QUICK GUIDE ON READING PACKET TRACES:
-------------------------------------

All example logs use 10.0.0.1 as the attacker address and 127.0.0.1 as the target address.

Firewall log EXAMPLE packet traces:
-----------------------------------

Apr 2 01:36:45 gate /kernel: ipfw: 20 Count ICMP:0.0 10.0.0.1 127.0.0.1 in via dc1
Apr 2 12:41:00 gate /kernel: ipfw: 20 Count P:2 10.0.0.1 127.0.0.1 in via dc1 (frag 51265:1480@2960+)
Apr 2 18:59:21 gate /kernel: ipfw: 20 Count UDP 10.0.0.1 127.0.0.1 in via dc1 (frag 38706:1480@1480+)

The packet traces here show some different DoS attacks: ICMP:0.0 is ICMP traffic (the numbers after the colon are the ICMP type and code), P:2 is IGMP traffic (IP protocol number 2), and UDP is UDP traffic. All of these can show up as normal or fragmented packets; the "(frag ...)" suffix marks a fragment. Each log line is in the order: date, the host name ("gate") and facility ("/kernel: ipfw:"), the ipfw rule number (20 here), the rule action ("Count"), and then the packet trace itself. Typically these come from machines that have a trojan installed on them and are being used for DoS / DDoS attacks.

Firewall log EXAMPLE packet trace for SNORT IDS:
------------------------------------------------

Apr 2 07:17:00 gate snort: [1:221:1] DDOS TFN Probe [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.1 -> 127.0.0.1

These logs include IDS signature numbers: the middle number in the bracketed [1:221:1] field, so here the IDS number (SID) is 221. You can get more information about this attack from the website http://www.snort.org/snort-db/ by typing the number into the "View by SID:" area.

tcpdump example traces:
-----------------------

15:34:01.554449 10.0.0.1.2100 > 127.0.0.1.1434: udp 376
15:34:20.190256 10.0.0.1.4407 > 127.0.0.1.1434: udp 376

These packet traces show the time (and, for TCP, sequence numbers), the source address > target address (with the port as the last dotted component), and the packet type and length. In this case they show UDP packets contacting a Microsoft SQL Server on port 1434 (notably CERT Advisory CA-2003-04, MS-SQL Server Worm). Other packets will show different options, such as "S" for TCP SYN floods, etc.

Please take all attacks originating from your network seriously.
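The three log formats above (ipfw firewall lines, Snort alerts, and tcpdump traces) are easy to pull apart with regular expressions, which lets you count traffic per source and protocol instead of reading lines by eye. The following Python is an added example, not part of the guide or of any of these tools; its regular expressions are modelled only on the line shapes shown here (the sample lines below are constructed copies of those), the protocol-number table is the standard IANA assignment for 1/2/6/17, and treating a bare flag token such as "S" in a tcpdump line as TCP is an assumption about tcpdump's older output style.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines, shaped like the examples in the guide.
SAMPLE_LINES = [
    "Apr 2 01:36:45 gate /kernel: ipfw: 20 Count ICMP:0.0 10.0.0.1 127.0.0.1 in via dc1",
    "Apr 2 12:41:00 gate /kernel: ipfw: 20 Count P:2 10.0.0.1 127.0.0.1 in via dc1 (frag 51265:1480@2960+)",
    "Apr 2 18:59:21 gate /kernel: ipfw: 20 Count UDP 10.0.0.1 127.0.0.1 in via dc1 (frag 38706:1480@1480+)",
    "Apr 2 07:17:00 gate snort: [1:221:1] DDOS TFN Probe [Classification: Attempted Information Leak] "
    "[Priority: 2]: {ICMP} 10.0.0.1 -> 127.0.0.1",
    "15:34:01.554449 10.0.0.1.2100 > 127.0.0.1.1434: udp 376",
    "15:34:20.190256 10.0.0.1.4407 > 127.0.0.1.1434: udp 376",
]

# date host /kernel: ipfw: <rule> <action> <proto> <src>[:port] <dst>[:port] in|out via <iface> [(frag ...)]
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)(?: \(frag (?P<frag>[^)]*)\))?$"
)
# date host snort: [gid:sid:rev] <msg> [Classification: ...] [Priority: n]: {proto} src[:port] -> dst[:port]
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
# timestamp src[.port] > dst[.port]: <proto-or-flags> <rest>
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\w+)(?P<rest>.*)$"
)

PROTO_NUMBERS = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}  # IANA protocol numbers


def normalize_proto(token: str) -> str:
    """Map the protocol field of any of the three formats onto one name."""
    t = token.upper()
    if t.startswith("P:"):                      # ipfw prints unknown protocols as P:<number>
        return PROTO_NUMBERS.get(t[2:], "PROTO" + t[2:])
    if t.startswith("ICMP"):                    # ipfw appends ":type.code" to ICMP
        return "ICMP"
    if t in ("UDP", "TCP", "IGMP"):
        return t
    if re.fullmatch(r"[SFRPWE.]+", t):          # assumption: tcpdump TCP lines carry flags, not a name
        return "TCP"
    return t


@dataclass
class Event:
    source: str                 # "ipfw", "snort" or "tcpdump"
    timestamp: str
    src: str
    dst: str
    proto: str                  # normalized: ICMP, IGMP, UDP, TCP, ...
    fragment: bool = False
    detail: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a recognised log line, or None for anything else."""
    line = line.strip()
    m = IPFW_RE.match(line)
    if m:
        return Event("ipfw", m["ts"], m["src"], m["dst"], normalize_proto(m["proto"]),
                     fragment=m["frag"] is not None,
                     detail={"rule": int(m["rule"]), "action": m["action"], "iface": m["iface"],
                             "raw_proto": m["proto"], "frag": m["frag"]})
    m = SNORT_RE.match(line)
    if m:
        return Event("snort", m["ts"], m["src"], m["dst"], normalize_proto(m["proto"]),
                     detail={"gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
                             "msg": m["msg"], "classification": m["cls"], "priority": int(m["prio"])})
    m = TCPDUMP_RE.match(line)
    if m:
        return Event("tcpdump", m["ts"], m["src"], m["dst"], normalize_proto(m["proto"]),
                     detail={"sport": int(m["sport"]) if m["sport"] else None,
                             "dport": int(m["dport"]) if m["dport"] else None,
                             "rest": m["rest"].strip()})
    return None


def summarize(lines) -> dict:
    """Count events per (source address, protocol); unparseable lines are skipped."""
    counts: dict = {}
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            key = (ev.src, ev.proto)
            counts[key] = counts.get(key, 0) + 1
    return counts


def snort_sids(lines) -> set:
    """Collect the Snort SIDs seen, for lookup in the signature database."""
    return {ev.detail["sid"] for ev in map(parse_line, lines)
            if ev is not None and ev.source == "snort"}


if __name__ == "__main__":
    for (src, proto), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{src:15} {proto:5} {n}")
    print("Snort SIDs to look up:", sorted(snort_sids(SAMPLE_LINES)))
```

Run against a real syslog file, `summarize()` gives the per-source, per-protocol counts that make a flood from one trojaned host stand out, and `snort_sids()` lists the signature numbers to look up in the Snort database; the `fragment` flag on ipfw events separates the fragmented floods the guide mentions from ordinary traffic.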
-- Eric Thern Zoidial Incorporated eric@zoidial.com