  • #2297047

    DS Packets Flooding the Network


    by baadil ·

    Hi,

    On my network I have a few Win2K Pro machines flooding the network with packets going to the DC. I am attaching a couple of packets captured with a sniffer. Mainly, I see a packet of CIFS/SMB type which contains only a few bytes of actual data and the rest is all padding. Then after that, I see 10-11 packets which have even less data and more padding. These additional packets show that they are SMB continuations of the first frame. This continues on and keeps flooding the network.

    Could someone please help me find out what these packets are all about and how I can get rid of them?
    Thank you.

    Frame  Status  Source         Destination     Bytes  Rel   Delta Time  Abs time                Summary
    -----------------------------------------------------------------------------------------------------------------------------
    1      M       [192.168.5.2]  [192.168.20.3]  1514   0:00  0.000.000   11/03/2003 05:41:47 PM  CIFS/SMB: C Write AndX H=C017 Bytes=16580, Start
    DLC: ----- DLC Header -----
    DLC:
    DLC: Frame 1 arrived at 17:41:47.0858; frame size is 1514 (05EA hex) bytes.
    DLC: Destination = Station BellSy4515BE
    DLC: Source = Station 333802A2D98D
    DLC: Ethertype = 0800 (IP)
    DLC:
    IP: ----- IP Header -----
    IP:
    IP: Version = 4, header length = 20 bytes
    IP: Type of service = 00
    IP: 000. .... = routine
    IP: ...0 .... = normal delay
    IP: .... 0... = normal throughput
    IP: .... .0.. = normal reliability
    IP: .... ..0. = ECT bit - transport protocol will ignore the CE bit
    IP: .... ...0 = CE bit - no congestion
    IP: Total length = 1500 bytes
    IP: Identification = 30871
    IP: Flags = 4X
    IP: .1.. .... = don't fragment
    IP: ..0. .... = last fragment
    IP: Fragment offset = 0 bytes
    IP: Time to live = 128 seconds/hops
    IP: Protocol = 6 (TCP)
    IP: Header checksum = 272E (correct)
    IP: Source address = [192.168.5.2]
    IP: Destination address = [192.168.20.3]
    IP: No options
    IP:
    (More of Packet in comments)

All Comments

    • #2685342

      Reply To: DS Packets Flooding the Network

      by baadil ·

      In reply to DS Packets Flooding the Network

      TCP: ----- TCP header -----
      TCP:
      TCP: Source port = 3832
      TCP: Destination port = 445 (Microsoft-DS)
      TCP: Sequence number = 1895855554
      TCP: Next expected Seq number = 1895857014
      TCP: Acknowledgment number = 1073668041
      TCP: Data offset = 20 bytes
      TCP: Reserved Bits: Reserved for Future Use (Not shown in the Hex Dump)
      TCP: Flags = 10
      TCP: ..0. .... = (No urgent pointer)
      TCP: ...1 .... = Acknowledgment
      TCP: .... 0... = (No push)
      TCP: .... .0.. = (No reset)
      TCP: .... ..0. = (No SYN)
      TCP: .... ...0 = (No FIN)
      TCP: Window = 63373
      TCP: Checksum = 9CCB (correct)
      TCP: Urgent pointer = 0
      TCP: No TCP options
      TCP: [1460 Bytes of data]
      TCP:
      SMBTCP: ----- CIFS TCP Transport header -----
      SMBTCP:
      SMBTCP: Reserved (MBZ) = 0
      SMBTCP: SMB Packet Length = 16644
      SMBTCP:
      SMB: Vector  Offset  Length  Frame
      SMB: ----------------------------------
      SMB: 0       0x003A  1456    1
      SMB: 1       0x003A  1456    2
      SMB: ----------------------------------

      SMB: 2912 bytes of re-assembled data.
      SMB:
      SMB: ----- SMB (CIFS) Write AndX Command header -----
      SMB:
      SMB: SMB Constant
      SMB: Command = 2F (Write AndX)
      SMB: Reserved = 0
      SMB: Flags = 18
      SMB: 0... .... = Client Command
      SMB: ..0. .... = No Opportunistic file Locking
      SMB: ...1 .... = Pathnames are already in canonicalized format
      SMB: .... 1... = Pathnames should be treated as caseless
      SMB: .... ..0. = Send.No.Ack can not be used as a response
      SMB: .... ...0 = Doesn't support Lock&Read, Write&Unlock
      SMB: Flags2 = C807

    • #2685341

      Reply To: DS Packets Flooding the Network

      by baadil ·

      In reply to DS Packets Flooding the Network

      SMB: 1... .... .... .... = STRING type is UNICODE
      SMB: .1.. .... .... .... = 32-bit NT status code
      SMB: ..0. .... .... .... = No Paging IO
      SMB: ...0 .... .... .... = No DFS support
      SMB: .... 1... .... .... = Client aware of extended security
      SMB: .... .... .... .1.. = Use message authentication
      SMB: .... .... .... ..1. = Client supports extended attributes
      SMB: .... .... .... ...1 = Client supports Long file names
      SMB: Process ID (High) = 0000 (Complete PID = 0000FEFF)
      SMB: Security Signature = A87B7201124E6ED1
      SMB: Reserved (MBZ) = 0000
      SMB: Tree ID = 200C
      SMB: Process ID = FEFF
      SMB: Unauth User ID = D800
      SMB: Multiplex ID = 7CC1
      SMB:
      SMB: ----- Write AndX Header -----
      SMB:
      SMB: Word count = 14
      SMB: Parameter words = FF00DEDE17C0F4490300FFFFFFFF010000000000C44040000000
      SMB: Byte Count = 16581
      SMB: Byte parameters = EE00000000000000000000000000000000000000000000000000
      SMB: AndX command = FF (End of chain)
      SMB: AndX reserved (MBZ) = 00
      SMB: AndX offset = DEDE
      SMB: File handle = C017
      SMB: Starting at file offset = 215540
      SMB: Timeout = Indefinite wait
      SMB: Write mode = 0001
      SMB: .... .... .... 0... = Not start of message (pipes only)
      SMB: .... .... .... .0.. = Don't use WriteRawNamedPipe (pipes only)
      SMB: .... .... .... ..0. = Don't return smb_remaining (pipes/devices only)
      SMB: .... .... .... ...1 = Complete write before return
      SMB: Count left = 0
      SMB: Reserved (MBZ) = 0000
      SMB: Bytes in this buffer = 16580
      SMB: Relative offset of data = 64
      SMB: Starting offset (MSL) = 0
      SMB: 64-bit start offset = 215540
      SMB: Byte Count = 16581
      SMB: Data = 000000000000000000000000000000000000000000000000000000000000
      SMB:
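
The dump above decodes one SMB1 Write AndX request to TCP/445 whose 16580-byte payload is entirely zero padding, carried over the direct-TCP transport (16644-byte SMB packet length) in 1460-byte TCP segments, so one request alone accounts for the first frame plus the continuation frames the post describes. As an added example, not code from the original thread, the Python below rebuilds such a request from the dump's own field values (FID C017, offset 215540, Flags2 C807, TID 200C, UID D800, MID 7CC1, the EE pad byte and data offset 64), parses those fields back out of raw bytes the way a responder would when triaging a capture, measures the zero-padding fraction of each write, and tallies which source hosts send nothing but padded writes. The sample traffic, the second host 192.168.5.9, the FID 0x4001 and the thresholds are constructed assumptions.

```python
"""Triage helper for SMB1 Write AndX floods on TCP/445 (direct-TCP transport).

Added example, not code from the original thread. It rebuilds a Write AndX
request from the field values decoded in the sniffer dump (FID C017, file
offset 215540, 16580 data bytes, Flags2 C807, TID 200C, UID D800, MID 7CC1),
parses such requests back out of raw bytes, and measures how much of each
write is zero padding. All traffic below is constructed for the example.
"""
import struct
from collections import defaultdict

SMB_MAGIC = b"\xffSMB"
SMB_COM_WRITE_ANDX = 0x2F
WRITE_ANDX_PARAMS = "<BBHHIIHHHHHI"   # 14 parameter words = 28 bytes


def build_write_andx(fid, offset, data, tid=0x200C, uid=0xD800, mid=0x7CC1,
                     pid=0xFEFF, flags=0x18, flags2=0xC807,
                     signature=bytes.fromhex("A87B7201124E6ED1")):
    """Build one SMB1 Write AndX request with a 4-byte direct-TCP length prefix.
    Defaults are the values shown in the dump; layout is the 32-byte SMB1 header,
    WordCount, 28 parameter bytes, ByteCount, one pad byte, then the data."""
    header = SMB_MAGIC + struct.pack("<BIBH", SMB_COM_WRITE_ANDX, 0, flags, flags2)
    header += struct.pack("<H", 0) + signature              # PIDHigh, SecurityFeatures
    header += struct.pack("<HHHHH", 0, tid, pid, uid, mid)  # Reserved, TID, PID, UID, MID
    data_offset = 32 + 1 + 28 + 2 + 1                       # = 64, as in the dump
    params = struct.pack(WRITE_ANDX_PARAMS,
                         0xFF, 0, 0xDEDE,                        # AndXCommand (end of chain), reserved, AndXOffset
                         fid, offset & 0xFFFFFFFF, 0xFFFFFFFF,   # FID, Offset, Timeout (indefinite)
                         0x0001, 0, 0,                           # WriteMode (write-through), Remaining, Reserved
                         len(data), data_offset, offset >> 32)   # DataLength, DataOffset, OffsetHigh
    body = bytes([14]) + params + struct.pack("<H", len(data) + 1) + b"\xEE" + data
    smb = header + body
    return struct.pack(">I", len(smb)) + smb   # direct-TCP header: zero byte + 24-bit length


def parse_write_andx(message):
    """Decode a direct-TCP SMB1 Write AndX request; return a dict, or None if the
    bytes are not one (wrong magic, other command, or inconsistent lengths)."""
    if len(message) < 4 + 32 + 1:
        return None
    (smb_len,) = struct.unpack(">I", message[:4])
    smb = message[4:4 + smb_len]
    if len(smb) != smb_len or smb[:4] != SMB_MAGIC:
        return None
    command, _status, _flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    if command != SMB_COM_WRITE_ANDX or smb[32] != 14:
        return None
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    (_andx, _r1, _aoff, fid, off_low, _timeout, write_mode, _rem, _r2,
     data_len, data_off, off_high) = struct.unpack_from(WRITE_ANDX_PARAMS, smb, 33)
    if data_off < 63 or data_off + data_len > len(smb):
        return None   # DataOffset/DataLength disagree with the message: truncated or malformed
    data = smb[data_off:data_off + data_len]
    return {
        "tid": tid, "pid": pid, "uid": uid, "mid": mid, "flags2": flags2,
        "signed": bool(flags2 & 0x0004),     # the "Use message authentication" bit in the dump
        "fid": fid, "offset": (off_high << 32) | off_low, "write_mode": write_mode,
        "data_len": data_len,
        "zero_fraction": data.count(0) / data_len if data_len else 0.0,
    }


def tcp_segments(message, mss=1460):
    """Segments needed to carry the message at the 1460-byte MSS seen in the dump:
    the first frame plus the 'SMB continuation' frames the post describes."""
    return -(-len(message) // mss)


def padded_write_sources(flows, min_writes=3, zero_threshold=0.95):
    """Return source hosts whose Write AndX requests (at least min_writes of them)
    are all mostly zero padding, a cheap first-pass signal for this kind of flood."""
    stats = defaultdict(lambda: [0, 0])      # src -> [writes seen, padded writes]
    for src, msg in flows:
        w = parse_write_andx(msg)
        if w is None:
            continue
        stats[src][0] += 1
        stats[src][1] += w["zero_fraction"] >= zero_threshold
    return sorted(src for src, (seen, padded) in stats.items()
                  if seen >= min_writes and padded == seen)


# Constructed sample: 192.168.5.2 repeats the dump's all-zero 16580-byte write at
# successive offsets; 192.168.5.9 (hypothetical host) makes one ordinary write.
SAMPLE_FLOWS = [("192.168.5.2", build_write_andx(0xC017, 215540 + i * 16580, bytes(16580)))
                for i in range(12)]
SAMPLE_FLOWS.append(("192.168.5.9", build_write_andx(0x4001, 0, b"quarterly report\n" * 100)))

if __name__ == "__main__":
    for src, msg in (SAMPLE_FLOWS[0], SAMPLE_FLOWS[-1]):
        w = parse_write_andx(msg)
        print(f"{src}: fid={w['fid']:04X} offset={w['offset']} len={w['data_len']} "
              f"zero={w['zero_fraction']:.2f} tcp_segments={tcp_segments(msg)}")
    print("sources sending only padded writes:", padded_write_sources(SAMPLE_FLOWS))
```

Feeding real captures into padded_write_sources means reassembling each TCP stream first (the 4-byte length prefix tells you where one SMB message ends and the next begins); the zero-padding ratio and the per-host tally are what separate the flooding workstations from a host that merely writes large files to the DC.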

    • #2685298

      Reply To: DS Packets Flooding the Network

      by joseph moore ·

      In reply to DS Packets Flooding the Network

      I am going with a viral infection on your workstations, but probably not Blaster or Welchia. Blaster used source ports 666 or 4177, not what you have listed as a source port. But yes, there are port 445 viruses/trojans. Randex was one. An IRC/Flood was another. Another was the Deloader worm. Go here for port 445 info from SANS:
      http://isc.sans.org/port_details.html?port=445

      So, I would do fully updated antivirus scans of the workstations and the server, make sure everything is also current on patches, check for spyware.

      Good luck.

    • #2685157

      Reply To: DS Packets Flooding the Network

      by kinetechs ·

      In reply to DS Packets Flooding the Network

      Hi,
      Joe is right on the money!

      Network Associates (www.nai.com) has a free product called Stinger. It’s a great tool, fits on a floppy, and will scan the machine for various infections then remove them. Do a search on their site and download it. Booting in Safe Mode and running Stinger will bypass most of the infections.

      Make sure you do a bit of research on each bug it finds. That way, you can plug the hole behind you. Sometimes you need to patch the machine and sometimes it’s something as simple as a weak admin password…at the domain level or locally.

      Good luck,
      Sean

    • #2682097

      Reply To: DS Packets Flooding the Network

      by baadil ·

      In reply to DS Packets Flooding the Network

      This question was closed by the author
