Security Incidents mailing list archives

Re: DDoS attack.


From: Bugtraq Mailing Lists <bugtraq () bugtraq towardex com>
Date: Sun, 27 Jan 2002 13:31:30 -0500 (EST)

You should start implementing ingress filtering on your routers
so that this spoofed attack will not happen again from your end users.

if you have a Cisco-based router:
conf t
! uRPF requires CEF switching to be enabled first
ip cef
! do this on all of your interfaces
int e0/0
 ip verify unicast reverse-path
end

if you have an ISis or other Linux-based router/firewall (run as root):
# the glob covers all/, default/ and every interface directory under conf/
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done


On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:

I'm looking for help tracing this attack down. It's coming from my network with
spoofed IPs to the IP 216.200.108.194, which is not on my network, so it's an
outbound attack. Also, none of the source IPs are on my network.

I have blocked the outgoing traffic at the firewalls so it is not leaving my
network.

Here is a short tcpdump of the traffic.
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535

It's got all the signs of a DDoS attack: the window size is always the same, the dst
ports are incrementing by one every time, and the source IP is randomized. I
cannot find the machine(s) that are generating this, as I have a very large
interconnected (cluster $#@!) network that I inherited, which contains well over
1600 hosts.

TIA
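Added example, not code from either poster: a small triage script that parses the five tcpdump lines quoted above, applies the egress decision an ingress filter would make (only sources inside the local prefixes may leave, with bogon ranges called out separately), reports the three indicators the original poster names (fixed window, rising destination port, randomized source), and models the strict reverse-path check that "ip verify unicast reverse-path" / rp_filter=1 perform. The local prefix 192.0.2.0/24 and the two-entry routing table are assumptions, since the thread never states the poster's address space.

```python
"""Triage the tcpdump excerpt from the thread and model the uRPF check the reply
recommends.  Added example; not code from the list posters."""
import ipaddress
import re

# Constructed sample: the five tcpdump lines quoted in the thread, one packet per line.
SAMPLE = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""

# Matches the old tcpdump 3.x TCP line format: "ts src.sport > dst.dport: flags seq:seq(len) win N".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPAU.]+) .*?\bwin (?P<win>\d+)"
)

# Assumption: the poster never names his prefixes, so a documentation range stands in
# for "my network".  Replace with the real address space before using this for real.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def parse(text):
    """Return one dict per tcpdump line; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "win"):
                d[k] = int(d[k])
            packets.append(d)
    return packets


def source_verdict(src, local_prefixes=LOCAL_PREFIXES):
    """Egress-filter decision for an outbound packet: only local sources may leave."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in local_prefixes):
        return "pass"
    if (addr.is_multicast or addr.is_reserved or addr.is_private
            or addr.is_loopback or addr.is_link_local or addr.is_unspecified):
        return "drop:bogon"          # can never be a legitimate unicast source
    return "drop:not-local"          # routable somewhere, but not ours: spoofed


def flood_indicators(packets):
    """The signs the poster points at: fixed window, rising dport, random source."""
    wins = {p["win"] for p in packets}
    dports = [p["dport"] for p in packets]
    return {
        "all_syn": all(p["flags"] == "S" for p in packets),
        "constant_window": len(wins) == 1,
        "dport_increasing": all(a < b for a, b in zip(dports, dports[1:])),
        "distinct_sources": len({p["src"] for p in packets}),
        "verdicts": {p["src"]: source_verdict(p["src"]) for p in packets},
    }


# Hypothetical routing table for the uRPF model: (prefix, interface) pairs.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "Ethernet0"),   # customer LAN
    (ipaddress.ip_network("0.0.0.0/0"), "Serial0"),        # default route to upstream
]


def urpf_strict(src, ingress_iface, routes=ROUTES):
    """Strict uRPF as 'ip verify unicast reverse-path' / rp_filter=1 apply it: forward
    only if the longest-prefix route back to the source leaves via the ingress interface.
    Caveat: with asymmetric routing this also drops legitimate traffic."""
    addr = ipaddress.ip_address(src)
    match = None
    for net, iface in routes:
        if addr in net and (match is None or net.prefixlen > match[0].prefixlen):
            match = (net, iface)
    return match is not None and match[1] == ingress_iface


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    for key, value in flood_indicators(pkts).items():
        print(f"{key}: {value}")
    for p in pkts:
        print(f"{p['src']:>16} arriving on Ethernet0: "
              f"{'forward' if urpf_strict(p['src'], 'Ethernet0') else 'drop'}")
```

Two of the five quoted sources (255.8.148.250 and 226.66.36.238) fall in reserved and multicast space and are rejected as bogons outright; the other three are routable addresses that simply are not local, which is exactly the case only a reverse-path or prefix-based egress filter catches.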

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
