoof problem is to implement something called
"Network Ingress Filtering".  Look it up with your favorite search
engine.
I think there may be an RFC on it.


Carlton Copp
> -----Original Message-----
> From:	EW1 Coral J. Cook [SMTP:ccook@nosc.mil]
> Sent:	Wednesday, June 09, 1999 11:18 AM
> To:	linux-security@redhat.com
> Subject:	[linux-security] Port 7 scan
> 
> Over the last several day, we've been getting pretty regular scans from
a
> non-existant host on our port 7. Any idea what they are looking for/what
> are
> some of vulnerabilites with echo?
> 
> Thanks
> 
> Coral Cook
> 
> -- 
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
> 
> To unsubscribe:
>   mail -s unsubscribe linux-security-request@redhat.com < /dev/null

> Over the last several day, we've been getting pretty regular scans from
a
> non-existant host on our port 7. Any idea what they are looking for/what
are
> some of vulnerabilites with echo?
Hi, Coral.  The problem is described at
http://www.netcraft.com/presentations/interop/dos.html:

   A stereotypical attack would involve sending a udp packet to the
   chargen port on a host with the packet's source port set to echo, and
   the source address set to localhost, broadcast, or the address of
   another host on the internet known to offer udp echo. Other udp
   services such as daytime (port 13) and time (port 37) might also be
   used as a basis for the attack.

Just comment out any unused services from your inetd.conf, send inetd
SIGHUP, and you should be fine.
__
Trevor Johnson

Juha,

The "scans" you are seeing are in response to a DNS lookup being
initiated
from your site for ad.doubleclick.net. More then likely it is a web
browser some were in your site, or more then likely many that initiate the
lookup. The content that the browser is requesting is available from many
sites of DoubleClicks at many different locations on the Internet. The
connect back to your DNS server is to find which of these sites is best
for you in terms of latency. This information, along with the current load
on the servers at each site is used to determine which IP to return to you
so that you go to the fastest site. The "scans" will not happen with
out a
request from your side. The information that is received is cached for a
period and reused to reduce the total amount of connections. In most
situations the group of connections back to your machine will be utilized
by many out bound requests from your end.

Hope this clears up your questions, drop me an email if not.

rich

	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	Richard Day   Technical Support Manager

	Resonate, Inc.
	385 Moffett Park Drive
	Suite 205
	Sunnyvale, CA 94089

	Main         408 548.5500
	Direct 	     408 548.5648
	Fax 	     408 548.5679
	Support      408 548.5600
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Thu, 10 Jun 1999, Juha Virtanen wrote:
> From: EW1 Coral J. Cook <ccook@nosc.mil> 9.6.1999 21:10:
> 
> 
> >Over the last several day, we've been getting pretty regular scans
from a
> >non-existant host on our port 7. Any idea what they are looking
for/what are
> >some of vulnerabilites with echo?
> 
> 
> I've seen the same and I issued incident tickets on major US service
> providers.
> 
> I got the following information quoted below:
> 
> > From: Ng, Alex [SMTP:ang@doubleclick.net]
> > Sent: Monday, June 07, 1999 11:05 AM
> > Subject: RE: Probable attack from your domain
> >
> > Dear Sir,
> >
> >  We are currently using the product GlobalDispatch from Resonate Inc.
> > for our Wide Area
> > Data Distribution.  Please see letter below for a detail explaination
on
> > this product.  Thanks.
> >
> > Sincerely,
> >
> > Alex Ng
> >
> >
> > --------------------
> >
> > Hello Sir,
> >
> > Alex at Doubleclick asked us to work with you regarding this ticket.
> >
> > We have reason to believe that the reports you've received
regarding
> > these three machines being compromised is a misunderstanding as a
result
> > of our enterprise traffic management software: Global Dispatch. 
Global
> > Dispatch is a WAN-based scheduler that makes it easy to place content
> > close to geographically dispersed users and and intelligently directs
> > requests
> > to the best-suited Point of Presence (POP).
> >
> > In the course of determining the best suited POP, Global Dispatch
preforms
> > a
> > latency measurement.  This latency measurement is done by making a
> > connection
> > to the client DNS server on TCP port 7 and then dropping the
connection.
> > After
> > the latency measurement has been done, the latency values are cached,
and
> > the
> > IP of the most responsive POP is returned to the requesting machine.
> >
> > I hope this help clear up the confusion. We are looking into other
ways to
> > preform this latency mesurment, and hope we have not caused you any
> > inconvenience.
> >
> > --
> > Resonate Technical Support <support@resonate.com>
> >
> >
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  Richard Day Call Center Manager
> >
> >  Resonate, Inc.
> >  465 Fairchild Drive
> >  Suite 115
> >  Mountain View, CA 94040
> >
> >  Main Phone   650 967.6500
> >  Fax       650 967.6561
> >  Support Line 650 967.4800
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> 
> 
> Regards,
> Juha
> 
> 
>