[Dshield] Some information regarding possible attack

vincent malguy malguy_v at epita.fr
Sun May 19 17:28:31 GMT 2002


Hi all,

> I looked at the packets, and it looks like they all have the SYN flag set -
> but nothing else.  That might explain the lack of a payload (data), as these
> may be connection attempts.  An interesting lot - these IPs are all over the
> place, some of them belong to fairly sensitive places (at least, I would
> categorize the Defense Information Systems Agency as such.)
>

and

> > transmitting something to the Internet. I downloaded evaluation version of
> > CommView 3.3 and saw that it was sending thousands of records to different
> > IP addresses to TCP port 80. Upon analyzing the packets, found out that it
> > had no data, just Ethernet, IP and TCP headers. Since it is sending tens of
> > thousands, if not hundreds of thousands, packets per minute to different
> > destinations -- all on port 80 of destination machines -- the rest of the
> > network has become very very slow. I have checked for viruses using latest
> > anti virus and latest patches, but found no viruses. As a last ditch


Makes me think about a DRDoS: http://grc.com/dos/drdos.htm but I can't be
sure since I don't have all the data.

If the packets were just SYN, destined to a high-bandwidth host (like core
Internet routers) with spoofed originating addresses (another web server),
it might be a DRDoS tool that generates this attack (first in the
wild?).

If that's right, it would be a good action to investigate this tool a
little bit.

So Long, Vinz
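The two traffic shapes discussed in this thread (a host emitting payload-less SYNs to many port-80 destinations, and a host collecting SYN-ACK replies it never solicited, which is where spoofed-source reflection lands) can both be flagged from packet summaries. The following is an added example, not code from the post or from the DShield list; the `Pkt` record, the thresholds and the RFC 5737 sample addresses are assumptions made here, and the traffic is constructed inline rather than taken from any real capture.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed minimal packet summary (constructed for this example; a real
# deployment would fill it from a pcap or a flow export).
@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str         # TCP flags, tcpdump style: "S", "SA", "A", "PA"
    payload_len: int   # bytes of TCP payload


def find_syn_spray_sources(pkts, window=60.0, min_dsts=50, dport=80):
    """Hosts that send payload-less SYN-only segments to at least `min_dsts`
    distinct destinations on `dport` within one `window`-second bucket.
    This is the emitter-side signature of the traffic described in the post."""
    dsts_per_bucket = defaultdict(set)
    for p in pkts:
        if p.flags == "S" and p.payload_len == 0 and p.dport == dport:
            dsts_per_bucket[(p.src, int(p.ts // window))].add(p.dst)
    return sorted({src for (src, _), dsts in dsts_per_bucket.items()
                   if len(dsts) >= min_dsts})


def find_unsolicited_synack_targets(pkts, window=60.0, min_srcs=20):
    """Hosts that receive SYN-ACKs from at least `min_srcs` distinct sources
    without having sent a SYN to those sources first. Backscatter of this
    shape is the victim-side signature of SYN reflection: the spoofed source
    address in the reflected SYNs is the address that collects the replies."""
    syn_seen = set()                 # (initiator, responder) pairs with a SYN
    unsolicited = defaultdict(set)   # (victim, bucket) -> set of reflectors
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.flags == "S":
            syn_seen.add((p.src, p.dst))
        elif p.flags == "SA" and (p.dst, p.src) not in syn_seen:
            unsolicited[(p.dst, int(p.ts // window))].add(p.src)
    return sorted({dst for (dst, _), srcs in unsolicited.items()
                   if len(srcs) >= min_srcs})


def build_sample_capture():
    """Constructed traffic using RFC 5737 documentation addresses."""
    pkts, t = [], 0.0

    def emit(src, dst, dport, flags, plen):
        nonlocal t
        pkts.append(Pkt(t, src, dst, dport, flags, plen))
        t += 0.001

    # 1. A normal client completing three handshakes and sending requests.
    for i in range(3):
        srv = f"198.51.100.{i + 1}"
        emit("192.0.2.10", srv, 80, "S", 0)
        emit(srv, "192.0.2.10", 40000 + i, "SA", 0)
        emit("192.0.2.10", srv, 80, "A", 0)
        emit("192.0.2.10", srv, 80, "PA", 300)

    # 2. A host spraying empty SYNs at 100 distinct web servers, as in the post.
    for i in range(100):
        emit("192.0.2.77", f"198.51.100.{100 + i}", 80, "S", 0)

    # 3. A host collecting SYN-ACK backscatter from 40 servers it never contacted.
    for i in range(40):
        emit(f"198.51.100.{200 + i}", "203.0.113.5", 50000 + i, "SA", 0)

    return pkts


if __name__ == "__main__":
    cap = build_sample_capture()
    print("SYN spray sources:", find_syn_spray_sources(cap))
    print("reflection victims:", find_unsolicited_synack_targets(cap))
```

The emitter-side check only works where the sensor sits on the segment the packets leave from; once the source address is spoofed, the traffic is indistinguishable from the claimed sender's anywhere else, so the victim-side check (unsolicited SYN-ACKs from many distinct servers) is what a site on the receiving end would see. Both thresholds are deliberately conservative and should be tuned to the site's normal fan-out.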
