[lug] route add -host attacks

D. Stimits stimits at idcomm.com
Wed Nov 14 21:54:41 MST 2001


Jeff wrote:
> 
> Dunno.  I'm also on the AT&T network.  I don't seem to have this
> problem.  Just to be sure, I checked my message logs for the following:
> 211.23.141.22
> attackalert
> primatex
> "/sbin/route"
> 
> And came up blank.  Possible hack?  Port 111 is Sun RPC.  Not totally
> sure what that does, but you may want to consider rebuilding the route
> table.  Have you tried route or route -n ?
> What are the results?  Does the below ip show up?  If so you may have a
> problem.  If not...
> 
> $0.02
> Jeff
> 
> Warren Sanders wrote:
> >
> > Anyone know anything about a known virus or other wrappers adding hosts to your
> > route table?  Earlier this week I asked about my corrupt route table but no
> > reply.  I now have found (after hacking away at my machine daily) several
> > entries in my messages log:
> >
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: SYN/Normal scan from
> > host: ms1.primatex.com.tw/211.23.141.22 to TCP port: 111
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has
> > been blocked via wrappers with string: "ALL: 211.23.141.22"
> > Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has
> > been blocked via dropped route using command: "/sbin/route add -host 211.23.141.22
> > gw 127.0.0.1"

I don't use portsentry, but it seems to be a defensive reaction. Port
scans on 111 are common (used for many favorite attacks), but you don't
see the routes as adding these hosts; it appears to be removing them
from routing. There are times I've heard of people with portsentry
finding that it was too aggressive and blocked something that wasn't
intended to be blocked. If someone finds a way to spoof and get
portsentry to block a machine from too many addresses, you could call
this a denial of service attack. I have no doubt that scans through port
111 are malicious in most cases, but it seems like these log messages
are just portsentry using routing as a defense mechanism. Does anyone
here use portsentry, and can you confirm whether portsentry can be
configured to block routes on purpose?

D. Stimits, stimits at idcomm.com

> >
> > I have been getting these since mid-October and it seems to take a couple of
> > weeks to kill your route table.
> >
> > BTW: I'm on the @home network.
> >
> > --
> > Warren Sanders
> > http://MontanaLinux.Org
> >
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> --
> "Yet they are mistaken, they will be exposed, and they will discover
> what
> others in the past have learned;  Those who make war against the United
> States have chosen their own destruction."
> G. Bush Jr.  Sept '01
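
As an added example (not code from the original thread, and not part of portsentry itself), the script below does what Jeff suggests: it pulls the hosts portsentry says it black-holed out of the messages log and compares them with the output of `route -n`. A portsentry block is a host route (Genmask 255.255.255.255, H flag) whose gateway is 127.0.0.1, so replies to that host are routed into loopback and never reach the wire; nothing is "added" to reach the host, the host is cut off. The log excerpt and routing table are constructed to match the format quoted above; the second and third hosts (198.51.100.7 and 192.0.2.5) are invented, with the latter present in the table but not in the log so the mismatch check has something to report.

```shell
#!/bin/sh
# Added example: reconcile portsentry "blocked via dropped route" log
# lines against the kernel routing table. Sample data is constructed to
# match the format quoted in the thread; the hosts 198.51.100.7 and
# 192.0.2.5 are invented (RFC 5737 documentation addresses).

# Constructed portsentry log excerpt. The real log has each entry on one
# line; the mail archive wrapped them.
SAMPLE_LOG='Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: SYN/Normal scan from host: ms1.primatex.com.tw/211.23.141.22 to TCP port: 111
Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via wrappers with string: "ALL: 211.23.141.22"
Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via dropped route using command: "/sbin/route add -host 211.23.141.22 gw 127.0.0.1"
Nov 15 02:11:40 Sandman portsentry[11928]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/route add -host 198.51.100.7 gw 127.0.0.1"'

# Constructed "route -n" output: three black-hole host routes, the LAN
# route and the default route. Only two of the black holes are in the log.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
211.23.141.22   127.0.0.1       255.255.255.255 UGH   0      0        0 lo
198.51.100.7    127.0.0.1       255.255.255.255 UGH   0      0        0 lo
192.0.2.5       127.0.0.1       255.255.255.255 UGH   0      0        0 lo
24.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
0.0.0.0         24.0.0.1        0.0.0.0         UG    0      0        0 eth0'

# Hosts portsentry reports having black-holed, read from a log on stdin.
# Only the "dropped route" line is matched; the wrappers line (which goes
# to /etc/hosts.deny) does not touch the routing table.
portsentry_blocked_hosts() {
    sed -n 's|.*blocked via dropped route using command: "/sbin/route add -host \([0-9.]*\) gw 127\.0\.0\.1".*|\1|p' | sort -u
}

# Host routes via 127.0.0.1 in "route -n" output on stdin: the signature
# portsentry's route block leaves. Prints the destination address.
blackhole_routes() {
    awk '$2 == "127.0.0.1" && $3 == "255.255.255.255" && $4 ~ /H/ { print $1 }'
}

# Commands that would restore normal routing for every black-holed host,
# for review before running them as root.
cleanup_commands() {
    blackhole_routes | while read -r ip; do
        printf '/sbin/route del -host %s gw 127.0.0.1\n' "$ip"
    done
}

# Black-hole routes that no portsentry log line accounts for.
# $1 = log text, $2 = "route -n" text. Anything printed here was put in
# the table by something other than portsentry and deserves a closer look.
unexplained_routes() {
    logged=" $(printf '%s\n' "$1" | portsentry_blocked_hosts | tr '\n' ' ') "
    printf '%s\n' "$2" | blackhole_routes | while read -r ip; do
        case "$logged" in
            *" $ip "*) ;;                 # logged by portsentry: expected
            *) printf '%s\n' "$ip" ;;     # nothing in the log explains it
        esac
    done
}
```

On a live box the same functions run against the real data: `portsentry_blocked_hosts < /var/log/messages` and `/sbin/route -n | blackhole_routes`, and `unexplained_routes "$(cat /var/log/messages)" "$(/sbin/route -n)"`. An empty result from the last one means every odd-looking route is portsentry's doing; a non-empty one means the table was changed some other way. Note the script lists `route del` commands rather than running them, since deleting the route also unblocks the scanner.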
