Re: DDoS Attack

From: Justin Pryzby (justinpryzby_at_users.sourceforge.net)
Date: 05/23/03

    Date: Fri, 23 May 2003 14:12:22 -0400
    To: Angelz <angel@dgtalstudios.com>
    
    

    FWIW, IPs *may* be spoofed, even if you are seeing a TCP 3-way init.
    It depends on how your server machine generates the IP sequence numbers.
    `nmap -v` is a good gauge of how cryptographically strong it is.

    Justin

    On Thu, May 22, 2003 at 07:12:00PM +0000, Angelz wrote:
    >
    > How many unique IPs are attacking you? Is it consuming too much bandwidth or
    > straining cpu/memory?
    > This will largely be the deciding factor in your response to it.
    >
    > As this is a complete TCP connection to your webserver, the IPs obviously
    > cannot be spoofed. This is good news as it makes defending from it a lot
    > easier.
    > I suggest asking your upstream(s) to filter all the IPs involved. It's likely
    > they'll have their own way of combating it; you need to speak to them.
    >
    > If you could send me a list of the infected IPs it would be greatly
    > appreciated.
    >
    > http://www.securityfocus.com/archive/75/270867 -- The same string was sent
    > in this attack, may be worth reading.
    >
    > Good luck,
    >
    > -A
    >
    >
    > ----- Original Message -----
    > From: 'Steven Shepherd' <steven@valueweb.com>
    > To: <incidents@securityfocus.com>
    > Sent: Thursday, May 22, 2003 6:13 PM
    > Subject: DDoS Attack
    >
    >
    > > Our parent company is experiencing a very odd/severe DDoS attack coming
    > > from all over the place. For the most part, the attack is occurring at
    > > the Apache level. Log files show this request:
    > >
    > > [Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
    > > failed: erroneous characters after protocol string: -nb GET
    > > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > > GET
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb
    > > GET
    > > !@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
    > > @)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
    > > !*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb
    > > GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
    > > +ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > > + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
    > > + +ATH0+
    > >
    > > Scans of some of the attacking IPs show BackOrifice installations.
    > >
    > > Has anyone had this sort of attack and what would be the best way to
    > > combat it? Not much luck from the upstream(s) thus far.
    >
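Added example (not part of the original thread): a Python triage script for the "how many unique IPs" question above, matching the Apache "erroneous characters after protocol string" entries quoted in the log excerpt. The sample lines, addresses, marker labels and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache error-log entry of the shape quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"request failed: erroneous characters after protocol string: (?P<rest>.*)$"
)
# Payload fragments visible in the quoted log; the labels are this example's own.
MARKERS = {"nb_get": "-nb GET", "ath0": "+ATH0+"}

def summarize(lines):
    """Return (hits per client, hits per minute, hits per payload marker)."""
    per_ip, per_minute, markers = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated error-log entry
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        per_ip[m["ip"]] += 1
        per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        for label, needle in MARKERS.items():
            if needle in m["rest"]:
                markers[label] += 1
    return per_ip, per_minute, markers

def filter_candidates(per_ip, min_hits=2):
    """Clients with at least min_hits matching entries, busiest first."""
    return [ip for ip, n in per_ip.most_common() if n >= min_hits]

# Constructed sample lines: documentation address ranges, shortened payloads.
PREFIX = "request failed: erroneous characters after protocol string: "
SAMPLE = [
    "[Tue May 20 09:13:33 2003] [error] [client 192.0.2.10] " + PREFIX + "-nb GET !@#%!^@)&!-nb GET +ATH0+ + +ATH0+",
    "[Tue May 20 09:13:34 2003] [error] [client 198.51.100.7] " + PREFIX + "-nb GET @@@@@@@@-nb",
    "[Tue May 20 09:13:41 2003] [error] [client 192.0.2.10] " + PREFIX + "-nb GET +ATH0+ + +ATH0+",
    "[Tue May 20 09:14:02 2003] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
    "[Tue May 20 09:14:05 2003] [error] [client 192.0.2.10] " + PREFIX + "-nb GET @@@@-nb",
]

if __name__ == "__main__":
    per_ip, per_minute, markers = summarize(SAMPLE)
    print("unique clients:", len(per_ip))
    print("per minute:", dict(per_minute))
    print("markers:", dict(markers))
    print("filter candidates:", filter_candidates(per_ip))
```

The per-minute counts speak to the bandwidth and load question, and the candidate list is the input for an upstream filter request.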