Security Incidents mailing list archives

wake up & smell the DDoS


From: azimuth <lozah () io com>
Date: Wed, 13 Sep 2000 00:14:40 CDT

Howdy everyone,

I have a few questions for the list.  The attached alerts from snort
suggest outgoing activity from the Shaft DDoS tool -- actually directed
to IP 0.0.0.0.  A little odd.  Perhaps someone's testing their tool
before they put it to good hard use?  The activity also triggered the
"misc-traceroute TCP" alert.  It's curious that two different hosts are
choosing the same source/dest port pair for communication with a third
host, yet the pair is different for each "round" of traffic.  Can someone
ascribe this behavior to ... anything?

After seeing these alerts, the admin for the network in question is not
overly concerned about what's happening (please, .edu flames >
/dev/null).  The activity only lasted 5 minutes on two different
occasions (both Saturdays), so I can see why he's not making this a
priority.  Myself, I've learned if I get any warning before the real
problems start, I've been lucky :-)   Does anyone have any tips on waking
up an admin about questionable activity on their network?  This is a
coworker, not a faceless admin on another continent.

The box that logged this traffic (x.x.x.237) plays a remote role with the
systems I manage, but is physically present on the other admin's network
and not wholly under my supervision.  Checking this host for signs of
intrusion hasn't turned up anything, but I haven't been able to look at
it while this activity is occurring, nor do I have physical access to
conduct an offline analysis.  I've also scanned [after the fact] the
hosts in question for the default Shaft handler & agent ports, which
didn't turn up anything.  Not too surprising if the tool has been
modified.

If someone can offer insight / advice (especially wrt the unconcerned
admin), I'm much obliged.  Politics suck.

thanks,
az

Attachment: ddos
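Added example, not part of az's post or the attached alerts: a small Python script that reads Snort-style alert lines and pulls out the two things the post flags, namely distinct source hosts reusing one source/destination port pair toward a single third host (a different pair per round), and anything addressed to 0.0.0.0. It also notes hits on the published Shaft defaults (handler TCP/20432, agent UDP/18753, agent-to-handler UDP/20433); treat those as an assumption, since, as the post says, a modified tool need not use them. The alert lines, addresses and the simplified fast-alert layout are constructed for this example.

```python
import re
import sys
from collections import defaultdict

# Published Shaft defaults (handler TCP/20432, agent UDP/18753,
# agent->handler UDP/20433). Assumption for this example only: a
# modified Shaft can listen anywhere, which is the post's own caveat.
SHAFT_PORTS = {("TCP", 20432), ("UDP", 18753), ("UDP", 20433)}

# Simplified Snort fast-alert style line, constructed for this example.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>TCP|UDP|ICMP)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (not the post's attachment): two rounds in
# which two hosts share one source/dest port pair toward 0.0.0.0, plus
# one unrelated alert that must not be flagged.
SAMPLE_ALERTS = """\
09/09-14:02:11.000001 [**] DDOS shaft agent to handler [**] {UDP} 192.0.2.10:31337 -> 0.0.0.0:20433
09/09-14:02:11.250000 [**] DDOS shaft agent to handler [**] {UDP} 192.0.2.44:31337 -> 0.0.0.0:20433
09/09-14:02:11.500000 [**] misc-traceroute TCP [**] {TCP} 192.0.2.10:31337 -> 0.0.0.0:20433
09/09-14:05:40.000001 [**] DDOS shaft agent to handler [**] {UDP} 192.0.2.10:40001 -> 0.0.0.0:20433
09/09-14:05:40.300000 [**] DDOS shaft agent to handler [**] {UDP} 192.0.2.44:40001 -> 0.0.0.0:20433
09/09-14:06:02.000000 [**] INFO web access [**] {TCP} 192.0.2.99:52000 -> 198.51.100.7:80
"""


def parse_alert(line):
    """Return the fields of one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["sport"] = int(a["sport"])
    a["dport"] = int(a["dport"])
    return a


def correlate(lines):
    """Group alerts by (dst host, src port, dst port) and report:
    - shared_pairs: port pairs used by more than one source toward the same dst
    - to_null: sources that sent anything to 0.0.0.0
    - default_shaft_ports: (src, proto, dport) hits on the published Shaft defaults
    """
    by_pair = defaultdict(set)
    to_null = set()
    shaft_hits = set()
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        by_pair[(a["dst"], a["sport"], a["dport"])].add(a["src"])
        if a["dst"] == "0.0.0.0":
            to_null.add(a["src"])
        if (a["proto"], a["dport"]) in SHAFT_PORTS:
            shaft_hits.add((a["src"], a["proto"], a["dport"]))
    shared = {pair: sorted(srcs) for pair, srcs in by_pair.items() if len(srcs) > 1}
    return {
        "shared_pairs": shared,
        "to_null": sorted(to_null),
        "default_shaft_ports": sorted(shaft_hits),
    }


def main(argv):
    # With a file argument, read a real alert file; otherwise use the sample.
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_ALERTS.splitlines()
    r = correlate(lines)
    for (dst, sport, dport), srcs in sorted(r["shared_pairs"].items()):
        print(f"shared pair {sport}->{dport} toward {dst}: {', '.join(srcs)}")
    print("sources talking to 0.0.0.0:", ", ".join(r["to_null"]) or "none")
    for src, proto, dport in r["default_shaft_ports"]:
        print(f"default Shaft port hit: {src} -> {proto}/{dport}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or point it at a fast-alert file in the same layout. A port pair shared by several sources is cheap to compute and is exactly the kind of concrete, repeatable observation that is easier to put in front of a reluctant admin than a single alert name.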

