Security Incidents mailing list archives

Re: Ping flood? Whats the point?


From: genex69 () HOTMAIL COM (Andy David)
Date: Thu, 3 Feb 2000 20:00:33 CST


I have also experienced this sort of attack.  I figured it to be a modified
version of stream.c.  The only way I was able to make any sense of the flood
was that my firewall saved some packets....well, a lot in this case.  The IPs
of course were spoofed, but the only way I was really able to tell was after
decoding some of the packets my firewall captured (from different IPs) I
found that the sender's MAC address was identical throughout the entire
attack.

From: Don <Don () TECHISG ORG>
Reply-To: Don <Don () TECHISG ORG>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Ping flood? Whats the point?
Date: Wed, 2 Feb 2000 19:37:45 +0100
Message-ID:  <38987979.D02113EA () TechISG org>
Organization: TechISG

Well, I experienced the same problem myself once. Since the number of
IPs is too large, it can't be possible for the flooder to "own" them
all.
My conclusion was that they are spoofed IPs coming from one or several
hosts. Because all IPs are random and spoofed it will not be possible
to trace them.
It's most likely the flooder is trying to flood you down so that it's
impossible for the target host to do anything.

I have seen several programs capable of doing this; one of them is
"Trinoo flood network" or something like this. It operates by running
client software on computers which can be triggered by a server, and then
the flooding begins.

As far as I know there's nothing you can do to trace the flooder...
(could it be possible to trace via ARP stuff?)

--

_________________________
|Don                    |
|Don () TechISG org        |
|TechISG Organization   |
|http://www.TechISG.org |
-------------------------

Bill Pennington wrote:

A few moments ago my firewall logs started filling up with the messages
below. Basically ICMP Echos from all over the place. I have not had a lot
of time to research, but it seems like a fairly random IP address
distribution, and the few that I looked up seemed to originate from .kr
and .ar.
Should I assume that all these boxes have been compromised? Should I
attempt to contact all the owners? What is the attacker trying to
accomplish? Below is a small portion of the log file.
*snip*
--

Bill Pennington
IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com

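Andy's clue above, many different (spoofed) source IPs all arriving in frames with one and the same source MAC, can be turned into a check over captured firewall log lines. This is an added example and not code from anyone in the thread; the log line format, the sample lines and the ratio threshold are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread):
# timestamp, ICMP type, source IP and the source MAC of the frame.
SAMPLE_LOG = """\
2000-02-02 19:01:10 ICMP echo-request src=203.0.113.7 mac=00:a0:c9:11:22:33
2000-02-02 19:01:10 ICMP echo-request src=198.51.100.44 mac=00:a0:c9:11:22:33
2000-02-02 19:01:11 ICMP echo-request src=192.0.2.91 mac=00:a0:c9:11:22:33
2000-02-02 19:01:11 ICMP echo-request src=203.0.113.250 mac=00:a0:c9:11:22:33
2000-02-02 19:01:12 ICMP echo-request src=198.51.100.3 mac=00:a0:c9:11:22:33
2000-02-02 19:01:12 ICMP echo-request src=192.0.2.17 mac=00:a0:c9:11:22:33
2000-02-02 19:01:13 ICMP echo-request src=10.0.0.5 mac=00:50:56:aa:bb:cc
2000-02-02 19:01:14 ICMP echo-request src=10.0.0.5 mac=00:50:56:aa:bb:cc
"""

LINE_RE = re.compile(r"^(\S+ \S+) ICMP echo-request src=(\S+) mac=(\S+)$")


def parse_log(text):
    """Yield (timestamp, src_ip, src_mac) for every ICMP echo-request line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def mac_source_stats(records):
    """Per source MAC: (number of echo requests, number of distinct source IPs)."""
    stats = defaultdict(lambda: {"packets": 0, "ips": set()})
    for _, ip, mac in records:
        stats[mac]["packets"] += 1
        stats[mac]["ips"].add(ip)
    return {mac: (s["packets"], len(s["ips"])) for mac, s in stats.items()}


def suspicious_macs(stats, min_packets=5, min_distinct_ratio=0.8):
    """MACs that sent many echo requests, nearly every one from a different
    source IP. A real host pinging from one address never looks like this;
    a flooder writing random source addresses into its packets does.
    Thresholds are hypothetical tuning knobs, not values from the thread."""
    return sorted(mac for mac, (packets, ips) in stats.items()
                  if packets >= min_packets and ips / packets >= min_distinct_ratio)


if __name__ == "__main__":
    stats = mac_source_stats(parse_log(SAMPLE_LOG))
    for mac in suspicious_macs(stats):
        print(f"{mac}: {stats[mac][1]} source IPs in {stats[mac][0]} echo requests")
```

The check only means something when the firewall sees the true sending host's MAC, as on a shared segment; on an interface fed by a single upstream router every inbound frame carries that router's MAC, so a shared MAC there says nothing about spoofing.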

