Security Incidents mailing list archives

possible side effects from wide spread DOS attacks??


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Sun, 19 Mar 2000 11:19:03 +1300


Hi,
   Starting on Thursday 16th at around 1900 (UTC) and continuing now we
have seen traffic like that logged below coming from at least 20
different sites.  The traffic has been logged by argus which is not too
precise at logging tcp traffic that is not part of a 'properly set up'
tcp stream.  I think that this log represents a stream of incoming FIN
packets (our network is 130.216/16) although argus is logging them as
FIN+RST; the packet count only shows one packet in most cases.  Most of
the addresses are either unused or turned off.  When I get in to work
tomorrow I will rig an alarm to detect an incident in progress and get
a tcpdump trace of the packets.

Traffic seems to last for an hour or two (in a few cases three or four)
for any particular site.

Anyway I am speculating that this is the fallout from a DOS launched
against the site whose address appears here as source. The 'Hacktivist
tool' perhaps?

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.

PS. Argus actually records tcp states, not actual flags received, hence
packets that appear in streams that do not follow the tcp state machine
end up being logged in unexpected ways.

Argus logs (times UTC +1300):

18 Mar 00 13:14:23      tcp  194.47.104.254.6199   ?>  130.216.212.65.14431 1      0       0         0        FR
18 Mar 00 13:14:29      tcp  194.47.104.254.56217  ?>  130.216.57.109.6664  1      0       0         0        FR
18 Mar 00 13:15:55      tcp  194.47.104.254.16832  ?> 130.216.168.116.28240 1      0       0         0        FR
18 Mar 00 13:21:17      tcp  194.47.104.254.27926  ?>   130.216.71.77.20560 1      0       0         0        FR
18 Mar 00 13:21:24      tcp  194.47.104.254.15435  ?>  130.216.143.27.49111 1      0       0         0        FR
18 Mar 00 13:21:59      tcp  194.47.104.254.30851  ?>   130.216.75.88.36091 1      0       0         0        FR
18 Mar 00 13:22:11      tcp  194.47.104.254.53698  ?>   130.216.133.6.9835  1      0       0         0        FR
18 Mar 00 13:22:11      tcp  194.47.104.254.48530  ?>  130.216.170.81.3185  1      0       0         0        FR
18 Mar 00 13:22:22      tcp  194.47.104.254.37934  ?>   130.216.20.41.14382 1      0       0         0        FR
18 Mar 00 13:22:36      tcp  194.47.104.254.14433  ?>    130.216.47.9.2973  1      0       0         0        FR
18 Mar 00 13:23:12      tcp  194.47.104.254.4280   ?>   130.216.55.95.53614 1      0       0         0        FR
18 Mar 00 13:23:18      tcp  194.47.104.254.13895  ?>  130.216.66.115.37582 1      0       0         0        FR
18 Mar 00 13:23:54      tcp  194.47.104.254.36195  ?> 130.216.121.119.59460 1      0       0         0        FR
18 Mar 00 13:25:22      tcp  194.47.104.254.14280  ?> 130.216.147.102.62307 1      0       0         0        FR


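As an added example (not code from the post, from argus, or from the University of Auckland), here is the kind of alarm the post says its author plans to rig: a check over argus records in the layout logged above that flags an external source whose unsolicited one-packet FIN/RST flows spread across many hosts in the local /16 within a short window, the pattern a DoS victim produces when it answers packets spoofed with our addresses. The thresholds, the function names and the sample records (three taken from the post plus one constructed ordinary outbound flow) are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds (not from the post): flag an external source whose
# unsolicited one-packet FIN/RST flows reach MIN_HOSTS distinct hosts in OUR_NET
# within WINDOW, the spread a victim produces when answering spoofed packets.
OUR_NET = ipaddress.ip_network("130.216.0.0/16")
MIN_HOSTS = 3
WINDOW = timedelta(minutes=15)

# Constructed sample in the argus layout of the post; the last line is an ordinary outbound flow.
SAMPLE_LOG = """\
18 Mar 00 13:14:23      tcp  194.47.104.254.6199   ?>  130.216.212.65.14431 1      0       0         0        FR
18 Mar 00 13:14:29      tcp  194.47.104.254.56217  ?>  130.216.57.109.6664  1      0       0         0        FR
18 Mar 00 13:15:55      tcp  194.47.104.254.16832  ?> 130.216.168.116.28240 1      0       0         0        FR
18 Mar 00 13:22:30      tcp  130.216.10.5.40000    ->  194.47.104.254.80    6      5       700       4100     FIN
"""

def parse_argus_line(line):
    """(time, dir, src_ip, dst_ip, src_pkts, dst_pkts, state), or None if not a 13-field tcp record."""
    f = line.split()
    if len(f) != 13 or f[4] != "tcp":
        return None
    when = datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S")
    src, dst = (ipaddress.ip_address(a.rsplit(".", 1)[0]) for a in (f[5], f[7]))  # drop .port
    return when, f[6], src, dst, int(f[8]), int(f[9]), f[12]

def is_backscatter_candidate(rec):
    """One unsolicited packet in a FIN/RST state from outside to one of our hosts, with no reply."""
    _, direction, src, dst, spkts, dpkts, state = rec
    return (direction == "?>" and spkts == 1 and dpkts == 0 and ("F" in state or "R" in state)
            and src not in OUR_NET and dst in OUR_NET)

def find_backscatter_sources(log_text, min_hosts=MIN_HOSTS, window=WINDOW):
    """Map each flagged external source to (first_time, distinct_hosts_hit) in the window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_argus_line(line)
        if rec and is_backscatter_candidate(rec):
            by_src[str(rec[2])].append((rec[0], rec[3]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # slide a window over the time-ordered (time, dst) events
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = (t0, len(hosts))
                break
    return flagged
```

Run against a live argus stream, the same logic gives the timestamp at which a source first crossed the threshold, which is what an "incident in progress" alarm needs to trigger a tcpdump capture.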