Security Incidents mailing list archives
Re: Ping flood? Whats the point?
From: genex69 () HOTMAIL COM (Andy David)
Date: Thu, 3 Feb 2000 20:00:33 CST
I have also experienced this sort of attack. I figured it to be a modified version of stream.c. The only way I was able to make any sense of the flood was that my firewall saved some packets... well, a lot in this case. The IPs of course were spoofed, but the only way I was really able to tell was after decoding some of the packets my firewall captured (from different IPs) I found that the sender's MAC address was identical throughout the entire attack.
From: Don <Don () TECHISG ORG>
Reply-To: Don <Don () TECHISG ORG>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Ping flood? Whats the point?
Date: Wed, 2 Feb 2000 19:37:45 +0100

Well, I experienced the same problem myself once. Since the number of IPs is too large, it can't be possible for the flooder to "own" them all.

My conclusion was that they are spoofed IPs coming from one or several hosts. Because all IPs are random and spoofed it will not be possible to trace them. It's most likely the flooder is trying to flood you down so that it's impossible for the target host to do anything. I have seen several programs capable of doing this, one of them is "trinnoo flood network" or something like this. It operates by running client software on computers which can be triggered by a server and then the flooding begins. As far as I know there's nothing you can do to trace the flooder... (could it be possible to trace via ARP stuff?)

--
Don
Don () TechISG org
TechISG Organization
http://www.TechISG.org

Bill Pennington wrote:

A few moments ago my firewall logs started filling up with the messages below. Basically ICMP Echos from all over the place. I have not had a lot of time to research but it seems like a fairly random IP address distribution and the few that I looked up seemed to originate from .kr and .ar. Should I assume that all these boxes have been compromised? Should I attempt to contact all the owners? What is the attacker trying to accomplish? Below is a small portion of the log file.

*snip*

--
Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
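The check described in the message above (many different source IPs arriving behind one source MAC), written out as an added example that is not part of the original posts. It assumes the capture holds raw Ethernet II frames carrying IPv4; the frames, MACs, addresses, threshold and function names are constructed for illustration. On a routed path the source MAC the firewall sees belongs to the adjacent upstream device, so a match shows which link-layer neighbour delivered the traffic.

```python
from collections import defaultdict

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 header
        return None
    if frame[12:14] != b"\x08\x00":          # EtherType must be IPv4
        return None
    if frame[14] >> 4 != 4:                  # IP version nibble
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    return src_mac, src_ip

def ips_per_mac(frames):
    """Map each source MAC to the set of IPv4 source addresses seen behind it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return seen

def suspicious_macs(frames, threshold=3):
    """MACs that carried at least `threshold` distinct source IPs (assumed cutoff)."""
    return {mac: sorted(ips) for mac, ips in ips_per_mac(frames).items()
            if len(ips) >= threshold}

def build_frame(src_mac, src_ip, dst_ip="192.0.2.10"):
    """Build a constructed ICMP-over-IPv4 frame header for the sample data."""
    eth = bytes.fromhex("00005e0053ff") + bytes.fromhex(src_mac.replace(":", ""))
    eth += b"\x08\x00"
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0])   # proto 1 = ICMP
    ip += bytes(int(o) for o in src_ip.split("."))
    ip += bytes(int(o) for o in dst_ip.split("."))
    return eth + ip

# Constructed sample: four "different" senders share one MAC, one host does not.
SAMPLE = [
    build_frame("00:00:5e:00:53:01", "198.51.100.7"),
    build_frame("00:00:5e:00:53:01", "203.0.113.9"),
    build_frame("00:00:5e:00:53:01", "192.0.2.55"),
    build_frame("00:00:5e:00:53:01", "198.51.100.200"),
    build_frame("00:00:5e:00:53:02", "192.0.2.20"),
    b"\x00" * 10,                            # truncated frame, ignored
]

if __name__ == "__main__":
    for mac, ips in suspicious_macs(SAMPLE).items():
        print(mac, "carried", len(ips), "source IPs:", ", ".join(ips))
```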
Current thread:
- Ping flood? Whats the point? Bill Pennington (Feb 01)
- Re: Ping flood? Whats the point? Ryan Sweat (Feb 02)
- <Possible follow-ups>
- Re: Ping flood? Whats the point? Don (Feb 02)
- tracing spoofing (Was Re: Ping flood? Whats the point?) Dragos Ruiu (Feb 03)
- Re: Ping flood? Whats the point? Andy David (Feb 03)
- Re: Ping flood? Whats the point? Bill Pennington (Feb 05)
- Re: Ping flood? Whats the point? Russell Fulton (Feb 06)
- Re: Ping flood? Whats the point? Chuck Phillips (Feb 05)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 07)
- Re: Ping flood? Whats the point? Filip M. Gieszczykiewicz (Feb 08)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 08)
- Re: Ping flood? Whats the point? Russell Fulton (Feb 09)
- Re: Ping flood? Whats the point? Thomas Vincent (Feb 09)
- Re: Ping flood? Whats the point? Filip M. Gieszczykiewicz (Feb 09)
- Re: Ping flood? Whats the point? Kerry Baker (Feb 07)