Security Incidents mailing list archives

Re: could be slice?


From: Ryan Sweat <h3xm3 () SWBELL NET>
Date: Sat, 16 Dec 2000 19:13:30 -0600

     There are many tools that can send this kind of attack.  Most ddos
tools include this, although distributed dos is not required to render a box
useless.  A piece of code written a while back, stream.c, is still very
effective.  In effect it sends spoofed tcp connects to random ports.
Routers are vulnerable too.  This is not a bandwidth attack; it is most
likely that traffic to the rest of the network will be functional.

Here is a link to stream.c
ftp://ftp.technotronic.com/denial/stream-DoS.txt

ryan

----- Original Message -----
From: "Guilherme Mesquita" <guy () LINUXBR COM BR>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, December 16, 2000 5:00 PM
Subject: Re: could be slice?


Unfortunately you'll only be able to avoid this kind of attack using a
powerful filter in your gateway but you must be careful: this needs to be,
if possible, in your backbone. You won't be able to protect yourself from
your own box. But you can also check the option for TCP_SYN_COOKIES in your
kernel. This might help with excessive memory usage with TCP connections
(this is one of the effects those DoS SYN/ACK tools cause).

Well I think that's it. IPCHAINS isn't enough for this...

On Mon, 11 Dec 2000, Andrita Constantin wrote:
Date: Mon, 11 Dec 2000 11:52:19 +0200
To: INCIDENTS () SECURITYFOCUS COM
From: Andrita Constantin <aconstantin () EXPERT RO>
Reply-To: Andrita Constantin <aconstantin () EXPERT RO>
Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
Subject: could be slice?

Hello

For two weeks now I'm facing a problem with floods almost on a daily basis.

I get 3000 and more TCP SYN connections from random hosts. I've been
told that this might be generated by a tool called slice.

Can somebody point me in the right direction to find out how I can trace
the flooder?

Or can I do something to prevent/stop these attacks?

Regards

Andrita Constantin
------------------------------------------------
Is it progress if a cannibal uses a knife and fork?
--
.--------------------.
| Guilherme Mesquita |
| guy () linuxbr com br |
| UIN # 5864338      |
`--------------------'
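
An added example, not part of any message in this thread: a defender-side check that counts half-open (SYN_RECV) connections per listening port from `/proc/net/tcp`-style text and reports whether the SYN cookies sysctl mentioned above is enabled. The function names, thresholds and sample rows are constructed for illustration; the address decoding assumes a little-endian Linux host.

```python
from collections import Counter

SYN_RECV = "03"  # state code Linux prints in /proc/net/tcp for half-open sockets

def parse_addr(hex_addr):
    """'0100007F:0050' (little-endian IPv4 hex, port hex) -> ('127.0.0.1', 80)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def half_open_summary(proc_net_tcp_text):
    """Return {local_port: (half_open_count, distinct_remote_ips)}."""
    counts, remotes = Counter(), {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        _, lport = parse_addr(fields[1])
        rip, _ = parse_addr(fields[2])
        counts[lport] += 1
        remotes.setdefault(lport, set()).add(rip)
    return {p: (counts[p], len(remotes[p])) for p in counts}

def looks_like_syn_flood(summary, min_half_open=100, min_spread=0.8):
    """Ports with many half-open connections, mostly from distinct sources
    (the 'random hosts' pattern). Thresholds are assumptions; tune per site."""
    return sorted(p for p, (n, uniq) in summary.items()
                  if n >= min_half_open and uniq / n >= min_spread)

def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True/False from the sysctl file, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() != "0"
    except OSError:
        return None

# Constructed sample rows (documentation address ranges), truncated columns.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 010200C0:0050 0A0200C0:C001 03 00000000:00000000
   2: 010200C0:0050 076433C6:9C40 03 00000000:00000000
   3: 010200C0:0050 057100CB:1F90 03 00000000:00000000
   4: 010200C0:0050 0B0200C0:D431 03 00000000:00000000
   5: 010200C0:0016 0A0200C0:E0F2 01 00000000:00000000
"""

if __name__ == "__main__":
    summary = half_open_summary(SAMPLE)
    print("half-open per port:", summary)
    print("suspect ports:", looks_like_syn_flood(summary, min_half_open=3))
    print("tcp_syncookies enabled:", syncookies_enabled())
```

On a live host, pass the contents of `/proc/net/tcp` to `half_open_summary` instead of `SAMPLE`.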

