Security Incidents mailing list archives
Re: DDoS attack.
From: Glenn Forbes Fleming Larratt <glratt () rice edu>
Date: Fri, 25 Jan 2002 13:04:49 -0600 (CST)
A "tcpdump -ner" will show you the MAC address or addresses your tcpdump host sees for this traffic. That address or addresses will either belong to the source host, or a core router through which it came. If it's a router, you'll need to trace back to which network on the other side of it, and iterate as necessary. A portable tcpdump host would come in handy to do so.

If it's a Cisco router, you might look into deploying the per-interface command "ip verify unicast reverse-path" (I think - I may have misremembered the syntax), which automatically prevents spoofing beyond the scope of the LAN segment. Check this command out at www.cisco.com.

-g

On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:
Date: Fri, 25 Jan 2002 12:23:26 -0600
From: Daniel F. Chief Security Engineer - <danielf () supportteam net>
To: incidents () securityfocus com
Subject: DDoS attack.

I'm looking for help tracing this attack down. It's coming from my network with spoofed IPs to the 216.200.108.194 IP, which is not on my network, so it's an outbound attack. Also, none of the source IPs are on my network. I have blocked the outgoing traffic at the firewalls so it is not leaving my network. Here is a short tcpdump of the traffic.

11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535

It's got all the signs of a DDoS attack: the window size is always the same, the dst ports are incrementing by one every time, and the source IP is randomized. I cannot find the machine(s) that are generating this, as I have a very large interconnected (cluster $#@!) network that I inherited, which contains well over 1600 hosts.

TIA
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt () rice edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
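As an added example (not code from either poster), the following Python parses the five tcpdump lines quoted in the thread and applies both tests discussed: the three flood signs Daniel lists (constant window, rising destination ports, non-repeating sources) and a uRPF-style "is this source ours?" check of the kind Glenn's router command automates. The local prefix list is a hypothetical placeholder; the packet text is the sample from the thread.

```python
import ipaddress
import re
from collections import Counter

# Sample input: the five tcpdump lines quoted in the thread (tcpdump 3.x
# layout "src.port > dst.port: S seq:seq(0) win N"), embedded here as data.
SAMPLE = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+) .*win (?P<win>\d+)"
)

def parse(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "win"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts

def spoof_check(pkts, local_prefixes):
    """uRPF-style test at the border: an outbound packet whose source is not
    in any local prefix, or is not a valid unicast source at all, is spoofed.
    local_prefixes is a hypothetical placeholder for the site's own address space."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    spoofed = []
    for p in pkts:
        src = ipaddress.ip_address(p["src"])
        bogus = src.is_multicast or src.is_reserved or src.is_unspecified
        if bogus or not any(src in n for n in nets):
            spoofed.append(p["src"])
    return spoofed

def flood_signature(pkts):
    """The signs named in the thread: one window size, destination ports
    stepping upward, every source address seen only once, all bare SYNs."""
    wins = {p["win"] for p in pkts}
    dports = [p["dport"] for p in pkts]
    srcs = Counter(p["src"] for p in pkts)
    return {
        "constant_window": len(wins) == 1,
        "dports_increasing": all(a < b for a, b in zip(dports, dports[1:])),
        "sources_unique": max(srcs.values()) == 1,
        "all_syn": all(p["flags"] == "S" for p in pkts),
    }
```

Run against the sample with a local prefix such as 192.0.2.0/24 (placeholder), every source is flagged, and the two multicast/reserved sources (226.x, 255.x) would be flagged even if the prefix list were unknown.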