Re: DDoS attack.

From: Neil Dickey (neil@geol.niu.edu)
Date: 01/25/02


Date: Fri, 25 Jan 2002 13:14:48 -0600 (CST)
From: Neil Dickey <neil@geol.niu.edu>
To: danielf@supportteam.net, incidents@securityfocus.com


"Daniel F. Chief Security Engineer -" <danielf@supportteam.net>

>Im looking for help tracing this attack down. Its coming from my network with
>spoofed IPs to 216.200.108.194 IP which is not on my network so its and
>outbound attack. Also none of the source IPs are on my network.

I'm no expert, but ...

Can you configure your IDS to pick up the card address of the source, or
would that only give you an internal router? Even that might help, I
suppose. You could then move inside that router's space, do it again,
and continue until you had narrowed the suspects to a manageable number.

I don't envy you your challenge!

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com