Security Incidents mailing list archives
Re: Packet from port 80 with spoofed microsoft.com ip
From: "zmajd fully" <istoleyourmonkeys () hairdresser net>
Date: Mon, 03 Feb 2003 18:27:59 -0500
Hi Hulio,

Thanks for your response and help both on and off list.

I have been able to link the DDoS packet to MSDN. Apparently it is back scatter from some sort of p2p worm/hydra. Back scatter happens when kiddiez on the mIRC want 2 take over channels and they send the packets with the spoofed IP using some toolz like on www.rootshell.com or underground.org.

At the moment the DDoS only affects windows/MSDN on intel, the solaris MSDN/sql server isn't affected, but apparently a port is in the workz by some guys from #sage-au (./hack chanl) on oz.org. I got some packets in the IDS for the sparcs here last night, but SUN says they won't have a patch yet till they fix some bugs.

I believe you can detect the attack with tcpdump or snoop, but u have 2 be careful cos the tpm/sage-au guys have a thing 2 make it crash and open other ports which could further open u 2 DDoS attacks of this nature.

Thanks Again.

Alvin.
Senior Network/Security Engineer.
:: D i V E R S E - I N T E R N E T ::
"Diverse - The future is now"

Hulio Cortez ruxed some lyrix like:
Hello there Alvin,

Do you know if these packets will affect other operating systems than Microsoft? Is this only if MSDN is installed?

If the DDOS network is being constructed in this fashion then there could be problems with lots of non patched other systems and also Microsoft. It is very subtle and hard to detect without closely monitoring your intrusion logs.

Thank you for talking to your friend in NIPC as he must be very busy at this time!!! I am sure other readers appreciate this too.

Hulio Cortez
CCNA
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com