[Dshield] RE: RESOLUTION: Am I being used for DOS or something worse

Tim Rushing dshield at threenorth.com
Thu Jul 11 17:06:43 GMT 2002


I'd be curious to hear your analysis.

Thanks for the link, going through it now.

Two tcpdump files in the archive.  The first and smaller just contains 
supposed packets from 65.222.225.3 (because that was the only connection I 
was getting when I first noticed it), but the second contains packets from 
all 65.0.0.0 addresses.  The dedicated box this was located on had four ip 
addresses assigned to it as you can see from the tcpdump data.

Let me know if you want anything else.

        ---Tim

At 10:37 AM 7/11/02 -0600, Smith, Donald wrote:
>I am interested in the packets.
>This type of ddos is called a distributed reflector ddos.
>
>http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html
>Is a good link for Vern Paxson's paper on reflector ddos attacks.
>
>Donald.Smith at qwest.com GCIA
>QIS/WWN Security
>303-226-9939 Office
>720-320-1537 cell
>
> > -----Original Message-----
> > From: Tim Rushing [mailto:dshield at threenorth.com]
> > Sent: Thursday, July 11, 2002 10:24 AM
> > To: intrusions at incidents.org; list at dshield.org
> > Subject: RESOLUTION: Am I being used for DOS or something worse
> >
> >
> > I'd like to start by thanking everyone for the many on and off list
> > suggestions and offers to help.
> >
> > I thought I would report back with the results of my investigation.
> > Quick re-cap, I wrote in panicked because my dedicated server had
> > initiated a restart as I was investigating a rather odd series of SYN
> > packets that did not respond to my SYN/ACK from dios.net.  In the course
> > of investigation, I had used ipchains to close off this machine from
> > almost all IP traffic.
> >
> > The reset does appear to have been initiated by my hosting company when
> > my closing down of the machine caused it to appear as if it were down to
> > their monitoring system.  Dios.net and associated networks in
> > 65.222.225.0 and 65.222.227.0 were under a large DDOS at the time.
> >
> > Whoever the attackers were, it appears that they were using me to
> > multiply and obfuscate their attack.  They were spoofing SYN packets from
> > the machines under attack, which resulted in my machine sending back 8
> > SYN/ACKs for every SYN packet received.  They appeared to be attacking
> > different machines within the network, but some of the SYN packets
> > appeared to be from the broadcast network address 65.222.227.255.
> >
> > It looks as though wherever these packets were coming from, they were
> > sending each of my IPs a single SYN packet roughly every 40 - 60
> > seconds, so the load on me was negligible and probably light enough that
> > I would have done little even if I had been alerted by any automated
> > warning systems, which I was not.
> >
> > I've never bothered to install SNORT because I'm an all but non-existent
> > target, this is not even close to a mission critical machine, I'm
> > zealous about keeping up on patches and not running much on the system
> > in question but what I need.  However, it disturbs me that the only
> > reason I caught this was that I happened to run a netstat at the
> > appropriate time.  Would SNORT or any other tools detect incomplete TCP
> > handshakes without putting too much of a load on a very small
> > underpowered system?
> >
> > I have some full packet captures, if anyone is interested.
> >
> >          ---Tim Rushing
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dios.ddos.tcpdump.tar.gz
Type: application/octet-stream
Size: 38606 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/list/attachments/20020711/ddc0668e/dios.ddos.tcpdump.tar.obj
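The question in the quoted message about spotting incomplete TCP handshakes, as an added example that is not part of this thread or its captures: a small Python script that walks tcpdump-style lines, counts the SYN/ACKs a server sent on each client connection that never produced the client's ACK, and groups those half-open flows by the claimed client /24, which is what makes a reflector pattern visible (retransmitted SYN/ACKs piling up toward one network that never completes a handshake). The line layout, the server address 192.0.2.10 and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Simplified tcpdump-style layout assumed for this example (hypothetical, not the
# thread's capture format): "<time> IP <src>.<port> > <dst>.<port>: Flags [<flags>]"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: 192.0.2.10 (placeholder for our server) answering spoofed
# SYNs that claim to come from the 65.222.227.0/24 victim network (including its
# broadcast address), plus one legitimate client that completes its handshake.
SAMPLE = """\
12:00:00.000 IP 65.222.227.17.40000 > 192.0.2.10.80: Flags [S]
12:00:00.001 IP 192.0.2.10.80 > 65.222.227.17.40000: Flags [S.]
12:00:03.001 IP 192.0.2.10.80 > 65.222.227.17.40000: Flags [S.]
12:00:09.001 IP 192.0.2.10.80 > 65.222.227.17.40000: Flags [S.]
12:00:00.500 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S]
12:00:00.501 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.]
12:00:00.520 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.]
12:00:45.000 IP 65.222.227.255.40001 > 192.0.2.10.22: Flags [S]
12:00:45.001 IP 192.0.2.10.22 > 65.222.227.255.40001: Flags [S.]
12:00:48.001 IP 192.0.2.10.22 > 65.222.227.255.40001: Flags [S.]
12:00:54.001 IP 192.0.2.10.22 > 65.222.227.255.40001: Flags [S.]
"""

def half_open_flows(lines, min_synacks=3):
    """Flows (client, cport, server, sport) where we sent >= min_synacks
    SYN/ACKs (initial plus retransmits) and never saw the client's ACK."""
    synacks, completed = defaultdict(int), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S.":                # SYN/ACK we sent; key from client's view
            synacks[(dst, int(dport), src, int(sport))] += 1
        elif flags in (".", "P."):       # handshake ACK (or data) from the client
            completed.add((src, int(sport), dst, int(dport)))
    return {k: n for k, n in synacks.items()
            if n >= min_synacks and k not in completed}

def reflector_targets(flows):
    """Sum half-open SYN/ACKs per claimed client /24 so a spoofed victim
    network (the real DDoS target) stands out from ordinary stragglers."""
    by_net = defaultdict(int)
    for (client, _, _, _), n in flows.items():
        by_net[".".join(client.split(".")[:3]) + ".0/24"] += n
    return dict(by_net)
```

Run `half_open_flows(SAMPLE.splitlines())` and pass the result to `reflector_targets`; the legitimate 198.51.100.7 connection drops out because its ACK arrived, while both spoofed flows remain and roll up to 65.222.227.0/24.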