Security Incidents mailing list archives
wake up & smell the DDoS
From: azimuth <lozah () io com>
Date: Wed, 13 Sep 2000 00:14:40 CDT
Howdy everyone, I have a few questions for the list.

The attached alerts from snort suggest outgoing activity from the Shaft DDoS tool -- actually directed to IP 0.0.0.0. A little odd. Perhaps someone's testing their tool before they put it to good hard use? The activity also triggered the "misc-traceroute TCP" alert. It's curious that two different hosts are choosing the same source/dest port pair for communication with a third host, yet the pair is different for each "round" of traffic. Can someone ascribe this behavior to ... anything?

After seeing these alerts, the admin for the network in question is not overly concerned about what's happening (please, .edu flames > /dev/null). The activity only lasted 5 minutes on two different occasions (both Saturdays), so I can see why he's not making this a priority. Myself, I've learned if I get any warning before the real problems start, I've been lucky :-)

Does anyone have any tips on waking up an admin about questionable activity on their network? This is a coworker, not a faceless admin on another continent.

The box that logged this traffic (x.x.x.237) plays a remote role with the systems I manage, but is physically present on the other admin's network and not wholly under my supervision. Checking this host for signs of intrusion hasn't turned up anything, but I haven't been able to look at it while this activity is occurring, nor do I have physical access to conduct an offline analysis. I've also scanned [after the fact] the hosts in question for the default Shaft handler & agent ports, which didn't turn up anything. Not too surprising if the tool has been modified.

If someone can offer insight / advice (especially wrt the unconcerned admin), I'm much obliged. Politics suck.

thanks,
az
Attachment: ddos