Security Incidents mailing list archives
Re: wake up & smell the DDoS
From: "Johnson, Greg" <JohnsonG () MISSOURI EDU>
Date: Fri, 15 Sep 2000 18:09:58 -0500
"Azimuth" observed:
The attached alerts from snort suggest outgoing activity from the Shaft DDoS tool ... Checking this host for signs of intrusion hasn't turned up anything...
This week I saw activity like this from several IP addresses in the same two subnets. Indeed the outsider whose portsentry reported the problems listed IP addresses of several place-holders: systems which are not now connected nor have ever been officially connected. Sounds like source forging + probably a sniffer in the same subnets.

We've got egress source sanity-filtering on our internet connections. Getting this worked down to the lower levels will take time. Mmm, switches. In the meantime we're sniffing and tweaking routers.

Encourage the other admin to sniff/snort--or be ready to--the affected subnet. See: http://www.nwfusion.com/research/2000/0828feat2.html

It's a safe bet that source forging exploitations will get bigger and bigger. Prepare now and look like a hero later, or... get caught unprepared.

--
Greg Johnson - 573-882-5008
Computing and Network Security Office
University of Missouri, Columbia MO 65211
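An added example, not part of the original message: a sketch of the source sanity check the message describes, applied per subnet rather than only at the internet border, so that in-prefix addresses with no real host behind them (the "place-holders") stand out. The prefixes, host inventory, flow records and function names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed site data (assumption): documentation prefixes stand in for the two subnets.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]
# Constructed inventory of addresses that really have a host attached.
ASSIGNED = {ipaddress.ip_address(a)
            for a in ("192.0.2.10", "192.0.2.11", "198.51.100.5")}

# Constructed outbound flows: (subnet the capture ran on, src, dst, dst_port)
SAMPLE_FLOWS = [
    ("192.0.2.0/24",    "192.0.2.10",   "203.0.113.7", 80),
    ("192.0.2.0/24",    "192.0.2.200",  "203.0.113.7", 33000),
    ("192.0.2.0/24",    "192.0.2.201",  "203.0.113.7", 33000),
    ("192.0.2.0/24",    "198.51.100.5", "203.0.113.7", 33000),
    ("198.51.100.0/24", "10.9.8.7",     "203.0.113.7", 33000),
    ("198.51.100.0/24", "198.51.100.5", "203.0.113.9", 443),
]

def classify(seen_on, src):
    """Judge one source address against the subnet it was captured on."""
    addr = ipaddress.ip_address(src)
    home = next((n for n in SITE_PREFIXES if addr in n), None)
    if home is None:
        return "foreign"        # a border egress filter already drops these
    if home != ipaddress.ip_network(seen_on):
        return "wrong_subnet"   # passes the border filter, caught only per subnet
    if addr not in ASSIGNED:
        return "unassigned"     # right prefix, but no host was ever connected there
    return "assigned"

def audit(flows):
    """Return (verdict counts, {subnet: sorted unassigned sources seen on it})."""
    counts, suspects = Counter(), {}
    for seen_on, src, _dst, _dport in flows:
        verdict = classify(seen_on, src)
        counts[verdict] += 1
        if verdict == "unassigned":
            suspects.setdefault(seen_on, set()).add(src)
    return counts, {net: sorted(ips) for net, ips in suspects.items()}

if __name__ == "__main__":
    counts, suspects = audit(SAMPLE_FLOWS)
    print(dict(counts))
    for net, ips in suspects.items():
        print(f"capture on {net}: forged in-prefix sources {ips}")
```

Only the "foreign" verdict is stopped by filtering at the internet connection; "wrong_subnet" and "unassigned" sources leave the site unless the check is applied closer to the hosts.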