[Dshield] RE: RESOLUTION: Am I being used for DOS or something worse
malguy_v at epita.fr
Mon Jul 15 10:00:31 GMT 2002
Another link from Gibson Research Corporation:
On Thu, 11 Jul 2002, Smith, Donald wrote:
> I am interested in the packets.
> This type of DDoS is called a distributed reflector DDoS.
> Is a good link for Vern Paxson's paper on reflector DDoS attacks.
> Donald.Smith at qwest.com GCIA
> QIS/WWN Security
> 303-226-9939 Office
> 720-320-1537 cell
> > -----Original Message-----
> > From: Tim Rushing [mailto:dshield at threenorth.com]
> > Sent: Thursday, July 11, 2002 10:24 AM
> > To: intrusions at incidents.org; list at dshield.org
> > Subject: RESOLUTION: Am I being used for DOS or something worse
> > I'd like to start by thanking everyone for the many on- and off-list suggestions and offers to help.
> > I thought I would report back with the results of my investigation. Quick re-cap: I wrote in, panicked, because my dedicated server had initiated a restart as I was investigating a rather odd series of SYN packets that did not respond to my SYN/ACK from dios.net. In the course of investigation, I had used ipchains to close off this machine from almost all IP traffic.
> > The reset does appear to have been initiated by my hosting company when my closing down of the machine caused it to appear as if it were down to their monitoring system. Dios.net and associated networks in 126.96.36.199 and 188.8.131.52 were under a large DDoS at the time.
> > Whoever the attackers were, it appears that they were using me to multiply and obfuscate their attack. They were spoofing SYN packets from the machines under attack, which resulted in my machine sending back 8 SYN/ACKs for every SYN packet received. They appeared to be attacking different machines within the network, but some of the SYN packets appeared to be from the broadcast network address 184.108.40.206.
> > It looks as though wherever these packets were coming from, they were sending each of my IPs a single SYN packet roughly every 40-60 seconds, so the load on me was negligible and probably light enough that I would have done little even if I had been alerted by any automated warning systems, which I was not.
> > I've never bothered to install SNORT because I'm an all but non-existent target: this is not even close to a mission-critical machine, I'm zealous about keeping up on patches, and I'm not running much on the system in question but what I need. However, it disturbs me that the only reason I caught this was that I happened to run a netstat at the appropriate time. Would SNORT or any other tools detect incomplete TCP handshakes without putting too much of a load on a very small underpowered system?
> > I have some full packet captures, if anyone is interested.
> > ---Tim Rushing
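For the question Tim raises above (whether a lightweight tool could spot incomplete TCP handshakes), here is an added example of the correlation logic such a detector would run; it is not part of the original thread or any poster's code. It pairs each inbound SYN with the SYN/ACKs the host sent back and with any completing ACK, then reports, per remote address, how many handshakes stayed half-open and how many SYN/ACKs went out per SYN received. A host that is being used as a reflector shows a remote address that keeps sending SYNs, never completes, and draws a SYN/ACK ratio equal to the retransmit count. The packet records are constructed: 192.0.2.10 as the local host, 203.0.113.5 as the spoofed attack target, 198.51.100.7 as a normal client, and the eight-retransmission figure is the one from the post while the retry spacing is illustrative.

```python
"""Detect half-open TCP handshakes and SYN/ACK reflection from packet records.

Constructed example: build_sample_packets() stands in for capture output
(e.g. tcpdump/tshark) reduced to simple tuples. Addresses are assumptions.
"""
from collections import defaultdict

LOCAL_HOST = "192.0.2.10"   # assumed address of the host being analysed (not from the post)
HALF_OPEN_TIMEOUT = 30.0    # seconds before an unanswered SYN/ACK counts as half-open

# Seconds after the first SYN/ACK at which retransmissions go out for one unanswered
# SYN. Eight SYN/ACKs per SYN is the count the post reports; the spacing is illustrative.
SYNACK_RETRY_OFFSETS = (0, 3, 9, 21, 45, 93, 189, 381)


def build_sample_packets():
    """Constructed records: (time, src_ip, src_port, dst_ip, dst_port, flags).

    flags uses tcpdump letters: 'S' = SYN, 'SA' = SYN/ACK, 'A' = ACK.
    One legitimate client completes a handshake; one spoofed 'victim' address never does.
    """
    pkts = []
    # Normal client: SYN, our SYN/ACK, its ACK -> completed handshake.
    pkts.append((10.00, "198.51.100.7", 50000, LOCAL_HOST, 80, "S"))
    pkts.append((10.01, LOCAL_HOST, 80, "198.51.100.7", 50000, "SA"))
    pkts.append((10.02, "198.51.100.7", 50000, LOCAL_HOST, 80, "A"))
    # Spoofed SYNs claiming to come from the real attack target, one every 50 s,
    # each answered by eight SYN/ACKs that the target never acknowledges.
    for i, t0 in enumerate((0.0, 50.0, 100.0)):
        sport = 40000 + i
        pkts.append((t0, "203.0.113.5", sport, LOCAL_HOST, 80, "S"))
        for off in SYNACK_RETRY_OFFSETS:
            pkts.append((t0 + 0.01 + off, LOCAL_HOST, 80, "203.0.113.5", sport, "SA"))
    pkts.sort(key=lambda p: p[0])
    return pkts


def analyze(packets, local_host=LOCAL_HOST, timeout=HALF_OPEN_TIMEOUT):
    """Correlate SYN / SYN-ACK / ACK per handshake and summarise per remote address.

    Returns {remote_ip: {"syns", "synacks", "completed", "half_open", "amplification"}}
    where amplification is SYN/ACKs sent per SYN received.
    """
    handshakes = {}  # (remote_ip, remote_port, local_port) -> state of one handshake
    now = packets[-1][0] if packets else 0.0
    for t, src, sport, dst, dport, flags in packets:
        if dst == local_host and flags == "S":
            handshakes[(src, sport, dport)] = {"syn_time": t, "synacks": 0, "completed": False}
        elif src == local_host and flags == "SA":
            hs = handshakes.get((dst, dport, sport))
            if hs is not None:
                hs["synacks"] += 1
        elif dst == local_host and flags == "A":
            hs = handshakes.get((src, sport, dport))
            if hs is not None:
                hs["completed"] = True

    def empty():
        return {"syns": 0, "synacks": 0, "completed": 0, "half_open": 0, "amplification": 0.0}

    report = defaultdict(empty)
    for (remote_ip, _, _), hs in handshakes.items():
        r = report[remote_ip]
        r["syns"] += 1
        r["synacks"] += hs["synacks"]
        if hs["completed"]:
            r["completed"] += 1
        elif now - hs["syn_time"] >= timeout:
            r["half_open"] += 1  # SYN/ACK never answered within the timeout
    for r in report.values():
        r["amplification"] = r["synacks"] / r["syns"] if r["syns"] else 0.0
    return dict(report)


def suspected_reflection_targets(report, min_syns=3, min_ratio=4.0):
    """Remote addresses that keep sending SYNs, never complete, and draw many SYN/ACKs."""
    return sorted(ip for ip, r in report.items()
                  if r["syns"] >= min_syns and r["completed"] == 0
                  and r["amplification"] >= min_ratio)


if __name__ == "__main__":
    rep = analyze(build_sample_packets())
    for ip, r in sorted(rep.items()):
        print(f"{ip:15} syns={r['syns']} synacks={r['synacks']} completed={r['completed']} "
              f"half_open={r['half_open']} amplification={r['amplification']:.1f}")
    print("suspected reflection targets:", suspected_reflection_targets(rep))
```

The same per-flow state is what a netstat snapshot shows only at one instant (SYN_RECV entries); keeping it across time is what turns the lucky netstat into a repeatable check, and the state is one small dict entry per inbound SYN, so the cost scales with the SYN rate, which in this incident was one packet per address every 40-60 seconds.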