Security Incidents: RE: DoS, possibly spoofed IP Addresses

From: Jupp, Peter <JuppP_at_ottawapolice.ca>
Date: Wed, 3 Apr 2002 09:55:30 -0500

Hi Murat,
The best reading I've done about DoS attacks was courtesy of Steve Gibson; look here: http://grc.com/dos/grcdos.htm. Of particular interest elsewhere on Mr Gibson's site is the information about Windows XP raw sockets, which deliver IP spoofing capability to the masses.
Good Luck,
Peter.

-----Original Message-----
From: mahmut korkmaz [mailto:mahmutkorkmaz_at_hotmail.com]
Sent: Monday, April 01, 2002 9:16 PM
To: incidents_at_securityfocus.com
Subject: DoS, possibly spoofed IP Addresses

Folks,

I have been dealing with this DoS attack for a long while. Actually, my
problem is not identifying the attack; rather, it is tracing the source
IP.

My SNORT logs show that this guy is trying to hack into the DNS server over
UDP. In the payloads of the packets I see the "/bin/sh" string. There is
no other clue about the exploit he is trying. It is causing a DoS, at the
end of the day. Driving me NUTS :( Consuming all my bandwidth.... Then again
the same cycle... Call the ISP, block the guy and keep searching....

I am trying to block this guy from the ISP. However, he is changing the IP
all the time. Whenever I try to trace the IP, it is either not alive, or the
ISP of the IP says they see no traffic from that guy. I am almost sure that
he is spoofing the IP.

By the way, tracing this guy by talking to one ISP after another is also not
helpful... Because it is time killing, trying to convince the NOC guy of the ISP
to check the routers for us and stuff like that.... Most of the time they
refuse at first to check the routers, because we are not their customer and
so on...

So, the bottom line is, have you ever been in a similar position before? If
so, what was your lifeboat?

Any comments....

Murat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 03 2002