
What is the SXE attack

Jerryleo asked:
I am sorry for my poor English.

Today, I got an attack alarm saying that I am under SXE attack from one machine in my LAN. When I traced it back, I found this machine is a gateway. This machine has Windows 2000 installed. No services are installed on this machine except the Routing and Remote Access service. It's a router in my LAN.

What is the SXE attack? And how do I trace back and find who the real attacker is?

Thanks!

Commented:
What alerted you to the SXE attack? I have never heard of it.

Commented:
All that I can find on this virus is that it is a Denial of Service attack using IGMP. This vulnerability should not be present in Windows 2000.

Commented:
i've never heard of it either, but i'm guessing it's a forged attack. the simple fix is to deny spoofing at all external routers, which is a good idea anyway.

Author

Commented:
Now there are more machines under attack, and the attack comes from several different machines. It looks like a DDoS attack. I can only trace back to the gateway. The attack comes from the internal LAN, not external. How can I trace back the real attacker? And how can I set my Win2000 machine to trace or log the attack?

Author

Commented:
By the way, how do I deny spoofing at the router? My router is a machine running Windows 2000 Advanced Server.

Commented:
> how to deny spoofing at router?

with a firewall...since you're running 2k on the router, look for topics on 'isa' on microsoft's site.

> The attack comes from internal LAN not external.

maybe...maybe not...
if you deny spoofing, and the attack continues, then the attack really is coming from the internal network (look for bots, trojans, etc.)...a decent utility to use to determine this is fport from foundstone.

> And How can I set my win2000 machine to trace or log the attack?

at this point, logging is a null issue, the data you would receive would not be reliable. but it would be instrumental in analyzing an attack in the future.

tracing the attack would depend on what type of attack this actually is.

If you have NT, you also have the ability to see some packets with its Network Monitor program.

Commented:
What IDS do you use ?
What code does it give this attack ?
What does the manual say it is ?
Are you sure it's not a false positive ?

Author

Commented:
>What IDS do you use ?
The KV3000, an anti-virus program with some integrated firewall functions, reports it. It only reports "under SXE attack, reference IP is xxx.xxx.xxx.xxx". The reported IP addresses change by turn. But all the IP addresses are the gateway machine's IPs.

>What code does it give this attack ?
What I know about the SXE attack is that sXe sends IGMP packets, denying service to Windows machines. I do not know more about it.

Whether it is a false positive or not, I do not know. But this has lasted about a week. This alarm message first began a week ago and has been reported continually. The alarm never appeared before.

I still have not found the real attack. And I do not know how to trace the attacker.
I use Windows 2000 Advanced Server as my gateway. What I want to know is how to configure the server to trace the attacker.

Commented:
> The KV3000
that's not an ids, but it's good to have.

> What I want to know is how to config the server to trace the attacker?

here's the problem, the server will only see what is coming in (it will not be able to decipher any thing outside of what you could do from a network dump).

to _trace_ this back you would need the help of many upstream providers while the attack is occurring. most providers are getting better about this, but you will still find opposition, as there appears to be a simple fix on your end.
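As an added illustration (not part of the thread, and not the KV3000's or Network Monitor's own code), the script below shows the defender-side triage the replies describe: parse the "reference IP is x.x.x.x" alert lines and check whether every reported address is really one of the gateway's own addresses, then rank IGMP sources per interface in a packet capture taken on the gateway to find the internal host behind the alerts, and flag packets whose source IP does not belong to the subnet of the interface they arrived on (the anti-spoofing check). The alert lines, packet records, interface names and subnets are all constructed sample data.

```python
"""Defender-side triage for IGMP flood alerts that point at the gateway.

Added example; the alert lines, packet records, interface names and
subnets are constructed, not taken from the thread or any real capture.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

IGMP = 2  # IP protocol number for IGMP

# Constructed alert lines in the shape the poster quoted.
SAMPLE_ALERTS = [
    "2004-03-01 09:12:01 under SXE attack, reference IP is 192.168.1.1",
    "2004-03-01 09:12:04 under SXE attack, reference IP is 192.168.2.1",
    "2004-03-01 09:12:09 under SXE attack, reference IP is 192.168.1.1",
]

# Assumed gateway interface addresses and the subnet behind each interface.
GATEWAY_ADDRS = {"192.168.1.1", "192.168.2.1"}
IFACE_NETWORKS = {"lan0": "192.168.1.0/24", "lan1": "192.168.2.0/24"}

# Constructed capture records as a monitor export might give them:
# (interface, src_mac, src_ip, dst_ip, ip_proto)
SAMPLE_PACKETS = (
    [("lan0", "00:11:22:33:44:55", "192.168.1.20", "224.0.0.1", IGMP)] * 40
    + [("lan0", "00:11:22:33:44:66", "192.168.1.21", "192.168.1.1", 6)] * 5
    + [("lan1", "00:aa:bb:cc:dd:ee", "192.168.2.7", "224.0.0.1", IGMP)] * 3
    + [("lan1", "00:aa:bb:cc:dd:ff", "10.9.9.9", "192.168.1.30", IGMP)] * 12
)

_REF_IP = re.compile(r"reference IP is (\d{1,3}(?:\.\d{1,3}){3})")


def parse_alert_ips(lines):
    """Extract the reported IP from each alert line, in order."""
    return [m.group(1) for line in lines if (m := _REF_IP.search(line))]


def classify_reported(ips, gateway_addrs):
    """Split reported IPs into the gateway's own addresses and anything else.

    If 'other' is empty, the alerting host only ever sees the router, so the
    origin has to be located from a capture on the gateway itself.
    """
    return {
        "gateway": [ip for ip in ips if ip in gateway_addrs],
        "other": [ip for ip in ips if ip not in gateway_addrs],
    }


def igmp_top_talkers(packets, threshold):
    """Rank (interface, src_mac, src_ip) by IGMP packet count, descending.

    Only sources at or above `threshold` packets are returned; the source
    MAC is kept because it survives even when the IP is forged.
    """
    counts = Counter(
        (iface, mac, sip)
        for iface, mac, sip, _dip, proto in packets
        if proto == IGMP
    )
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(iface, mac, sip, n) for (iface, mac, sip), n in ranked if n >= threshold]


def spoofed_sources(packets, iface_networks):
    """Count packets whose source IP is outside the subnet of the ingress interface.

    This is the same rule an anti-spoofing filter would enforce; here it is
    used for detection so the offending MAC can be traced on the LAN.
    """
    nets = {iface: ip_network(cidr) for iface, cidr in iface_networks.items()}
    flagged = Counter()
    for iface, mac, sip, _dip, _proto in packets:
        net = nets.get(iface)
        if net is not None and ip_address(sip) not in net:
            flagged[(iface, mac, sip)] += 1
    return dict(flagged)


if __name__ == "__main__":
    ips = parse_alert_ips(SAMPLE_ALERTS)
    print("reported:", classify_reported(ips, GATEWAY_ADDRS))
    print("IGMP top talkers:", igmp_top_talkers(SAMPLE_PACKETS, 10))
    print("spoofed:", spoofed_sources(SAMPLE_PACKETS, IFACE_NETWORKS))
```

Run it as-is to see the three results; to use it on a real capture, replace `SAMPLE_PACKETS` with records exported from the monitor and `IFACE_NETWORKS` with the gateway's actual interface subnets. The source MAC in the top-talker output is what identifies the LAN host when the IP is forged.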

Author

Commented:
Thanks and sorry for leaving it hanging a long time.