[Dshield] RE: RESOLUTION: Am I being used for DOS or something worse

Smith, Donald Donald.Smith at qwest.com
Thu Jul 11 16:37:26 GMT 2002


I am interested in the packets.
This type of ddos is called a distributed reflector ddos.

http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html
is a good link for Vern Paxson's paper on reflector ddos attacks.

Donald.Smith at qwest.com GCIA
QIS/WWN Security
303-226-9939 Office
720-320-1537 cell

> -----Original Message-----
> From: Tim Rushing [mailto:dshield at threenorth.com]
> Sent: Thursday, July 11, 2002 10:24 AM
> To: intrusions at incidents.org; list at dshield.org
> Subject: RESOLUTION: Am I being used for DOS or something worse
> 
> 
> I'd like to start by thanking everyone for the many on and off list 
> suggestions and offers to help.
> 
> I thought I would report back with the results of my investigation.
> Quick re-cap: I wrote in, panicked, because my dedicated server had
> initiated a restart as I was investigating a rather odd series of SYN
> packets from dios.net that did not respond to my SYN/ACK. In the course
> of investigation, I had used ipchains to close off this machine from
> almost all IP traffic.
> 
> The reset does appear to have been initiated by my hosting company when
> my closing down of the machine caused it to appear as if it were down to
> their monitoring system. Dios.net and associated networks in
> 65.222.225.0 and 65.222.227.0 were under a large DDOS at the time.
> 
> Whoever the attackers were, it appears that they were using me to
> multiply and obfuscate their attack. They were spoofing SYN packets from
> the machines under attack, which resulted in my machine sending back 8
> SYN/ACKs for every SYN packet received. They appeared to be attacking
> different machines within the network, but some of the SYN packets
> appeared to be from the broadcast network address 65.222.227.255.
> 
> It looks as though wherever these packets were coming from, they were
> sending each of my IPs a single SYN packet roughly every 40 - 60
> seconds, so the load on me was negligible and probably light enough that
> I would have done little even if I had been alerted by any automated
> warning systems, which I was not.
> 
> I've never bothered to install SNORT because I'm an all but non-existent
> target; this is not even close to a mission critical machine, and I'm
> zealous about keeping up on patches and not running much on the system
> in question but what I need. However, it disturbs me that the only
> reason I caught this was that I happened to run a netstat at the
> appropriate time. Would SNORT or any other tools detect incomplete TCP
> handshakes without putting too much of a load on a very small
> underpowered system?
> 
> I have some full packet captures, if anyone is interested.
> 
>          ---Tim Rushing
> 
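A lightweight half-open-connection check in the spirit of Tim's question, added here as an illustration and not code from either message or from the DShield project; it assumes the Linux `netstat -ant` column layout and runs over constructed sample lines that reuse the two /24s named in the incident as the spoofed sources.

```python
"""Flag SYN_RECV entries that suggest this host is answering spoofed SYNs
as a SYN/ACK reflector.  Added example; the netstat output is constructed."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample of `netstat -ant` output (Linux column layout assumed).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           65.222.225.14:1025      SYN_RECV
tcp        0      0 192.0.2.11:80           65.222.225.14:1026      SYN_RECV
tcp        0      0 192.0.2.12:80           65.222.225.30:1029      SYN_RECV
tcp        0      0 192.0.2.10:80           65.222.227.255:1027     SYN_RECV
tcp        0      0 192.0.2.12:80           65.222.227.9:1028       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:40000       ESTABLISHED
"""

def half_open_peers(netstat_text):
    """Return {foreign_ip: count} for TCP sockets stuck in SYN_RECV, i.e.
    handshakes where our SYN/ACK never got its final ACK."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        foreign_ip = fields[4].rsplit(":", 1)[0]   # strip the port
        counts[foreign_ip] += 1
    return counts

def reflector_indicators(counts, min_half_open=3):
    """Summarise evidence of spoofing: half-open peers clustered in one /24
    (the victim network), and any peer whose address is that /24's broadcast
    address, which a genuine client never uses as a source."""
    by_net = defaultdict(int)
    broadcast_sources = []
    for ip, n in counts.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[str(net)] += n
        if ipaddress.ip_address(ip) == net.broadcast_address:
            broadcast_sources.append(ip)
    suspicious = sorted(net for net, n in by_net.items() if n >= min_half_open)
    return {"total_half_open": sum(counts.values()),
            "suspicious_nets": suspicious,
            "broadcast_sources": sorted(broadcast_sources)}

if __name__ == "__main__":
    print(reflector_indicators(half_open_peers(SAMPLE_NETSTAT)))
```

Run from cron against live `netstat -ant` output, this costs far less than a full IDS and would have surfaced the slow trickle of half-open connections described above.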