DDoS Attacks to several Networks (Switzerland)

From: michi@digicomp.ch
Date: 12/20/01


To: incidents@securityfocus.com
From: michi@digicomp.ch
Date: Thu, 20 Dec 2001 18:12:15 +0100

Hello there,

Tuesday we've had a DDoS coming from 500 different sources. It was a
"tcp-packet-flood" to unprivileged ports. The DDoS took our network down
for 2 hours. I called our ISP to block some IPs which have been spammed
with these packets. There wasn't any scheme in the source IPs, looked like
they were spoofed, 500 different hosts are a lot. At the same time two
networks of friends (all in Switzerland) were DDoSed also, with the same scheme.
One friend reported that at the same time one box which was running an old
version of ssh was owned, or probably owned by the same guy who did the
DDoS.
I think the "attacker" has found the IPs to attack on IRC. The attacks
started from 2pm until 5pm (CET).

Greetings

Michi
-------------------------------------------------
DIGICOMP AG
Michi Zaugg
Network & Security
Limmatstr. 50
8005 Zuerich

mailto: michi@digicomp.ch
mob: +41 (0) 79 245 75 34
tel: +41 (0) 1 447 21 46
fax: +41 (0) 1 447 21 51
-------------------------------------------------
- we're the dot in .digicomp

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


