RE: DoS "Probing" on one of our hosts

From: Cook, Christopher S. (Christopher.Cook_at_honeywell-tsi.com)
Date: 06/30/03

    To: "'chris@de-punkt.de'" <chris@de-punkt.de>, incidents@securityfocus.com
    Date: Mon, 30 Jun 2003 12:12:26 -0400

    To me, that pattern sounds a lot more like someone's hacked a server and set up a warez site. Granted, we don't know anything definitive, but if the high volume periods generally happen in the middle of the night, I wouldn't be surprised.

    See if you can put a sniffer on the outbound connection (Sniffer is my commercial favorite) to find the endpoints. There are lots of reasons your IDS isn't raising alarms: the system that was hacked was already an FTP server, your IDS isn't monitoring common protocols from servers, the IDS system doesn't see the traffic going to the hacked system, etc.

    Chris Cook
    Honeywell TSI

    These are my opinions, not those of Honeywell.

    -----Original Message-----
    From: Christopher Kunz [mailto:chrislist@de-punkt.de]
    Sent: Monday, June 30, 2003 3:37 AM
    To: incidents@securityfocus.com

    Harlan Carvey wrote:
    > I'm very interested to see what information you can
    > provide on this event, to show that it was, in fact, a
    > DoS attack.

    Uhm, I'm quite positive that 97.8 Mbit coming in through our uplink is a pretty good indicator of an attack.

    And by "probing" I meant that maybe the attacker only tried to determine our maximum bandwidth for a larger-scale attack, since the DoSes stopped fairly soon without any outer influence.

    --ck

    -- 
    php development | hosting |  housing | professional game server hosting
    http://www.de-punkt.de   [ chris@de-punkt.de ]    http://www.stormix.de
    +49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
    Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
    world's premier technical IT security event! 10 tracks, 15 training sessions, 
    1,800 delegates from 30 nations including all of the top experts, from CSO's to 
    "underground" security specialists.  See for yourself what the buzz is about!  
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
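The diagnostic suggested above (sniff the outbound side, find the endpoints, and check whether the volume clusters in the middle of the night) as an added example that is not part of the thread. It assumes flow-style records of the form `<timestamp> <src>:<sport> <dst>:<dport> <bytes>` exported from a sniffer; the host address, the night window and all records are constructed.

```python
from collections import defaultdict
from datetime import datetime

SUSPECT_HOST = "192.0.2.10"      # assumed address of the server under suspicion
NIGHT_HOURS = range(0, 6)        # assumed "middle of the night" window, local time

# Constructed records: "<ISO timestamp> <src>:<sport> <dst>:<dport> <bytes>"
FLOW_LOG = """\
2003-06-29T02:14:05 192.0.2.10:20 198.51.100.7:41022 734003200
2003-06-29T02:31:40 192.0.2.10:20 203.0.113.55:51833 512000000
2003-06-29T03:05:12 192.0.2.10:20 198.51.100.7:41077 655360000
2003-06-29T14:20:01 192.0.2.10:80 203.0.113.9:33104 120000
2003-06-29T15:02:44 203.0.113.9:33105 192.0.2.10:80 4096
2003-06-30T01:47:19 192.0.2.10:20 198.51.100.7:41150 891289600
"""

def parse_flows(text):
    """Yield (timestamp, src, sport, dst, dport, nbytes) for each record."""
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), sip, int(sport), dip, int(dport), int(nbytes)

def outbound_endpoints(text, host=SUSPECT_HOST):
    """Bytes sent by `host`, keyed by remote endpoint, largest first."""
    totals = defaultdict(int)
    for _, sip, _, dip, _, nbytes in parse_flows(text):
        if sip == host:
            totals[dip] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def night_share(text, host=SUSPECT_HOST, night=NIGHT_HOURS):
    """Fraction of the host's outbound bytes that were sent inside the night window."""
    night_bytes = total = 0
    for ts, sip, _, _, _, nbytes in parse_flows(text):
        if sip == host:
            total += nbytes
            if ts.hour in night:
                night_bytes += nbytes
    return night_bytes / total if total else 0.0

if __name__ == "__main__":
    for dst, nbytes in outbound_endpoints(FLOW_LOG):
        print(f"{dst:16} {nbytes / 1e6:10.1f} MB")
    print(f"night-time share of outbound volume: {night_share(FLOW_LOG):.1%}")
```

A few remote addresses receiving gigabytes from a web host almost entirely between midnight and 06:00 is the pattern Chris is describing; the same counters over a normal day give a baseline to compare against.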
