Security Incidents: Re: could be slice?

Re: could be slice?

From: Ryan Sweat <h3xm3_at_SWBELL.NET>
Date: Sat, 16 Dec 2000 19:13:30 -0600

     There are many tools that can send this kind of attack. Most ddos
tools include this, although distributed dos is not required to render a box
useless. A piece of code written a while back, stream.c, is still very
effective. In effect it sends spoofed tcp connects to random ports.
Routers are vulnerable too. This is not a bandwidth attack, it is most
likely that traffic to the rest of the network will be functional.

Here is a link to stream.c
ftp://ftp.technotronic.com/denial/stream-DoS.txt

ryan

----- Original Message -----
From: "Guilherme Mesquita" <guy_at_LINUXBR.COM.BR>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Saturday, December 16, 2000 5:00 PM
Subject: Re: could be slice?

> Unfortunately you'll only be able to avoid this kind of attack using a
> powerful filter in your gateway but you must be careful: this needs to be,
> if possible, in your backbone. You won't be able to protect yourself from
> your own box. But you can also check the option for TCP_SYN_COOKIES in your
> kernel. This might help with excessive memory usage with TCP connections
> (this is one of the effects those DoS SYN/ACK tools cause)
>
> Well I think that's it. IPCHAINS isn't enough for this...
>
> On Mon, 11 Dec 2000, Andrita Constantin wrote:
> > Date: Mon, 11 Dec 2000 11:52:19 +0200
> > To: INCIDENTS_at_SECURITYFOCUS.COM
> > From: Andrita Constantin <aconstantin_at_EXPERT.RO>
> > Reply-To: Andrita Constantin <aconstantin_at_EXPERT.RO>
> > Sender: Incidents Mailing List <INCIDENTS_at_SECURITYFOCUS.COM>
> > Subject: could be slice?
> >
> > Hello
> >
> > For two weeks now I'm facing a problem with floods almost on a daily
> > basis.
> >
> > I get 3000 and more TCP SYN connections from random hosts. I've been
> > told that this might be generated by a tool called slice.
> >
> > Can somebody point me in the right direction to find out how can I trace
> > the flooder?
> >
> > Or can I do something to prevent/stop these attacks?
> >
> > Regards
> >
> > Andrita Constantin
> > ------------------------------------------------
> > Is it progress if a cannibal uses a knife and fork?
> --
> .--------------------.
> | Guilherme Mesquita |
> | guy_at_linuxbr.com.br |
> | UIN # 5864338 |
> `--------------------'
Received on Dec 18 2000
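
An added example, not part of the original posts: a way to confirm the symptom described in the thread (many half-open TCP connections from random sources) and to check whether SYN cookies are enabled. It assumes a little-endian Linux host exposing /proc/net/tcp and /proc/sys/net/ipv4/tcp_syncookies; the function names are hypothetical and the sample table is constructed.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = "03"  # /proc/net/tcp state code for a half-open (SYN received) socket

# Constructed sample in /proc/net/tcp layout; all addresses are documentation ranges.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:0050 076433C6:9C40 03 00000000:00000000 01:00000050 00000000     0        0 0
   2: 0A0200C0:0050 097100CB:1F90 03 00000000:00000000 01:00000050 00000000     0        0 0
   3: 0A0200C0:0050 C86433C6:0401 03 00000000:00000000 01:00000050 00000000     0        0 0
   4: 0A0200C0:0050 4D7100CB:C350 03 00000000:00000000 01:00000050 00000000     0        0 0
   5: 0A0200C0:0016 320200C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1002
"""

def decode_addr(hex_addr):
    """Convert the hex IPv4 form in /proc/net/tcp (little-endian host) to dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def half_open_by_port(proc_text):
    """Return {local_port: (half_open_count, distinct_remote_addresses)}."""
    sources = defaultdict(list)
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed row
        if fields[3] != SYN_RECV:
            continue  # only half-open sockets are of interest
        port = int(fields[1].split(":")[1], 16)
        sources[port].append(decode_addr(fields[2].split(":")[0]))
    return {p: (len(a), len(set(a))) for p, a in sources.items()}

def flagged_ports(proc_text, threshold):
    """Ports whose half-open count meets the threshold, the backlog a SYN flood leaves."""
    stats = half_open_by_port(proc_text)
    return sorted(p for p, (count, _) in stats.items() if count >= threshold)

def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True/False from the sysctl file, or None when it cannot be read (non-Linux)."""
    try:
        with open(path) as fh:
            return fh.read().strip() != "0"
    except OSError:
        return None

if __name__ == "__main__":
    for port, (count, distinct) in half_open_by_port(SAMPLE).items():
        print(f"port {port}: {count} half-open from {distinct} distinct sources")
    print("flagged:", flagged_ports(SAMPLE, threshold=3))
    print("syncookies:", syncookies_enabled())
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE and pick a threshold above the service's normal half-open count.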
