Re: DDoS attack.

From: Neil Dickey (neil@geol.niu.edu)
Date: 01/25/02


Date: Fri, 25 Jan 2002 13:14:48 -0600 (CST)
From: Neil Dickey <neil@geol.niu.edu>
To: danielf@supportteam.net, incidents@securityfocus.com


"Daniel F. Chief Security Engineer -" <danielf@supportteam.net>

>I'm looking for help tracing this attack down. It's coming from my network with
>spoofed IPs to 216.200.108.194 IP which is not on my network so it's an
>outbound attack. Also none of the source IPs are on my network.

I'm no expert, but ...

Can you configure your IDS to pick up the card address of the source, or
would that only give you an internal router? Even that might help, I
suppose. You could then move inside that router's space, do it again,
and continue until you had narrowed the suspects to a manageable number.

I don't envy you your challenge!

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
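
The approach suggested in the reply above, as an added example that is not part of the original message: group captured frames bound for the target by their Ethernet source ("card") address, keeping only those whose source IP falls outside the local prefixes. The local prefix, the MAC addresses and the sample frames are constructed assumptions; a sensor only sees the MAC of the last device on its own segment, which may be an internal router.

```python
import ipaddress
import struct
from collections import Counter

TARGET = ipaddress.ip_address("216.200.108.194")     # destination named in the post
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local prefix (placeholder)

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip) for an untagged Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ipaddress.ip_address(frame[26:30])
    dst_ip = ipaddress.ip_address(frame[30:34])
    return src_mac, src_ip, dst_ip

def spoofed_sources_by_mac(frames):
    """Count frames to TARGET whose source IP is not in LOCAL_NETS, keyed by source MAC."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, dst_ip = parsed
        if dst_ip == TARGET and not any(src_ip in net for net in LOCAL_NETS):
            counts[src_mac] += 1
    return counts

def build_frame(src_mac, src_ip, dst_ip):
    """Build a constructed sample frame: Ethernet header plus a minimal IPv4 header."""
    eth = bytes.fromhex("02000000ffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip

SAMPLE = [  # constructed frames, not captured traffic
    build_frame("02:00:00:00:00:0a", "10.9.8.7", "216.200.108.194"),
    build_frame("02:00:00:00:00:0a", "172.16.5.4", "216.200.108.194"),
    build_frame("02:00:00:00:00:0b", "192.0.2.20", "216.200.108.194"),
    build_frame("02:00:00:00:00:0c", "198.51.100.3", "203.0.113.9"),
]

if __name__ == "__main__":
    for mac, n in spoofed_sources_by_mac(SAMPLE).most_common():
        print(mac, n)
```

If the top address belongs to a router, repeat the capture on a segment behind it, as the reply describes.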


