[Dshield] RE: sdbot variant and WS 55808 activity

Willi Web Willi.Web at mail4web.de
Fri Jun 20 12:25:45 GMT 2003

Richard Ginski wrote Thursday, June 19, 2003 11:56 AM

> Some additional info. The mention of "Day 0" might be of concern.
> http://www.eweek.com/article2/0,3959,1130765,00.asp

This article begs some questions:

Where is "Day 0" coded into the packets? If it is there, it is
interesting as a clue to meaning of the rest of the packets. As ominous
as it sounds, I don't read too much meaning into the phrase itself - it
could be just empty bluster on the part of the author. If it is for
real, we're already past Day 30 anyway.

Is there consensus that all sources are spoofed? For me the majority of
the probes come from a single spoofed address unique (or nearly unique)
to each target. But each target also gets hits from addresses with valid
rDNS and live routes. These source addresses are hitting multiple
targets and don't look spoofed to me. Of course the packet crafting
makes it difficult to judge this for certain.

Can't a few ISPs put a trace on the valid addresses that hit multiple
sites, to determine whether the traffic is being routed along a path
consistent with the apparent source address? I'm sure it is next to
impossible to get a full trace to the source, with the multiple carriers
and privacy policies and national laws along the way. Maybe this has
already been done and it has been proven that ALL sources are forged,
but that does not look likely based on my own limited captures.
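
The test the post proposes for telling a per-target spoofed source from a shared, probably real one (does the address show up at more than one target, and does it have a PTR record) can be scripted over a set of captures. The following is an added example, not part of the original post and not DShield's own tooling. The log line format, the addresses and the rDNS table are all constructed for illustration (a real run would do the PTR lookups and, as the post says, the route check still needs the carriers); the classes it assigns are heuristics, not proof of spoofing.

```python
"""Triage probe sources seen by several sensors: which ones are unique to a
single target (consistent with a per-target forged source) and which are
shared across targets and resolvable (candidates for an ISP trace).

Added example. Log format, IPs and rDNS answers below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines, one probe each, as three sensors (A, B, C) saw
# them. 'win' mirrors the TCP window size the thread is named after.
SAMPLE_LOG = """\
2003-06-19 01:02:03 sensor=A src=203.0.113.7 dport=55808 win=55808
2003-06-19 01:05:11 sensor=A src=203.0.113.7 dport=55808 win=55808
2003-06-19 01:07:40 sensor=A src=198.51.100.20 dport=55808 win=55808
2003-06-19 02:00:01 sensor=B src=192.0.2.99 dport=55808 win=55808
2003-06-19 02:09:15 sensor=B src=198.51.100.20 dport=55808 win=55808
2003-06-19 03:14:22 sensor=C src=192.0.2.150 dport=55808 win=55808
2003-06-19 03:20:05 sensor=C src=198.51.100.20 dport=55808 win=55808
2003-06-19 03:31:30 sensor=C src=198.51.100.77 dport=55808 win=55808
"""

# Constructed rDNS results standing in for a real PTR lookup (which would
# need network access). True means a PTR record exists.
RDNS = {
    "203.0.113.7": False,
    "198.51.100.20": True,
    "192.0.2.99": False,
    "192.0.2.150": False,
    "198.51.100.77": True,
}

LINE_RE = re.compile(r"sensor=(?P<sensor>\S+)\s+src=(?P<src>\S+)")


def parse(log):
    """Yield (sensor, source_ip) for every line that matches the format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("sensor"), m.group("src")


def aggregate(pairs):
    """Map each source to the sensors it hit and each sensor to its sources."""
    by_src = defaultdict(set)
    by_sensor = defaultdict(set)
    for sensor, src in pairs:
        by_src[src].add(sensor)
        by_sensor[sensor].add(src)
    return by_src, by_sensor


def classify(by_src, rdns, min_targets=2):
    """Label each source.

    single-target   seen by only one sensor (the 'one forged address per
                    target' pattern described in the post)
    shared          seen by >= min_targets sensors and has a PTR record
    shared-no-rdns  seen by several sensors but does not resolve
    """
    classes = {}
    for src, sensors in by_src.items():
        if len(sensors) >= min_targets:
            classes[src] = "shared" if rdns.get(src, False) else "shared-no-rdns"
        else:
            classes[src] = "single-target"
    return classes


def summarize(log, rdns, min_targets=2):
    """Return per-source classes and, per sensor, how many of each it saw."""
    by_src, by_sensor = aggregate(parse(log))
    classes = classify(by_src, rdns, min_targets)
    per_sensor = {
        sensor: dict(Counter(classes[src] for src in srcs))
        for sensor, srcs in by_sensor.items()
    }
    return {"classes": classes, "per_sensor": per_sensor}


def trace_candidates(classes):
    """Sources worth asking an ISP to trace: shared across targets and resolvable."""
    return sorted(src for src, cls in classes.items() if cls == "shared")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, RDNS)
    for src, cls in sorted(result["classes"].items()):
        print(f"{src:16} {cls}")
    print("per sensor:", result["per_sensor"])
    print("trace candidates:", trace_candidates(result["classes"]))
```

On the constructed data each sensor sees one address nobody else sees plus one shared, resolvable address (198.51.100.20), which is the mix the post describes; only the shared address would be handed to an ISP for a route check. A source that hits several sensors but has no PTR record is left undetermined rather than called spoofed, since crafted packets can carry either kind of address.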
