Re: DDoS Attack

From: Tim Greer (chatmaster_at_charter.net)
Date: 05/22/03

    To: "Steven Shepherd" <steven@valueweb.com>, <incidents@securityfocus.com>
    Date: Thu, 22 May 2003 13:05:01 -0700
    
    

    This attack is launched from infected IRC installs on Windows systems (of
    course Windows). You may need to null route the IP and buy some time. You
    could set up something to filter the headers or requests and have it
    automatically firewall them out and drop the connections, but then it'll
    probably just hit harder and faster anyway. I'm not sure what to suggest at
    the moment, sorry.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.
    ----- Original Message -----
    From: "Steven Shepherd" <steven@valueweb.com>
    To: <incidents@securityfocus.com>
    Sent: Thursday, May 22, 2003 10:13 AM
    Subject: DDoS Attack
    > Our parent company is experiencing a very odd/severe DDoS attack coming
    > from all over the place.  For the most part, the attack is occurring at
    > the Apache level.  Log files show this request:
    >
    > [Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
    > failed: erroneous characters after protocol string: -nb GET
    >
    > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > GET
    >
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
    > GET
    >
    > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
    > +ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > + +ATH0+
    >
    > Scans of some of the attacking IPs show BackOrifice installations.
    >
    > Has anyone had this sort of attack and what would be the best way to
    > combat it?  Not much luck from the upstream(s) thus far.
    >
    
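Tim's suggestion of filtering the requests and firewalling the senders automatically comes down to pulling the offending client addresses out of Apache's error_log. The Python below is an added example, not code from either poster: it matches the "erroneous characters after protocol string" message quoted in the thread, counts malformed requests per client IP, and emits DROP rules for an administrator to review. The sample log lines, the client addresses (RFC 5737 documentation ranges), the threshold and the function names are all constructed for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample error_log lines, modelled on the entry quoted in the thread.
# Addresses are from the RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
[Tue May 20 09:13:33 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET
[Tue May 20 09:13:34 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: !@#%!^@)&!^&!*&!%&!%-nb GET
[Tue May 20 09:13:35 2003] [error] [client 198.51.100.7] request failed: erroneous characters after protocol string: @@@@@@@@@@-nb GET
[Tue May 20 09:13:36 2003] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Tue May 20 09:13:37 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET
[Tue May 20 09:13:38 2003] [error] [client 198.51.100.7] request failed: erroneous characters after protocol string: +ATH0+ + +ATH0+
"""

# Matcher for the Apache 1.3/2.0 error_log layout shown above. The optional ":port"
# after the client address covers the Apache 2.4 layout as well (assumption, not
# something the thread discusses).
PROTOCOL_ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "
    r"request failed: erroneous characters after protocol string: (?P<tail>.*)$"
)


class ProtocolError(NamedTuple):
    timestamp: str
    client_ip: str
    tail: str  # the junk Apache saw after the protocol string, e.g. "-nb GET"


def parse_protocol_errors(log_text: str) -> List[ProtocolError]:
    """Return one ProtocolError per matching line; unrelated error_log lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = PROTOCOL_ERROR_RE.match(line)
        if m:
            hits.append(ProtocolError(m.group("ts"), m.group("ip"), m.group("tail")))
    return hits


def count_offenders(entries: List[ProtocolError], threshold: int) -> Dict[str, int]:
    """Count malformed requests per client and keep the clients at or above threshold."""
    counts = Counter(e.client_ip for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def build_drop_rules(offenders: Dict[str, int]) -> List[str]:
    """Emit iptables DROP rules, worst offender first, for review before applying."""
    ordered = sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in ordered]


if __name__ == "__main__":
    found = parse_protocol_errors(SAMPLE_LOG)
    offenders = count_offenders(found, threshold=2)
    for ip, n in offenders.items():
        print(f"{ip}: {n} malformed requests")
    print("\n".join(build_drop_rules(offenders)))
```

Feed it the live error_log (for example from a cron job or a `tail -f` pipe) and apply the printed rules only after a human has looked at them: as Tim notes, traffic from many infected hosts keeps arriving whatever you block, so the per-IP list grows fast, and any legitimate users behind a shared NAT address are dropped along with the bot on that address. Treat the rules as a stopgap alongside the null route and upstream filtering he mentions, not as the fix.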

