[Dshield] RE: RESOLUTION: Am I being used for DOS or something worse

vincent malguy malguy_v at epita.fr
Mon Jul 15 10:00:31 GMT 2002


Another link, from Gibson Research Corporation:
http://grc.com/dos/drdos.htm

On Thu, 11 Jul 2002, Smith, Donald  wrote:

> I am interested in the packets.
> This type of ddos is called a distributed reflector ddos.
>
> http://www.icir.org/vern/papers/reflectors.CCR.01/reflectors.html
> is a good link for Vern Paxson's paper on reflector DDoS attacks.
>
> Donald.Smith at qwest.com GCIA
> QIS/WWN Security
> 303-226-9939 Office
> 720-320-1537 cell
>
> > -----Original Message-----
> > From: Tim Rushing [mailto:dshield at threenorth.com]
> > Sent: Thursday, July 11, 2002 10:24 AM
> > To: intrusions at incidents.org; list at dshield.org
> > Subject: RESOLUTION: Am I being used for DOS or something worse
> >
> >
> > I'd like to start by thanking everyone for the many on and off list
> > suggestions and offers to help.
> >
> > I thought I would report back with the results of my investigation. Quick
> > re-cap: I wrote in panicked because my dedicated server had initiated a
> > restart as I was investigating a rather odd series of SYN packets that did
> > not respond to my SYN/ACK from dios.net. In the course of investigation, I
> > had used ipchains to close off this machine from almost all IP traffic.
> >
> > The reset does appear to have been initiated by my hosting company when my
> > closing down of the machine caused it to appear as if it were down to their
> > monitoring system. Dios.net and associated networks in 65.222.225.0 and
> > 65.222.227.0 were under a large DDOS at the time.
> >
> > Whoever the attackers were, it appears that they were using me to multiply
> > and obfuscate their attack. They were spoofing SYN packets from the
> > machines under attack, which resulted in my machine sending back 8
> > SYN/ACK's for every SYN packet received. They appeared to be attacking
> > different machines within the network, but some of the SYN packets appeared
> > to be from the broadcast network address 65.222.227.255.
> >
> > It looks as though wherever these packets were coming from, they were
> > sending each of my IPs a single SYN packet roughly every 40 - 60 seconds,
> > so the load on me was negligible and probably light enough that I would
> > have done little even if I had been alerted by any automated warning
> > systems, which I was not.
> >
> > I've never bothered to install SNORT because I'm an all but non-existent
> > target. This is not even close to a mission critical machine, I'm zealous
> > about keeping up on patches, and I'm not running much on the system in
> > question but what I need. However, it disturbs me that the only reason I
> > caught this was that I happened to run a netstat at the appropriate time.
> > Would SNORT or any other tools detect incomplete TCP handshakes without
> > putting too much of a load on a very small underpowered system?
> >
> > I have some full packet captures, if anyone is interested.
> >
> >          ---Tim Rushing
> >
>

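A lightweight check of the kind Tim asks about, added here as an example (it is not code from the thread): it walks a simplified packet log and flags remote addresses that received repeated SYN/ACKs from our hosts without ever completing the handshake, which is what a reflector victim sees from our side. The local hosts, timestamps and the log itself are constructed; the record format (time, src, dst, flags) is an assumption, not tcpdump's native output.

```python
"""Half-open handshake detector for a small host (added example, not from the thread).

Assumes each packet has been reduced to (timestamp, src_ip, dst_ip, tcp_flags),
as one could derive from a tcpdump capture. All records below are constructed.
"""
from collections import defaultdict

LOCAL_HOSTS = {"192.0.2.10", "192.0.2.11"}   # our own addresses (constructed)

# Constructed capture: one spoofed SYN "from" a victim address, our 8 SYN/ACK
# retransmissions with exponential backoff and no final ACK (the pattern Tim
# describes), one legitimate handshake, and one SYN from a broadcast address.
PACKETS = (
    [(0.0, "65.222.225.20", "192.0.2.10", "S")]
    + [(3.0 * 2 ** i, "192.0.2.10", "65.222.225.20", "SA") for i in range(8)]
    + [
        (1.0, "198.51.100.5", "192.0.2.11", "S"),
        (1.0, "192.0.2.11", "198.51.100.5", "SA"),
        (1.1, "198.51.100.5", "192.0.2.11", "A"),
        (2.0, "65.222.227.255", "192.0.2.11", "S"),
        (2.0, "192.0.2.11", "65.222.227.255", "SA"),
    ]
)


def find_half_open(packets, local_hosts, synack_threshold=3):
    """Return {remote: synacks_sent} for remotes that got >= synack_threshold
    SYN/ACKs from us and never answered with an ACK (handshake never completed)."""
    synacks = defaultdict(int)
    completed = set()
    for _, src, dst, flags in packets:
        if src in local_hosts and flags == "SA":
            synacks[dst] += 1
        elif dst in local_hosts and flags == "A":
            completed.add(src)
    return {r: n for r, n in synacks.items()
            if n >= synack_threshold and r not in completed}


def broadcast_syn_sources(packets, local_hosts):
    """Heuristic: a SYN whose source ends in .255 looks like a /24 broadcast
    address and is a strong hint that the source is spoofed."""
    return sorted({src for _, src, dst, flags in packets
                   if dst in local_hosts and flags == "S" and src.endswith(".255")})
```

Running this over a real capture would require a parser for the capture format in front of it; the thresholds are deliberately low so that a single spoofed SYN and its retransmitted SYN/ACKs are enough to raise a flag on a lightly loaded machine.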