IRC DDoS bots

From: grwolf (grwolf@adelphia.net)
Date: 03/14/03

    From: "grwolf" <grwolf@adelphia.net>
    To: <incidents@securityfocus.com>, <secured@infatech.net>
    Date: Fri, 14 Mar 2003 03:04:12 -0500

    A friend of mine lost his DSL line due to a denial of service attack...
    we managed to find the owner of one of the IP addresses, and they were very
    cooperative with us..

    attack:
    20:19:38.488323 61.215.165.200.3276 > 200.43.45.132.1915: udp 801

    Information from infected host:
    Active Connections

      Proto Local Address Foreign Address State
      TCP 61.215.165.200:445 200.43.216.58:4286 ESTABLISHED
      TCP 61.215.165.200:1029 152.98.204.61:6667 ESTABLISHED

    [variables]
    n0=%server orgazmo.wxmail.net
    n1=%timeout 5
    n2=%chan #!HardBall

    Official Name: orgazmo.wxmail.net
    IP Address: 152.98.204.61

    It's another mIRC based DDoS trojan that scans for NT-Password and IIS
    unicode exploits.
    So the next question is... How do we go about apprehending the culprits?
    Can we somehow get wxmail.net revoked?
    Apparently the DoS attacks caused a lot of damage for my buddy's ISP, and
    many of their customers were affected. Needless to say his service was
    revoked.
    I have seen a lot of these mIRC based trojans, and they seem to be getting
    more and more rampant every day...like roaches...
    Other people I have worked with have been seeing the same trends; are there
    any active organizations working against these 'IRC bots'?

    Any information is appreciated
    Sincerely,
    G. R. Wolf
    infatech security team
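The post quotes three artefacts an incident responder typically ends up with in a case like this: a tcpdump line for the flood, a netstat listing from the infected host, and the bot's mIRC `[variables]` block naming its server and channel. The following Python script, added here as an example and not part of the original post or of any tool it mentions, parses all three and pulls out the facts an abuse report to the upstream provider needs: the IRC server hostname and channel, the IRC peer the host is connected to, and the destinations of any sustained UDP flood. The sample inputs are constructed from the quoted lines (the repeated UDP packets, the netstat UDP socket and the ICMP line are added to show filtering); the set of IRC ports flagged is this example's own assumption, not something the post states.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data, modelled on the netstat, tcpdump and mIRC
# [variables] excerpts quoted in the post; extra lines are added for coverage.
NETSTAT_SAMPLE = """Active Connections

  Proto Local Address Foreign Address State
  TCP 61.215.165.200:445 200.43.216.58:4286 ESTABLISHED
  TCP 61.215.165.200:1029 152.98.204.61:6667 ESTABLISHED
  UDP 0.0.0.0:445 *:*
"""
TCPDUMP_SAMPLE = """20:19:38.488323 61.215.165.200.3276 > 200.43.45.132.1915: udp 801
20:19:38.488611 61.215.165.200.3276 > 200.43.45.132.1915: udp 801
20:19:38.488902 61.215.165.200.3276 > 200.43.45.132.1915: udp 801
20:19:39.100000 61.215.165.200 > 200.43.45.132: icmp: echo request
"""
MIRC_SAMPLE = """[variables]
n0=%server orgazmo.wxmail.net
n1=%timeout 5
n2=%chan #!HardBall
"""

# Assumption of this example: remote ports worth flagging on a host that has no
# business talking IRC, the conventional 6660-6669 range plus 6697 (IRC/TLS).
IRC_PORTS = frozenset(range(6660, 6670)) | {6697}

@dataclass(frozen=True)
class Connection:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str

def _split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split netstat's 'ip:port' into (ip, port); a '*' port becomes 0."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port) if port.isdigit() else 0

def parse_netstat(text: str) -> list[Connection]:
    """Parse 'netstat -an' style output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Connection(parts[0], lip, lport, rip, rport, state))
    return conns

def irc_connections(conns: list[Connection], ports=IRC_PORTS) -> list[Connection]:
    """Established TCP sessions whose remote port is an IRC port."""
    return [c for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED" and c.remote_port in ports]

# Old-style tcpdump UDP summary: "HH:MM:SS.us src.sport > dst.dport: udp LEN"
UDP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)$"
)

def parse_tcpdump_udp(text: str) -> list[tuple[str, str, int, int]]:
    """Return (src_ip, dst_ip, dst_port, payload_len) per UDP line; others skipped."""
    out = []
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            out.append((m["src"], m["dst"], int(m["dport"]), int(m["length"])))
    return out

def udp_flood_summary(packets, min_packets: int = 3) -> list[tuple[str, str, int, int]]:
    """Aggregate per (src, dst) as (src, dst, count, bytes); keep pairs that reach
    min_packets, largest byte total first."""
    agg = defaultdict(lambda: [0, 0])
    for src, dst, _dport, length in packets:
        agg[(src, dst)][0] += 1
        agg[(src, dst)][1] += length
    rows = [(s, d, n, b) for (s, d), (n, b) in agg.items() if n >= min_packets]
    return sorted(rows, key=lambda r: r[3], reverse=True)

MIRC_VAR = re.compile(r"^n\d+=%(\w+)\s+(.+)$")

def parse_mirc_variables(text: str) -> dict[str, str]:
    """Extract %name value pairs from an mIRC [variables] section."""
    found = {}
    for line in text.splitlines():
        m = MIRC_VAR.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def summarize(netstat_text: str, tcpdump_text: str, mirc_text: str,
              min_packets: int = 3) -> dict:
    """The facts an abuse report needs, pulled from the three artefacts."""
    conns = parse_netstat(netstat_text)
    mirc = parse_mirc_variables(mirc_text)
    floods = udp_flood_summary(parse_tcpdump_udp(tcpdump_text), min_packets)
    return {
        "c2_server": mirc.get("server"),
        "c2_channel": mirc.get("chan"),
        "irc_peers": sorted({c.remote_ip for c in irc_connections(conns)}),
        "flood_targets": sorted({dst for _src, dst, _n, _b in floods}),
    }
```

Run `summarize(NETSTAT_SAMPLE, TCPDUMP_SAMPLE, MIRC_SAMPLE)` to get the server, channel, IRC peer and flood target in one dictionary. The IRC port check is deliberately narrow: a bot can be pointed at any port, so on a real case the netstat listing should also be read for long-lived outbound sessions to hosts the machine has no reason to talk to, whatever the port.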



