[Dshield] RE: sdbot variant and WS 55808 activity

James C. Slora, Jr. Jim.Slora at phra.com
Thu Jun 19 17:32:53 GMT 2003

Richard Ginski wrote Thursday, June 19, 2003 11:56 AM

> Some additional info. The mention of "Day 0" might be of concern.
> http://www.eweek.com/article2/0,3959,1130765,00.asp

This article begs some questions:

Where is "Day 0" coded into the packets? If it is there, it is
interesting as a clue to meaning of the rest of the packets. As ominous
as it sounds, I don't read too much meaning into the phrase itself - it
could be just empty bluster on the part of the author. If it is for
real, we're already past Day 30 anyway.

Is there consensus that all sources are spoofed? For me the majority of
the probes come from a single spoofed address unique (or nearly unique)
to each target. But each target also gets hits from addresses with valid
rDNS and live routes. These source addresses are hitting multiple
targets and don't look spoofed to me. Of course the packet crafting
makes it difficult to judge this for certain.

Can't a few ISPs put a trace on the valid addresses that hit multiple
sites, to determine whether the traffic is being routed along a path
consistent with the apparent source address? I'm sure it is next to
impossible to get a full trace to the source, with the multiple carriers
and privacy policies and national laws along the way. Maybe this has
already been done and it has been proven that ALL sources are forged,
but that does not look likely based on my own limited captures.
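A small triage script, added here and not part of the original message, that sorts capture sources the way this reply suggests: an address seen by only one target is the per-target "unique" source (the spoofing candidate), while an address seen across several targets is the one worth asking an upstream provider to check for route consistency. The probe lines, the target addresses and the one-line-per-probe format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample capture summary (not from the original post):
# one line per probe, "src dst dport".
SAMPLE_PROBES = """\
10.0.0.7 192.0.2.10 55808
10.0.0.7 192.0.2.10 55808
203.0.113.5 192.0.2.10 55808
198.51.100.9 192.0.2.10 55808
10.0.1.44 192.0.2.20 55808
203.0.113.5 192.0.2.20 55808
198.51.100.9 192.0.2.30 55808
10.0.2.61 192.0.2.30 55808
203.0.113.5 192.0.2.30 55808
"""

def parse_probes(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skip malformed lines."""
    probes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        src, dst, dport = parts
        probes.append((src, dst, int(dport)))
    return probes

def classify_sources(probes, port=55808):
    """Group sources of probes to `port` by how many distinct targets they hit.

    Returns (single, multi): `single` maps each source seen by exactly one
    target to its hit count (the per-target unique address the post describes,
    likely spoofed); `multi` maps each source seen by several targets to the
    sorted list of those targets (the addresses worth a routing trace).
    """
    targets_by_src = defaultdict(set)
    hits_by_src = defaultdict(int)
    for src, dst, dport in probes:
        if dport != port:
            continue
        targets_by_src[src].add(dst)
        hits_by_src[src] += 1
    single = {s: hits_by_src[s] for s, t in targets_by_src.items() if len(t) == 1}
    multi = {s: sorted(t) for s, t in targets_by_src.items() if len(t) > 1}
    return single, multi

if __name__ == "__main__":
    single, multi = classify_sources(parse_probes(SAMPLE_PROBES))
    print("unique-to-one-target (spoof candidates):", single)
    print("seen across targets (trace candidates):", multi)
```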
