LinuxQuestions.org
Old 04-13-2005, 07:56 AM   #1
zapotek
LQ Newbie
 
Registered: Jun 2004
Distribution: PCLinuxOS
Posts: 16

Rep: Reputation: 0
Iptraf igmp - hack?


Hi! I have a big problem with some big IGMP traffic from some 10.100.177.2 IP address...
I'm a newbie, I use mepis 3.3 as a workstation.
I don't know how to interpret this stuff.
I've put some screenshots here:
http://www.xtrempc.ro/forum/viewtopic.php?t=37611

#whois 10.100.177.2

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 10.0.0.0 - 10.255.255.255
CIDR: 10.0.0.0/8
NetName: RESERVED-10
NetHandle: NET-10-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate:
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
----------------------------------------------------------------------------------

Is somebody trying to hack me?

Last edited by zapotek; 04-13-2005 at 03:32 PM.
 
Old 04-13-2005, 11:29 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
10.0.0.0/8 is one of the IANA IP blocks reserved for private use and either has to originate locally (on your network) or very nearby, as packets with that source address shouldn't be forwarded by routers on the internet. It might help if you captured some of the packets with tcpdump -x -v igmp

There was a recent kernel igmp DoS vulnerability, but it's hard to tell if this is malicious without more info.
 
Old 04-14-2005, 09:37 PM   #3
zapotek
LQ Newbie
 
Registered: Jun 2004
Distribution: PCLinuxOS
Posts: 16

Original Poster
Rep: Reputation: 0
This time, I don't have such big traffic (1000kbits/sec) but this is the answer after ~10 minutes of listening:

# tcpdump -x -v igmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
04:58:22.936024 IP (tos 0x0, ttl 1, id 23051, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5a0b 0000 0102 c46d 0a64 b102 E...Z......m.d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
04:58:26.664206 IP (tos 0x0, ttl 1, id 23054, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
0x0000: 4500 001c 5a0e 0000 0102 c46a 0a64 b102 E...Z......j.d..
0x0010: e000 0001 1164 fea0 efff fffa 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:00:27.959303 IP (tos 0x0, ttl 1, id 23138, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5a62 0000 0102 c416 0a64 b102 E...Zb.......d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:02:32.984690 IP (tos 0x0, ttl 1, id 23208, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5aa8 0000 0102 c3d0 0a64 b102 E...Z........d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:04:38.009942 IP (tos 0x0, ttl 1, id 23267, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5ae3 0000 0102 c395 0a64 b102 E...Z........d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:06:43.037914 IP (tos 0x0, ttl 1, id 23318, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5b16 0000 0102 c362 0a64 b102 E...[......b.d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:08:48.060251 IP (tos 0x0, ttl 1, id 23478, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5bb6 0000 0102 c2c2 0a64 b102 E...[........d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
05:09:17.558617 IP (tos 0x0, ttl 1, id 23500, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
0x0000: 4500 001c 5bcc 0000 0102 c2ac 0a64 b102 E...[........d..
0x0010: e000 0001 1164 fea0 efff fffa 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............

Last edited by zapotek; 04-14-2005 at 09:42 PM.
 
Old 04-15-2005, 12:06 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Sorry, gave you the wrong tcpdump options, use tcpdump -e -v igmp. That will give you a MAC hardware address. The IGMP v2 requests are set with a ttl of 1, meaning they can only go 1 hop, so the system in question is on your network or very nearby. Once you get a MAC address you can try tracking it down that way. The traffic you logged looks like a misconfigured system making igmp queries on a non-multicast network, however 1M per second certainly isn't normal. Once you identify the system, you should absolutely take it offline and look around for IGMP flooding tools or other evidence that it was compromised.
 
Old 04-15-2005, 12:45 PM   #5
zapotek
LQ Newbie
 
Registered: Jun 2004
Distribution: PCLinuxOS
Posts: 16

Original Poster
Rep: Reputation: 0
The answer is something like this! But the log is much bigger!
As you see, the incoming igmp packets are very frequent. The listening was longer (3-6 seconds) but this is just a fraction of a second:

#tcpdump -e -v igmp

20:33:07.212292 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21296, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.212667 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21297, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213042 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21298, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213417 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21299, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213793 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21300, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]

12968 packets captured
12981 packets received by filter

Last edited by zapotek; 04-17-2005 at 02:18 AM.
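The capture above shows five queries inside about 1.5 ms, whereas the capture in post #3 showed one query roughly every 125 s. As an added example (not code from this thread, from tcpdump or from any project it mentions), the following Python script parses `tcpdump -e -v igmp` lines, groups them by source MAC address, and reports the packet rate and the median gap between queries, so that a flooding source can be told apart from an ordinary IGMPv2 querier. The five flood lines are copied from post #5; the four "normal" lines reuse the timestamps from post #3 but carry a made-up MAC (00:11:22:33:44:55) and source IP (10.100.177.1), constructed for the example. The 125 s reference is the IGMPv2 default Query Interval from RFC 2236, which is the assumption about what "normal" looks like here; the 100 packets/s flood threshold is likewise an assumed cut-off.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One "tcpdump -e -v igmp" line: timestamp, source > destination MAC, then the
# IP summary with the source address, the destination and the IGMP description.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),.*?\s"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\S+):\s+igmp\s+(?P<info>.*)$"
)

# Constructed sample capture: the first five lines are the flood from post #5,
# the last four use the ~125 s spacing of post #3 with a made-up MAC and IP
# (00:11:22:33:44:55 / 10.100.177.1) to stand in for a normal IGMPv2 querier.
SAMPLE_LINES = """\
20:33:07.212292 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21296, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.212667 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21297, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213042 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21298, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213417 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21299, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
20:33:07.213793 00:00:ca:26:c7:00 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 21300, offset 0, flags [none], length: 28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
04:58:22.936024 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 23051, offset 0, flags [none], length: 28) 10.100.177.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
05:00:27.959303 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 23138, offset 0, flags [none], length: 28) 10.100.177.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
05:02:32.984690 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 23208, offset 0, flags [none], length: 28) 10.100.177.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
05:04:38.009942 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800),length 60: IP (tos 0x0, ttl 1, id 23267, offset 0, flags [none], length: 28) 10.100.177.1 > ALL-SYSTEMS.MCAST.NET: igmp query v2
""".splitlines()


def summarize_igmp_sources(lines, querier_interval_s=125.0, flood_pps=100.0):
    """Group IGMP lines by source MAC and classify each sender's cadence.

    querier_interval_s: RFC 2236 default Query Interval (assumed "normal").
    flood_pps: packets per second above which a sender is called a flood.
    """
    by_mac = defaultdict(lambda: {"times": [], "src_ips": set(), "kinds": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                       # not an igmp line in -e -v format
        rec = by_mac[m["smac"]]
        rec["times"].append(datetime.strptime(m["ts"], "%H:%M:%S.%f"))
        rec["src_ips"].add(m["src"])
        rec["kinds"].add("group-specific" if "gaddr" in m["info"] else "general")

    report = {}
    for mac, rec in by_mac.items():
        times = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"packets": len(times), "src_ips": sorted(rec["src_ips"]),
                 "query_kinds": sorted(rec["kinds"]), "median_gap_s": None,
                 "pps": None, "verdict": "insufficient data"}
        if gaps:
            span = (times[-1] - times[0]).total_seconds()
            entry["median_gap_s"] = statistics.median(gaps)
            entry["pps"] = (len(times) - 1) / span if span > 0 else float("inf")
            if entry["pps"] > flood_pps:
                entry["verdict"] = "flood"
            elif abs(entry["median_gap_s"] - querier_interval_s) <= 0.1 * querier_interval_s:
                entry["verdict"] = "normal querier cadence"
            else:
                entry["verdict"] = "irregular"
        report[mac] = entry
    return report


if __name__ == "__main__":
    for mac, entry in summarize_igmp_sources(SAMPLE_LINES).items():
        print(mac, entry)
```

Run as-is it prints one entry per MAC; the 00:00:ca:26:c7:00 sender comes out at roughly 2,600 packets/s and is labelled a flood, while the constructed querier sits at a ~125 s median gap. Feeding it the output of `tcpdump -e -v -l igmp` from a real capture works the same way, since only the source MAC, timestamp and the `gaddr` marker are used.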
 
Old 04-15-2005, 07:10 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
00:00:ca:26:c7:00 <--this is the source MAC address, which belongs to an Arris/Applitek NIC. Once you identify that system, make sure to take it offline and do a thorough analysis to see if it was compromised.
 
Old 04-16-2005, 02:08 AM   #7
zapotek
LQ Newbie
 
Registered: Jun 2004
Distribution: PCLinuxOS
Posts: 16

Original Poster
Rep: Reputation: 0
Like I said, I'm a newbie in Linux... when you were saying "once you identify that system, make sure to take it offline" this sounds to me like an illegal way to resolve things. I'm sure you wouldn't say that!
I'm not a native English speaker, so I can understand a lot of things!
Please excuse me if I'm getting annoying for you. I need a step-by-step explanation here.
I used Ethereal to analyze those packets from the resulting MAC address. I don't know if this is what I'm looking for...

------------------------------------------------------------------------------------------
No. Time Source Destination Protocol Info
1 0.000000 10.100.177.2 224.0.0.1 IGMP V2 Membership Query

Frame 1 (60 bytes on wire, 60 bytes captured)
Arrival Time: Apr 17, 2005 13:25:23.408944000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 60 bytes
Capture Length: 60 bytes
Protocols in frame: eth:ip:igmp
Ethernet II, Src: 00:00:ca:26:c7:00, Dst: 01:00:5e:00:00:01
Destination: 01:00:5e:00:00:01 (01:00:5e:00:00:01)
Source: 00:00:ca:26:c7:00 (ArrisInt_26:c7:00)
Type: IP (0x0800)
Trailer: 000000000000000000000000000000000000
Internet Protocol, Src Addr: 10.100.177.2 (10.100.177.2), Dst Addr: 224.0.0.1 (224.0.0.1)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 28
Identification: 0xfc00 (64512)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 1
Protocol: IGMP (0x02)
Header checksum: 0x2278 (correct)
Source: 10.100.177.2 (10.100.177.2)
Destination: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
IGMP Version: 2
Type: Membership Query (0x11)
Max Response Time: 10.0 sec (0x64)
Header checksum: 0xfea0 (correct)
Multicast Address: 239.255.255.250 (239.255.255.250)

0000 01 00 5e 00 00 01 00 00 ca 26 c7 00 08 00 45 00 ..^......&....E.
0010 00 1c fc 00 00 00 01 02 22 78 0a 64 b1 02 e0 00 ........"x.d....
0020 00 01 11 64 fe a0 ef ff ff fa 00 00 00 00 00 00 ...d............
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
------------------------------------------------------------------------------------------

I hope this information isn't redundant!
And once again, thank you very much for your help and sorry for the trouble.

Last edited by zapotek; 04-17-2005 at 10:35 AM.
 
Old 04-16-2005, 06:30 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote: Like I said, I'm a newbie in linux... when you was saying "once you identify that system, make sure to take it offline" this sound for me like an illegal way to resolve things. I'm sure you wouldn't say that!
No, I'm not suggesting anything malicious or illegal at all. I was just assuming that you would be the owner/administrator of that system or would be able to contact the owner. This traffic should not be able to transfer long distances across the internet and would need to originate locally. There are two reasons why:
  • The source IP address is in the IANA reserved IP range, so they will not be forwarded by routers on the internet.
  • These IGMP packets are sent with a ttl (time-to-live) value of 1, so when a router receives this packet it will not forward it.
Therefore these packets are coming from a system on your network or very nearby. Are you on a network? Do you connect to the internet by cable, DSL, dialup?

Quote: Please excuse me if I'm getting annoying for you. I need a step by step explanation here.
No problem, if you have any questions or are confused about something then feel free to ask.

Quote: I used Ethereal to analyze those packets from resulted mac address. I don't know if this is what i'm looking for...
This is the information that we are looking for:

Source: 00:00:ca:26:c7:00 (ArrisInt_26:c7:00)

That is the hardware MAC address of the system sending the traffic. Start by checking the MAC address of your system. If you run the ifconfig command it will display the MAC address of the network card in your computer:
Code:
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0D:61:7C:20:EC  <---this is the MAC address
          inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:51ff:fe7e:85fe/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
On a system running windows, use the ipconfig command to show the same output. So if you are on a network with multiple systems, you will need to find the MAC of each system and see which one has the MAC address 00:00:ca:26:c7:00.

Last edited by Capt_Caveman; 04-16-2005 at 06:33 AM.
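The hex dumps in posts #3 and #7, and the two reasons given just above for why the traffic has to be local, can all be checked mechanically from the bytes. As an added example (not code from this thread, from tcpdump or from Ethereal), the following Python script parses both dump formats (tcpdump's `0x0010:` offsets and Ethereal's `0010` offsets), strips the Ethernet header when one is present, decodes the IPv4 header and the IGMPv2 message, verifies both RFC 1071 checksums, and lists the locality indicators (RFC 1918 source, TTL of 1). The sample inputs are the first two frames of post #3 and the frame of post #7, copied as they appear in the thread; the function and field names are my own.

```python
import ipaddress
import re
import struct

# Two frames from the "tcpdump -x -v igmp" output in post #3 (IP packet only).
SAMPLE_TCPDUMP = """\
04:58:22.936024 IP (tos 0x0, ttl 1, id 23051, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2
0x0000: 4500 001c 5a0b 0000 0102 c46d 0a64 b102 E...Z......m.d..
0x0010: e000 0001 1164 ee9b 0000 0000 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
04:58:26.664206 IP (tos 0x0, ttl 1, id 23054, offset 0, flags [none], length:28) 10.100.177.2 > ALL-SYSTEMS.MCAST.NET: igmp query v2 [gaddr 239.255.255.250]
0x0000: 4500 001c 5a0e 0000 0102 c46a 0a64 b102 E...Z......j.d..
0x0010: e000 0001 1164 fea0 efff fffa 0000 0000 .....d..........
0x0020: 0000 0000 0000 0000 0000 0000 0000 ..............
"""

# The Ethereal frame from post #7 (whole Ethernet frame, 60 bytes with padding).
SAMPLE_ETHEREAL = """\
Frame 1 (60 bytes on wire, 60 bytes captured)
0000 01 00 5e 00 00 01 00 00 ca 26 c7 00 08 00 45 00 ..^......&....E.
0010 00 1c fc 00 00 00 01 02 22 78 0a 64 b1 02 e0 00 ........"x.d....
0020 00 01 11 64 fe a0 ef ff ff fa 00 00 00 00 00 00 ...d............
0030 00 00 00 00 00 00 00 00 00 00 00 00 ............
"""

HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{2}|[0-9a-fA-F]{4})$")   # "45" or "4500"
OFFSET = re.compile(r"^(?:0x)?[0-9a-fA-F]{4}:?$")                # "0x0010:" or "0010"
IGMP_TYPES = {0x11: "Membership Query", 0x12: "v1 Membership Report",
              0x16: "v2 Membership Report", 0x17: "Leave Group"}


def parse_hex_dumps(text):
    """Return one bytes object per frame. An offset-led line continues the
    current frame (at most 16 bytes; the ASCII column is not a hex token and
    stops the scan); any other non-empty line starts a new frame."""
    frames, current = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if OFFSET.match(tokens[0]):
            hexstr = ""
            for tok in tokens[1:]:
                if not HEX_TOKEN.match(tok) or len(hexstr) >= 32:
                    break
                hexstr += tok
            current += bytes.fromhex(hexstr)
        else:
            if current:
                frames.append(bytes(current))
            current = bytearray()
    if current:
        frames.append(bytes(current))
    return frames


def ones_complement_checksum(data):
    """RFC 1071 checksum, shared by the IPv4 header and the IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_igmp_frame(raw):
    # Ethereal dumps begin with a 14-byte Ethernet II header; tcpdump -x with an
    # IP filter begins at the IP header, whose first nibble is the version (4).
    if raw[0] >> 4 != 4:
        if len(raw) < 14 or raw[12:14] != b"\x08\x00":
            raise ValueError("neither an IPv4 packet nor an Ethernet/IPv4 frame")
        raw = raw[14:]
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", raw[2:6])
    ttl, proto = raw[8], raw[9]
    if proto != 2:
        raise ValueError("IP protocol %d is not IGMP (2)" % proto)
    ip_hdr = raw[:ihl]
    ip_ok = ones_complement_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) \
        == struct.unpack("!H", ip_hdr[10:12])[0]
    src, dst = ipaddress.IPv4Address(raw[12:16]), ipaddress.IPv4Address(raw[16:20])
    # Bytes past the IP total length are Ethernet padding (60-byte minimum
    # frame), so cut them off before checksumming the 8-byte IGMPv2 message.
    igmp = raw[ihl:total_len]
    igmp_type, max_resp = igmp[0], igmp[1]
    igmp_ok = ones_complement_checksum(igmp[:2] + b"\x00\x00" + igmp[4:]) \
        == struct.unpack("!H", igmp[2:4])[0]
    group = ipaddress.IPv4Address(igmp[4:8])
    query_kind = None
    if igmp_type == 0x11:
        query_kind = "general" if int(group) == 0 else "group-specific"
    reasons = []
    if src.is_private:
        reasons.append("source %s is in an RFC 1918 private range, not forwarded by Internet routers" % src)
    if ttl == 1:
        reasons.append("TTL is 1, so the first router would discard it")
    return {"src": str(src), "dst": str(dst), "ttl": ttl, "ip_id": ip_id,
            "ip_checksum_ok": ip_ok,
            "igmp_type": IGMP_TYPES.get(igmp_type, "unknown 0x%02x" % igmp_type),
            "max_response_s": max_resp / 10.0,   # IGMPv2 field is in tenths of a second
            "igmp_checksum_ok": igmp_ok, "group": str(group),
            "query_kind": query_kind, "local_origin_reasons": reasons}


if __name__ == "__main__":
    for frame in parse_hex_dumps(SAMPLE_TCPDUMP) + parse_hex_dumps(SAMPLE_ETHEREAL):
        print(decode_igmp_frame(frame))
```

Run as-is it reproduces the Ethereal dissection from post #7 (Membership Query, Max Response Time 10.0 s, group 239.255.255.250, both checksums correct) for all three frames, and for each one reports both locality reasons. The same parser accepts a pasted `tcpdump -x -v igmp` session or an Ethereal/Wireshark "packet bytes" pane, which is handy when the only evidence one has is the text of a capture.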
 
Old 04-16-2005, 04:22 PM   #9
zapotek
LQ Newbie
 
Registered: Jun 2004
Distribution: PCLinuxOS
Posts: 16

Original Poster
Rep: Reputation: 0
I don't have a network, but the computer is connected to the internet by cable... which means, I guess, that I'm in a big network. So, in this case the only thing that I can do is to contact my ISP and offer all the information about IGMP traffic, IP address, & MAC.
I hope this information will help them to find out who is behind this huge traffic. And if the system is misconfigured, to help the owner of that computer to resolve the problem.
Thank you very much for your help!
Have a great day!

Last edited by zapotek; 04-16-2005 at 04:23 PM.
 
Old 04-16-2005, 09:01 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Because you're on a shared service like cable, it's very likely someone on your local cable segment (probably one of your neighbors even). In that case, the best option is indeed to notify your ISP and send them all the relevant logs and info. If someone is sending that much traffic they'll probably want to know, especially since it will actually degrade overall network performance of those on your segment. It's also probably a good idea to blacklist that IP completely:
Code:
iptables -I INPUT -s 10.100.177.2 -j DROP
iptables -I INPUT -m mac --mac-source 00:00:ca:26:c7:00 -j DROP

Good luck!

Last edited by Capt_Caveman; 04-16-2005 at 09:05 PM.
 
  


All times are GMT -5.
