[Dshield] RE: RESOLUTION: Am I being used for DOS or something worse
Donald.Smith at qwest.com
Thu Jul 11 16:37:26 GMT 2002
I am interested in the packets.
This type of ddos is called a distributed reflector ddos.
Is a good link for Vern Paxson's paper on reflector ddos attacks.
Donald.Smith at qwest.com GCIA
> -----Original Message-----
> From: Tim Rushing [mailto:dshield at threenorth.com]
> Sent: Thursday, July 11, 2002 10:24 AM
> To: intrusions at incidents.org; list at dshield.org
> Subject: RESOLUTION: Am I being used for DOS or something worse
> I'd like to start by thanking everyone for the many on and off list suggestions and offers to help.
>
> I thought I would report back with the results of my investigation. Quick re-cap, I wrote in panicked because my dedicated server had initiated a restart as I was investigating a rather odd series of SYN packets that did not respond to my SYN/ACK from dios.net. In the course of investigation, I had used ipchains to close off this machine from almost all IP traffic.
>
> The reset does appear to have been initiated by my hosting company when my closing down of the machine caused it to appear as if it were down to their monitoring system. Dios.net and associated networks in 220.127.116.11 and 18.104.22.168 were under a large DDOS at the time.
>
> Whoever the attackers were, it appears that they were using me to multiply and obfuscate their attack. They were spoofing SYN packets from the machines under attack, which resulted in my machine sending back 8 SYN/ACK's for every SYN packet received. They appeared to be different machines within the network, but some of the SYN packets appeared to be from the broadcast network address 22.214.171.124.
>
> It looks as though wherever these packets were coming from, they were sending each of my ip's a single SYN packet roughly every 40 - 60 seconds, so the load on me was negligible and probably light enough that I would have done little even if I had been alerted by any automated warning systems, which I was not.
>
> I've never bothered to install SNORT because I'm an all but target, this is not even close to a mission critical machine, I'm zealous about keeping up on patches and not running much on the system in question but what I need. However, it disturbs me that the only reason I caught this was that I happened to run a netstat at the appropriate time. Would SNORT or any other tools detect incomplete tcp handshakes without putting too much of a load on a very small underpowered system?
>
> I have some full packet captures, if anyone is interested.
> ---Tim Rushing
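As an added illustration, not code from either poster, the following Python tracks the incomplete handshakes Tim describes on a constructed packet trace and flags the remote address for which the SYN/ACK-to-SYN ratio is 8:1 with no completed handshake, which is the signature of a host being used as a SYN reflector. The host and client addresses are assumed documentation-range placeholders; a real deployment would feed it packets from a capture library rather than the inline list.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source port
    dport: int   # destination port
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


MY_HOST = "203.0.113.10"  # assumed placeholder for the reflecting server


def _constructed_trace():
    """Constructed sample trace: two spoofed SYNs 'from' the DDoS victim, each
    answered by 8 SYN/ACK retransmissions, plus one legitimate client."""
    t = []
    for sport in (40001, 40002):
        t.append(Pkt("198.51.100.5", MY_HOST, sport, 80, "S"))
        t += [Pkt(MY_HOST, "198.51.100.5", 80, sport, "SA")] * 8
    t.append(Pkt("192.0.2.7", MY_HOST, 51000, 80, "S"))
    t.append(Pkt(MY_HOST, "192.0.2.7", 80, 51000, "SA"))
    t.append(Pkt("192.0.2.7", MY_HOST, 51000, 80, "A"))
    return t


TRACE = _constructed_trace()


def handshake_stats(trace, local_ip):
    """Per remote host: inbound SYNs, outbound SYN/ACKs, completed handshakes."""
    syns, synacks, completed = defaultdict(int), defaultdict(int), defaultdict(int)
    pending = set()  # (remote_ip, remote_port, local_port) awaiting the final ACK
    for p in trace:
        key = (p.src, p.sport, p.dport)
        if p.dst == local_ip and p.flags == "S":
            syns[p.src] += 1
            pending.add(key)
        elif p.src == local_ip and p.flags == "SA":
            synacks[p.dst] += 1
        elif p.dst == local_ip and p.flags == "A" and key in pending:
            completed[p.src] += 1
            pending.discard(key)
    return syns, synacks, completed


def reflection_suspects(trace, local_ip, min_ratio=4):
    """Remote hosts with no completed handshake and >= min_ratio SYN/ACKs per SYN:
    likely spoofed victims for whom we are acting as a reflector."""
    syns, synacks, completed = handshake_stats(trace, local_ip)
    return {h: synacks[h] / n for h, n in syns.items()
            if completed[h] == 0 and synacks[h] / n >= min_ratio}
```

The ratio, rather than the raw packet count, is what exposes the attack at the slow rate Tim saw (one SYN per address every 40 to 60 seconds).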