Re: DDoS Attack

From: Angelz (angel_at_dgtalstudios.com)
Date: 05/23/03

  • Next message: Justin Pryzby: "Re: DDoS Attack"

    To: "Steven Shepherd" <steven@valueweb.com>, <incidents@securityfocus.com>
    Date: Fri, 23 May 2003 00:12:10 +0100

    How many unique IPs are attacking you? Is it consuming too much bandwidth or
    straining CPU/memory?
    This will largely be the deciding factor in your response to it.

    As this is a complete TCP connection to your webserver, the IPs obviously
    cannot be spoofed. This is good news as it makes defending from it a lot
    easier.
    I suggest asking your upstream(s) to filter all the IPs involved. It's likely
    they'll have their own way of combating it; you need to speak to them.

    If you could send me a list of the infected IPs it would be greatly
    appreciated.

    http://www.securityfocus.com/archive/75/270867 -- The same string was sent
    in this attack, may be worth reading.

    Good luck,

    -A

    ----- Original Message -----
    From: "Steven Shepherd" <steven@valueweb.com>
    To: <incidents@securityfocus.com>
    Sent: Thursday, May 22, 2003 6:13 PM
    Subject: DDoS Attack

    > Our parent company is experiencing a very odd/severe DDoS attack coming
    > from all over the place. For the most part, the attack is occurring at
    > the Apache level. Log files show this request:
    >
    > [Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
    > failed: erroneous characters after protocol string: -nb GET
    >
    > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > GET
    >
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
    > GET
    >
    > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
    > +ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > + +ATH0+
    >
    > Scans of some of the attacking IPs show BackOrifice installations.
    >
    > Has anyone had this sort of attack and what would be the best way to
    > combat it? Not much luck from the upstream(s) thus far.
    >
    >
    >
    > --------------------------------------------------------------------------
    > *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    > Just like wired networks, wireless LANs require network security policies
    > that are enforced to protect WLANs from known vulnerabilities and threats.
    > Learn to design, implement and enforce WLAN security policies to lockdown
    > enterprise WLANs.
    >
    > To get your FREE white paper visit us at:
    > http://www.securityfocus.com/AirDefense-incidents
    > --------------------------------------------------------------------------
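The reply above turns on two questions a responder has to answer before calling the upstream: how many unique clients are involved, and how hard each one is hitting. The script below is an added example, not code from either poster. It parses Apache error_log entries in the exact shape quoted in the original post ("[date] [error] [client IP] request failed: erroneous characters after protocol string: -nb GET ..."), keeps only lines carrying that signature, counts hits per source address, bounds the time window, and emits a one-IP-per-line list of the kind an upstream typically asks for. The log lines are constructed for the example and use RFC 5737 documentation addresses; the function names are this example's own.

```python
"""Triage an Apache-level "-nb GET" flood from error_log entries.

Added example (not part of the original thread). It answers the two
triage questions from the reply: how many unique sources, and how many
rejected requests each one sent, so the list can be handed upstream.
"""
import re
from collections import Counter
from datetime import datetime

# Apache 1.3/2.0 error_log line shape, as quoted in the original post:
#   [Tue May 20 09:13:33 2003] [error] [client 1.2.3.4] request failed: ...
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
    r"\[(?P<level>\w+)\] "
    r"\[client (?P<ip>[0-9.]+)\] "
    r"(?P<msg>.*)$"
)

# The flood's distinguishing message: Apache rejects the request line
# because junk ("-nb") follows the protocol string.
SIGNATURE = "erroneous characters after protocol string: -nb GET"

# Constructed sample log (RFC 5737 addresses), mixing flood entries with
# an ordinary 404, a notice line, and a malformed line.
SAMPLE_LOG = """\
[Tue May 20 09:13:33 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET !@#%!^@)&!^&-nb GET @@@@-nb GET +ATH0+ + +ATH0+
[Tue May 20 09:13:33 2003] [error] [client 198.51.100.7] request failed: erroneous characters after protocol string: -nb GET !@#%!^@)&-nb GET
[Tue May 20 09:13:34 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET @@@@@@-nb GET
[Tue May 20 09:13:35 2003] [error] [client 203.0.113.99] File does not exist: /var/www/html/favicon.ico
[Tue May 20 09:13:36 2003] [notice] caught SIGTERM, shutting down
[Tue May 20 09:13:37 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: -nb GET +ATH0+ + +ATH0+
garbage line that is not an apache error entry
"""


def parse_error_line(line):
    """Return (timestamp, ip, message) for a well-formed client line, else None."""
    m = ERROR_LINE.match(line.strip())
    if not m:
        return None
    # ctime-style dates pad single-digit days with a space; collapse it.
    ts_text = re.sub(r"\s+", " ", m.group("ts"))
    ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")


def flood_summary(lines, signature=SIGNATURE):
    """Count flood hits per client IP.

    Returns (counts, first_seen, last_seen): counts maps ip -> number of
    rejected requests carrying the signature; the timestamps bound the
    observed window so a per-second rate can be estimated.
    """
    counts = Counter()
    first = last = None
    for line in lines:
        parsed = parse_error_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if signature not in msg:
            continue  # unrelated errors stay out of the attacker list
        counts[ip] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return counts, first, last


def top_sources(counts, n=10):
    """Attacking IPs ordered by hit count, most active first."""
    return counts.most_common(n)


def filter_list(counts, min_hits=1):
    """One IP per line, sorted: the plain list an upstream can drop into a filter."""
    return "\n".join(sorted(ip for ip, c in counts.items() if c >= min_hits))


if __name__ == "__main__":
    counts, first, last = flood_summary(SAMPLE_LOG.splitlines())
    span = (last - first).total_seconds() if first and last else 0
    print(f"{len(counts)} unique sources, {sum(counts.values())} rejected requests over {span:.0f}s")
    for ip, hits in top_sources(counts):
        print(f"  {ip:<16} {hits}")
    print("filter list:")
    print(filter_list(counts))
```

On a real box, feed it `error_log` (or the concatenation across the parent company's front ends) instead of the sample; the unique-source count and per-source rate are what decide whether the upstream filters individual IPs or whether the volume is small enough to block at the edge yourself. Because the requests complete a TCP handshake, as the reply notes, the client addresses in these lines are the real sources, so the filter list is meaningful.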
    
