Re: Info on the DoS attacks.

[Joe Shaw <jshaw () insync net>]

On Wed, 9 Feb 2000, Rodney Caston wrote:

> I spoke with a person that claimed to understand the attacks that are
> going on, while I have no proof, I offer this as an example of what to
> look for on your own systems. So I am presenting this only as a possible
> example of what has taken place, and until proven correct I concede this
> is only a "rumor."

Do a search of the Bugtraq archives for trinoo, tribe, etc, or take at
look at Dave Dittrich's page at http://www.washington.edu/People/dad/.  He  
posted detailed breakdowns of the discovered DDoS daemons in December for
the CERT workshop on DDoS's from last year.

Verbose information on these attacks has been available since
November/December of 1999.

> Basically it began by combining many scripts already in use for scanning
> system security holes, the script initially scans a range of IPs scanning
> each target system for various known exploits, once a system is

> One final note, a friend from Verio suggested that in the above scenario
> that this daemon would probaly be using TCP to be communicated with as UDP
> is more difficult for alot of people to code.

Some are using ICMP, and UDP is not that hard to code, especially if the
programs are just combinations of scripts that have already been written.

> Rodney L. Caston
> Southwestern Bell 
> Internet Services

On a totally unrelated note, you guys really should start participating in
the local peering points.  Your connectivity in large metro areas like
Houston, TX would greatly benefit from it.  MAGIE and Compaq/Insync NAP
connections would make a lot of SBC DSL users very happy, since a lot of
their traffic is local content.

--
Joseph W. Shaw - jshaw () insync net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."