Security Incidents mailing list archives

Re: Smurf Broadcast DoS attack


From: Avleen Vig <incidenthandling () ivision co uk>
Date: Fri, 24 Aug 2001 15:46:06 +0100

Please have a look at:
    http://www.ircnetops.org/smurf
It's the home page of the SAFE project which I run. Can you see if any
of the IP addresses that attacked you are in the database?
If they are I will jump on the admins. They've been told at least twice
that most of them are running open amplifiers.


Thanks,
Avleen Vig

On Thu, Aug 23, 2001 at 12:35:14PM +0200, X wrote:

Hello,

Yesterday, one of the servers I admin was attacked by a massive broadcast of
ICMPs. The typical 'smurf' attack.

I am working on discovering who did it:

During the attack, I loaded tcpdump and redirected its output to a
logfile to study and analyze it later. 

Once I had the log in my hands, I took the perl interpreter and wrote several
scripts to search for some evidence, like ICMPs made from the attacker to test
the ping response or, in other words, to know the sharpness of his/her
attack.

All the IPs that sent the ICMP packets were not alone; I mean that they
were in a series of IPs, that is, class B and C Internet networks -->
broadcasts. All of them were from other countries. I continued looking for
some evidence.

I found a clue when I saw some ICMP echoes to the victim's IP coming from
a national ISP. That is a subscriber IP from that ISP, perhaps the
attacker.

I think that way because if I were the attacker, I would make some pings
to the victim to see if he is knocked out. Perhaps the attacker didn't
think that I was logging, or that I would be able to find his IP.

I have to tell you that the attacked server does not have any service; it is not
known by anyone. I use it to develop and test software. It is an old
SGI Indigo 2. So it does not have any traffic to/from outside my network. That
brings me to suspect that this national-ISP IP was the attacker.

I attach to this mail the list of IPs, some of them resolved, that sent
the broadcast ICMPs.
I contacted my frame-relay provider and sent them the details of the
attack.
I also contacted the suspect ISP and told them that IP and the hour it
happened.

This mail could open a discussion about Internet insecurity, how to
avoid these attacks, possible solutions, possible ways to analyze the
results.

Nothing more,

luck!


-- 

Xavi Torres <admin () area66 com>
Systems Administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



-- 

Avleen Vig, Systems Administrator                
Email: avleen () ivision co uk               Mobile: (07974) 100 573

Internet Vision                                Tel: 020 7589 4500
60 Albert Court                                Fax: 020 7589 4522
Prince Consort Road                            info () ivision co uk
London. SW7 2BE                         http://www.ivision.co.uk/
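The kind of log analysis Xavi describes (echo replies arriving in runs from whole network ranges, plus lone echo requests from a single address that may be the attacker checking whether the victim is down), as an added Python example that is not part of this thread or of the SAFE project. The tcpdump lines are constructed in current tcpdump's ICMP output format; the victim address, the /24 grouping and the three-host threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample capture (not the original poster's log): two /24 ranges
# answer with echo replies (smurf amplifiers), one host inside an amplifier
# range sends a request, and one outside host pings the victim twice.
SAMPLE_LOG = """\
14:02:01.100 IP 198.51.100.1 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.101 IP 198.51.100.2 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.102 IP 198.51.100.3 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.103 IP 198.51.100.4 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.110 IP 192.0.2.10 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.111 IP 192.0.2.11 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:01.112 IP 192.0.2.12 > 203.0.113.9: ICMP echo reply, id 1, seq 1, length 64
14:02:02.000 IP 192.0.2.13 > 203.0.113.9: ICMP echo request, id 4, seq 1, length 64
14:02:05.000 IP 100.64.7.77 > 203.0.113.9: ICMP echo request, id 9, seq 1, length 64
14:02:06.000 IP 100.64.7.77 > 203.0.113.9: ICMP echo request, id 9, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

def parse_icmp(log_text):
    """Yield (timestamp, src, dst, kind) for ICMP echo lines; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("kind")

def analyze(log_text, victim, min_hosts=3):
    """Return (amplifiers, probes): /24 ranges with at least min_hosts distinct
    reply sources, and echo-request senders that sit outside those ranges."""
    reply_hosts = defaultdict(set)   # /24 network -> reply source addresses
    requesters = defaultdict(int)    # source address -> echo requests sent
    for _ts, src, dst, kind in parse_icmp(log_text):
        if dst != victim:
            continue
        if kind == "reply":
            reply_hosts[ip_network(f"{src}/24", strict=False)].add(src)
        else:
            requesters[src] += 1
    amplifiers = {str(n): sorted(h) for n, h in reply_hosts.items() if len(h) >= min_hosts}
    # A requester inside an amplifier range is just another reflector; one
    # outside every amplifier range is the candidate worth reporting to its ISP.
    probes = {s: c for s, c in requesters.items()
              if not any(ip_address(s) in ip_network(n) for n in amplifiers)}
    return amplifiers, probes
```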


