Security Incidents mailing list archives

Re: Packet from port 80 with spoofed microsoft.com ip


From: "zmajd fully" <istoleyourmonkeys () hairdresser net>
Date: Mon, 03 Feb 2003 18:27:59 -0500

Hi Hulio,
Thanks for your response and help both on and off list. I have been able
to link the DDoS packet to MSDN. Apparently it is back scatter from some
sort of p2p worm/hydra. Back scatter happens when kiddiez on the mIRC want
2 take over channels and they send the packets with the spoofed IP using some
toolz like on www.rootshell.com or underground.org.

At the moment the DDoS only affects windows/MSDN on intel, the solaris MSDN/sql
server isn't affected, but apparently a port is in the workz by some guys
from #sage-au (./hack chanl) on oz.org. I got some packets in the IDS for
the sparcs here last night, but SUN says they won't have a patch yet till
they fix some bugs.

I believe you can detect the attack with tcpdump or snoop, but u have
2 be careful cos the tpm/sage-au guys have a thing 2 make it crash and
open other ports which could further open u 2 DDoS attacks of this nature.

Thanks Again.

Alvin.
Senior Network/Security Engineer.
:: D i V E R S E - I N T E R N E T ::
   "Diverse - The future is now"

Hulio Cortez ruxed some lyrix like:

Hello there Alvin,
Do you know if these packets will affect other operating systems than Microsoft? Is this only
if MSDN is installed?
If the DDOS network is being constructed in this fashion then there could be problems with lots
of non patched other systems and also Microsoft. It is very subtle and hard to detect
without closely monitoring your intrusion logs.
Thank you for talking to your friend in NIPC as he must be very busy at this time!!! I am sure
other readers appreciate this too.

Hulio Cortez
CCNA



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com