Security Incidents mailing list archives
DDoS to microsoft sites
From: "Mike Lewinski" <mike () rockynet com>
Date: Tue, 29 Jan 2002 16:23:51 -0700
We've observed two disparate clients apparently rooted (both are Win2K I
believe), being used to packet flood a variety of Microsoft sites (msn.com,
hotmail.com and microsoft.com itself).
Just a few seconds of IP accounting showed:
Destination       Packets   Bytes
64.4.32.251       14201     20940508
207.68.171.254    11862     17764328
64.4.32.1         12142     18184104
207.46.197.102    59698     89401960
These clients are on very different CIDR blocks (from the first octet). We
don't have any further information at this time, other than one client
saturated their T1 and the other saturated a 10Mb/s connection.
I haven't observed any noticeable impacts to the microsoft sites being
attacked. We have been able to track back the activity on MRTG graphs to
last Thurs for both clients. We investigated the traffic volume the first
day it appeared and at that time saw what appeared to be an attack against
two hosts in .fr and one in .de. The client assured us at this time it was
legitimate traffic.
A port scan of one of the infected hosts shows:
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
The client claims that they are not running Appletalk (548) but I'm not sure
whether to believe them. We haven't been able to get console access to that
machine to do any further investigation (but have blocked it upstream). Of
the above services, most look legit from what I can tell with the exception
of 548 and 1025-1027.
Mike
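The per-destination counters quoted in the post are the kind of data a defender first gets to look at. The following is an added example (not from the original post or its author) that parses such accounting output, computes average packet size and each destination's share of the total, and flags destinations that look like bandwidth-flood targets; the T1 rate and the near-MTU threshold are assumptions chosen for illustration.

```python
"""Flag likely flood targets in per-destination IP accounting output."""
from dataclasses import dataclass

# Constructed sample: the four counter lines quoted in the post above.
ACCOUNTING = """\
Destination Packets Bytes
64.4.32.251 14201 20940508
207.68.171.254 11862 17764328
64.4.32.1 12142 18184104
207.46.197.102 59698 89401960
"""

T1_BPS = 1_544_000      # assumed T1 line rate, bits per second
NEAR_MTU_BYTES = 1400   # assumed: averages this close to the MTU suggest a
                        # bandwidth flood rather than a SYN or ping flood

@dataclass
class Counter:
    dst: str
    packets: int
    nbytes: int

    @property
    def avg_size(self) -> float:
        """Average bytes per packet sent to this destination."""
        return self.nbytes / self.packets

def parse_accounting(text: str) -> list:
    """Parse 'dst packets bytes' rows, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        rows.append(Counter(parts[0], int(parts[1]), int(parts[2])))
    return rows

def seconds_at_rate(nbytes: int, bps: int) -> float:
    """How long a link of `bps` bits/s needs to carry `nbytes` bytes."""
    return nbytes * 8 / bps

def flag_flood_targets(rows: list, min_share: float = 0.10) -> list:
    """Return (dst, avg_packet_size, share_of_bytes), largest first,
    for destinations with near-MTU packets and a meaningful byte share."""
    total = sum(r.nbytes for r in rows)
    flagged = []
    for r in sorted(rows, key=lambda r: r.nbytes, reverse=True):
        share = r.nbytes / total
        if r.avg_size >= NEAR_MTU_BYTES and share >= min_share:
            flagged.append((r.dst, round(r.avg_size), round(share, 2)))
    return flagged
```

Running `flag_flood_targets(parse_accounting(ACCOUNTING))` on the sample shows every destination averaging close to 1500 bytes per packet, which is consistent with the saturated links described in the post.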