Snork attack - Internet Security Systems

advICE : Intrusions : 2000203
Summary

Denial of Service overload attempt.

Details

A UDP frame with a destination port of 135 (Microsoft Location Service) and a source port of 7 (Echo), 19 (Chargen), or 135 has been seen. This is an attempt to connect two services which, if enabled, will engage in an indefinite exchange with each other. This causes many frames to be transmitted unnecessarily and dramatically reduces the performance of the network and the systems involved.

Defense

Patch the system in order to fix the problem with the Microsoft Location Service at port 135. Information can be obtained from Microsoft's site below.

Spoofing

This attack is always spoofed.

Trigger

udp.dst=135 && udp.src={7,19,135}
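
As an added example (not part of the original advisory or the vendor's product code), the trigger condition can be checked against raw IPv4 packets as follows. It reads the ports from the UDP header, as the Details and parametric information describe; the function names and the sample packets are constructed for illustration.

```python
import struct

SNORK_DST_PORT = 135             # Microsoft Location Service
SNORK_SRC_PORTS = {7, 19, 135}   # Echo, Chargen, or 135 itself

def udp_ports(ip_packet: bytes):
    """Return (srcport, dstport) of an IPv4/UDP packet, or None if not applicable."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None                              # too short or not IPv4
    ihl = (ip_packet[0] & 0x0F) * 4              # header length varies with IP options
    if ihl < 20 or ip_packet[9] != 17:           # protocol 17 = UDP
        return None
    frag_offset = struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(ip_packet) < ihl + 8:
        return None                              # later fragments carry no UDP header
    return struct.unpack("!HH", ip_packet[ihl:ihl + 4])

def is_snork(ip_packet: bytes) -> bool:
    """Apply the advisory's trigger: dstport 135 and srcport in {7, 19, 135}."""
    ports = udp_ports(ip_packet)
    if ports is None:
        return False
    srcport, dstport = ports
    return dstport == SNORK_DST_PORT and srcport in SNORK_SRC_PORTS

def build_sample(proto: int, srcport: int, dstport: int, options: bytes = b"") -> bytes:
    """Constructed test packet: IPv4 header (checksum left zero) plus 8 bytes of L4 header."""
    ihl_words = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + 8,
                     0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))  # documentation range
    return ip + options + struct.pack("!HHHH", srcport, dstport, 8, 0)

# Constructed samples, not captured traffic.
SAMPLES = {
    "echo->135": build_sample(17, 7, 135),
    "chargen->135": build_sample(17, 19, 135),
    "135->135 with IP options": build_sample(17, 135, 135, options=b"\x01\x01\x01\x00"),
    "dns->135": build_sample(17, 53, 135),
    "135->echo": build_sample(17, 135, 7),
    "tcp 7->135": build_sample(6, 7, 135),
}

def flagged(samples: dict) -> list:
    """Return the labels of the samples that match the trigger."""
    return [label for label, pkt in samples.items() if is_snork(pkt)]

if __name__ == "__main__":
    print(flagged(SAMPLES))
```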

More information

Microsoft Advisory
Bugtraq: Snork exploit
advICE: spoofing (This is an example of an attack that uses spoofing in order to be carried out.)
CVE-1999-0969: snork
MS Bulletin MS98-014: Update available for RPC Spoofing Denial of Service on Windows NT
q193233: Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack
X-Force 1372: snork-dos

Parametric information

dstport: The UDP destination port.
srcport: The UDP source port.

 
Version appeared:  
