Re: DDoS attack.

From: Bugtraq Mailing Lists (bugtraq@bugtraq.towardex.com)
Date: 01/27/02


Date: Sun, 27 Jan 2002 13:31:30 -0500 (EST)
From: Bugtraq Mailing Lists <bugtraq@bugtraq.towardex.com>
To: "Daniel F. Chief Security Engineer -" <danielf@supportteam.net>

you should start implementing ingress filtering on your routers
so that this spoofed attack will not happen again by your end users.

if you have a Cisco based router:
conf t
int e0/0 <-- do this on all of your interfaces
ip verify unicast reverse-path

if you have an ISis or other Linux based router/firewall (sets rp_filter on every interface, including "all" and "default"):
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$i"; done

On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:

> I'm looking for help tracing this attack down. It's coming from my network with
> spoofed IPs to 216.200.108.194, an IP which is not on my network, so it's an
> outbound attack. Also none of the source IPs are on my network.
>
> I have blocked the outgoing traffic at the firewalls so it is not leaving my
> network.
>
> Here is a short tcpdump of the traffic.
> 11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S
> 1667351577:1667351577(0) win 65535
> 11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S
> 1116047630:1116047630(0) win 65535
> 11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S
> 2101768472:2101768472(0) win 65535
> 11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S
> 1399051237:1399051237(0) win 65535
> 11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S
> 417777474:417777474(0) win 65535
>
> It's got all the signs of a DDoS attack: window size is always the same, dst
> ports are incrementing by one every time, and the source IP is randomized. I
> cannot find the machine(s) that are generating this as I have a very large
> interconnected (cluster $#@!) network that I inherited which contains well over
> 1600 hosts.
>
> TIA
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

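As an added example (not code from either poster), here is the egress check the reply is recommending, applied offline to the tcpdump lines quoted in the post: it parses the lines, decides for each source address whether a filter holding only the site's own prefixes would have let the packet out, and summarises the flood signature Daniel describes. The local prefixes (LOCAL_PREFIXES) are assumed placeholder values, and the sample lines are the post's output re-joined onto one line each.

```python
import ipaddress
import re

# Constructed sample input: the five SYNs quoted in the post, re-joined onto one line each.
SAMPLE_TCPDUMP = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""
# Assumption: the prefixes actually assigned to the local network (hypothetical documentation ranges).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"(?P<flags>\S+) .*win (?P<win>\d+)")

def parse_tcpdump(text):
    """Parse classic tcpdump TCP summary lines into dicts; non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "win"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def source_verdict(src, local_prefixes=LOCAL_PREFIXES):
    """What an egress filter (same idea as uRPF / rp_filter) would decide about this source address."""
    ip = ipaddress.ip_address(src)
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "bogon"      # can never be a valid unicast source, regardless of prefix
    if any(ip in net for net in local_prefixes):
        return "local"      # legitimately ours: would be allowed out
    return "spoofed"        # not ours: would be dropped at the edge

def analyse(text, local_prefixes=LOCAL_PREFIXES):
    """Summarise the signature described in the post: spoofed sources, fixed window, stepping dst ports."""
    pkts = parse_tcpdump(text)
    verdicts = [source_verdict(p["src"], local_prefixes) for p in pkts]
    dports = [p["dport"] for p in pkts]
    return {
        "total": len(pkts),
        "syn_only": sum(p["flags"] == "S" for p in pkts),
        "spoofed": verdicts.count("spoofed"),
        "bogon": verdicts.count("bogon"),
        "would_pass_filter": verdicts.count("local"),
        "constant_window": len({p["win"] for p in pkts}) == 1,
        "dport_increasing": all(a < b for a, b in zip(dports, dports[1:])),
    }
```

Run against the sample, none of the five sources would have passed the filter; two of them (255.8.148.250 and 226.66.36.238) are not even valid unicast addresses, which is why a reverse-path check stops this traffic at the first router hop rather than at the firewall.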