Great Circle Associates Firewalls
(March 1997)
 


Subject: Re: Why would someone be banging on port 7?
From: "Paul D. Robertson" <proberts @ clark . net>
Date: Wed, 26 Mar 1997 20:58:38 -0500 (EST)
To: Karl Kraft <karl @ relada . com>
Cc: firewalls-digest @ GreatCircle . COM
In-reply-to: <v03007801af5f58278f91 @ [10 . 4 . 3 . 20]>

On Wed, 26 Mar 1997, Karl Kraft wrote:

> Lately however, I've been getting about 20-30 rejects per day for different
> hosts connecting to port 7/UDP and from about 4 different hosts, in
> Germany, Austria, and Ukraine.  According to /etc/services, this is the
> echo port, and is usually internal to inetd.

If you spoof an echo request for UDP port 7 from another host on the same 
network, you can effectively flood the network with echoes from each host.

Some software has been known to use UDP echo as a 'ping' as well, so it's 
not definitely an attack if you see a valid source address.  If I recall 
correctly, Harvest cache used to do this at one point; it may still be an 
option.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
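
A log-triage sketch for the two cases distinguished in the message above (a spoofed source on the local network versus a valid outside source using UDP echo as a ping), added here as an example and not part of the original post. The log format, the interface name `ext0`, the `192.0.2.0/24` internal range and all sample lines are constructed assumptions; the source-port check for 7 and 19 (echo and chargen) goes beyond what the post mentions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical reject-log format (not from the post).
SAMPLE_LOG = """\
Mar 26 20:41:07 deny udp in=ext0 198.51.100.7:3312 -> 192.0.2.10:7
Mar 26 20:41:09 deny udp in=ext0 192.0.2.44:7 -> 192.0.2.10:7
Mar 26 20:43:51 deny udp in=ext0 203.0.113.9:19 -> 192.0.2.10:7
Mar 26 20:50:02 deny udp in=ext0 198.51.100.7:3313 -> 192.0.2.11:7
Mar 26 20:55:30 deny tcp in=ext0 198.51.100.7:4000 -> 192.0.2.10:25
"""

LINE_RE = re.compile(
    r"deny (?P<proto>\w+) in=(?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def classify(rec, internal_net, external_iface="ext0"):
    """Label one rejected UDP/7 packet by what its source fields suggest."""
    src = ipaddress.ip_address(rec["src"])
    # An internal address arriving on the outside interface cannot be genuine.
    if rec["iface"] == external_iface and src in internal_net:
        return "spoofed-internal-source"
    # A source port of echo (7) or chargen (19) means a reply would be answered again.
    if int(rec["sport"]) in (7, 19):
        return "service-to-service-loop"
    # Valid outside source, high port: a probe, or software using UDP echo as a ping.
    return "external-probe-or-udp-ping"

def triage(log_text, internal_cidr):
    """Count rejected UDP/7 packets per class and per source address."""
    net = ipaddress.ip_network(internal_cidr)
    by_class, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "udp" or m["dport"] != "7":
            continue
        by_class[classify(m.groupdict(), net)] += 1
        by_source[m["src"]] += 1
    return by_class, by_source

if __name__ == "__main__":
    classes, sources = triage(SAMPLE_LOG, "192.0.2.0/24")
    for name, count in classes.most_common():
        print(f"{count:3d}  {name}")
    for src, count in sources.most_common():
        print(f"{count:3d}  {src}")
```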


