04.203068 MYHOST.ECHO > IRC.SOME.WHERE.65348

07:00:04.203068 myhost.echo > irc.some.where.65348: udp 600

IDIC - SANS GIAC LevelTwo

©2000, 2001

8

Remember when we learned to draw a link diagram in the traffic analysis section with the Out of Spec traffic? We could surmise that we were probably dealing with two-way traffic even though we couldn’t see both sides of it. The simplest explanation for the echo reply packets we see in front of us is that they were stimulated by echo requests; we just don’t see the requests for some reason. There are several possibilities for this:

• Asynchronous routing
• Back door connection
• Misconfigured switch

From Stephen Northcutt:

“Well, hopefully you are familiar enough with your site that you know how your routing is configured. My CIRT thought “back door” when they saw this. In other words, they thought someone was stimulating my host through an illicit connection to attack IRC. To do this, the attacker might need to use source routing, which isn’t commonly associated with dumb ol’ bash-the-IRC-server denial of service attacks. A backdoor connection could cause this pattern, but make that your second guess. I will admit though, the first time I saw this pattern, my blood pressure went through the ceiling. These days, I pick up the phone and dial the network operations folks at the site where the sensor is located. This pattern is often caused by poorly configured VLANs in a switched network environment causing the sensor to only see one side of the traffic.”
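As an added example (not part of the course material), here is a Python check a sensor owner can run over tcpdump text output before escalating: it pairs up both directions of every UDP flow and reports the flows seen in one direction only, which is exactly the pattern a one-way routing path or a mirror/VLAN misconfiguration produces at the sensor. The hostnames and capture lines are constructed to match the slide's format.

```python
import re
from collections import defaultdict

# Matches the tcpdump text format shown on the slide, e.g.
#   07:00:04.203068 myhost.echo > irc.some.where.65348: udp 600
# Endpoints are written host.port, so host and port split on the last dot.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+(\S+)\s+>\s+(\S+):\s+udp\s+\d+")

# Constructed sample capture (hypothetical hosts): three echo replies toward the
# IRC server with no requests in sight, plus one normal two-way echo exchange.
SAMPLE = """\
07:00:04.203068 myhost.echo > irc.some.where.65348: udp 600
07:00:04.210112 myhost.echo > irc.some.where.65348: udp 600
07:00:04.250001 myhost.echo > irc.some.where.65348: udp 600
07:00:05.000123 client.example.1025 > myhost.echo: udp 64
07:00:05.000456 myhost.echo > client.example.1025: udp 64
""".splitlines()

def parse_line(line):
    """Return ((src_host, src_port), (dst_host, dst_port)) or None for other formats."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = (m.group(1).rpartition("."), m.group(2).rpartition("."))
    return (src[0], src[2]), (dst[0], dst[2])

def one_sided_flows(lines):
    """Map 'src > dst' to packet count for flows the sensor saw in one direction only."""
    # Key each flow by the unordered endpoint pair; count both directions separately.
    counts = defaultdict(lambda: [0, 0])  # (a, b) -> [a->b packets, b->a packets]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # icmp/tcp lines use a different layout; not needed here
        a, b = parsed
        if a <= b:
            counts[(a, b)][0] += 1
        else:
            counts[(b, a)][1] += 1
    # A reply stream with no visible stimulus (the slide's case) lands here, whether the
    # cause is one-way routing, a back door, or a sensor that sees half of a VLAN.
    result = {}
    for (a, b), (fwd, rev) in counts.items():
        if fwd == 0 or rev == 0:
            src, dst = (a, b) if fwd else (b, a)
            result[f"{src[0]}.{src[1]} > {dst[0]}.{dst[1]}"] = fwd or rev
    return result
```

If the list of one-sided flows is dominated by replies from your own hosts, compare it against a capture taken on the far side of the switch before concluding anything about the traffic itself.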

SYN Flood

The real deal