DoS yesterday
From: Dmitri Smirnov (Dmitri.Smirnov@roundheaven.com) Date: 03/26/02
Date: Tue, 26 Mar 2002 13:24:00 -0800
From: "Dmitri Smirnov" <Dmitri.Smirnov@roundheaven.com>
To: <incidents@securityfocus.com>
Hello,
Yesterday we got about 150,000 HTTP requests with different source IPs (121,000 unique) to a single host in a 2-5 minute interval.
According to the logs, all source IPs are spoofed.
Almost every HTTP request produced an ICMP connection from the spoofed IP (port unreach, network unreach, etc.).
It looks like a probe before a serious DoS attack.
Does it look like a new DoS tool?
What could you recommend doing?
There is no way to find out the mastermind since the attack was short, is there?
Dmitri Smirnov, SSCP