Security Incidents mailing list archives
DDoSed
From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Wed, 19 Jul 2000 01:26:44 -0700
Hi all - I'm a security consultant with Fry's Electronics, a major electronics chain on the west coast. The DNS entry for our web site, www.frys.com, went up a few weeks ago, and we had our first attack tonight.

At about 4:00 PM, a flurry of what looks like ACK packets (still analyzing the sniffer logs) started hitting our web server. I didn't realize that we had been attacked, due to a misconfiguration of the emergency notification system on our network flight recorder, until about 8:00 PM, at which time I was investigating reports of an internal host not being able to get outside to the Internet. I was pretty shocked when I saw our core switch and CSU/DSU with solid tx/rx lights. Our upstream provider, AGIS/Telia, said that they were experiencing widespread failure on most of their routers within their AS, and I'm still not sure whether that problem is related to our attack.

The source addresses didn't appear to be spoofed, and were all within the same 4 subnets in the 64.0.0.0 network. It appears that the attacker scanned for vulnerable hosts within those four subnets, and then used those as a launch platform for the attack against us. The strange thing is that the packets were all the same, and the destination port sequence was the same (five sequential ports starting from a random base port, then again from another random base port) be coordinated, but the source hosts were different platforms (NT and UNIX). There was also some weak evidence that the attacks were coordinated. I've already contacted all the other ISPs and had them call the same FBI office so we're all dealing with the same FBI agent.

Does anyone know of a cross-platform DDoS tool that would give results like this?

Things I learned:

The FBI regional field office in our area may not be the office that the Computer Crimes unit is in. Get their number for your emergency procedures binder.

Make sure that you have at least one host on each of your networks that is accessible without the LAN interface up, such as with a modem. If you can, wire it up so that it can page you through that modem. That's the mistake I made when configuring our network management workstation.

Ethereal can import a 150MB sniffer dump a lot faster on an Ultra/5 than on a PIII/600. I'm buying a dedicated traffic analysis workstation.

It will probably help a lot if your provider has a DDoS policy and will automatically filter out suspicious levels of traffic from a single host (or a group of hosts). It still doesn't protect you against spoofed addresses, but it would have saved us in this case.

I think that posting to the Incidents mailing list and your local sysadmin user group's mailing list should be a part of your post break-in procedures. I'm sure other people are getting nailed by the same people that hit us, and I don't see any trace of it on Incidents, LISA, or any other mailing lists I subscribe to. I really wish I knew other people made an effort to make these things known so I don't have to think we're the only people getting hit.

- Jason

PS: I'm going to milk all the educational value out of this attack as I can; I'm owed that much for dealing with this mess. Look forward to my analysis of the sniffer logs. Our web site isn't even up yet, and we get attacked :P They told me when I took this assignment that people have issues with Fry's return policy, but I had no idea how hard they took it :)
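The traffic pattern Jason describes (identical bare ACK segments, destination ports arriving in runs of five sequential ports from a random base, sources clustered in a handful of /24s) is the kind of thing you can check for mechanically once you have the capture. The following is an added example, not code from the original post, from Fry's, or from any tool mentioned in the thread. The log format and the sample lines are constructed for the example (the 64.x addresses are illustrative, not the real sources); the run length of five and the /24 grouping are taken from the post, and the per-source threshold is the kind of filter the author says he wished his provider had applied:

```python
"""Spot the sequential-port bare-ACK flood pattern in a packet log.

Added example. Input lines are a constructed tcpdump-like format:
    "SRC_IP:SPORT > DST_IP:DPORT FLAGS PAYLOAD_LEN"
where FLAGS uses tcpdump's letters (S = SYN, A = ACK, PA = PSH+ACK).
"""
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample: two attacking hosts inside 64.10.0.0/16 sending
# zero-payload ACKs to five consecutive ports per burst, plus one
# legitimate client (192.0.2.7) completing a normal HTTP connection.
SAMPLE_LOG = """\
64.10.1.5:1234 > 10.0.0.80:40001 A 0
64.10.1.5:1234 > 10.0.0.80:40002 A 0
64.10.1.5:1234 > 10.0.0.80:40003 A 0
64.10.1.5:1234 > 10.0.0.80:40004 A 0
64.10.1.5:1234 > 10.0.0.80:40005 A 0
64.10.1.5:1234 > 10.0.0.80:27310 A 0
64.10.1.5:1234 > 10.0.0.80:27311 A 0
64.10.1.5:1234 > 10.0.0.80:27312 A 0
64.10.1.5:1234 > 10.0.0.80:27313 A 0
64.10.1.5:1234 > 10.0.0.80:27314 A 0
64.10.2.9:5555 > 10.0.0.80:31000 A 0
64.10.2.9:5555 > 10.0.0.80:31001 A 0
64.10.2.9:5555 > 10.0.0.80:31002 A 0
64.10.2.9:5555 > 10.0.0.80:31003 A 0
64.10.2.9:5555 > 10.0.0.80:31004 A 0
192.0.2.7:43210 > 10.0.0.80:80 S 0
192.0.2.7:43210 > 10.0.0.80:80 A 0
192.0.2.7:43210 > 10.0.0.80:80 PA 512
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts, in order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, _, dst, flags, length = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "flags": flags, "len": int(length),
        })
    return records


def count_sequential_runs(ports, run_len=5):
    """Count non-overlapping runs of run_len consecutive ascending ports.

    Each run may start from any base port, matching the post's
    "five sequential ports starting from a random base port".
    """
    runs, i = 0, 0
    while i + run_len <= len(ports):
        if all(ports[i + k] == ports[i] + k for k in range(run_len)):
            runs += 1
            i += run_len
        else:
            i += 1
    return runs


def flag_sources(records, run_len=5, min_runs=1):
    """Return {src_ip: run_count} for sources whose bare ACK segments
    (ACK flag only, zero payload) show the sequential-port pattern.

    Normal traffic (SYNs, data-carrying PSH+ACKs, single ACKs to one
    port) does not accumulate runs and is left alone.
    """
    ports_by_src = defaultdict(list)
    for r in records:
        if r["flags"] == "A" and r["len"] == 0:
            ports_by_src[r["src"]].append(r["dport"])
    flagged = {}
    for src, ports in ports_by_src.items():
        runs = count_sequential_runs(ports, run_len)
        if runs >= min_runs:
            flagged[src] = runs
    return flagged


def group_by_subnet(sources, prefixlen=24):
    """Group flagged sources by /prefixlen so the handful of subnets the
    attacker compromised stand out as candidate filter targets."""
    groups = defaultdict(list)
    for src in sorted(sources):
        net = ip_interface(f"{src}/{prefixlen}").network
        groups[str(net)].append(src)
    return dict(groups)


if __name__ == "__main__":
    flagged = flag_sources(parse_log(SAMPLE_LOG))
    for net, hosts in group_by_subnet(flagged).items():
        print(net, "->", ", ".join(f"{h} ({flagged[h]} runs)" for h in hosts))
```

The grouping step is what turns a list of noisy hosts into the short list of subnets you would hand to an upstream provider for filtering. As the post notes, none of this helps when the source addresses are spoofed; it only works here because they were not.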
Current thread:
- DDoSed Jason Spence (Jul 19)
- Re: DDoSed Fredrik Ostergren (Jul 26)