Security Incidents mailing list archives
possible side effects from wide spread DOS attacks??
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Sun, 19 Mar 2000 11:19:03 +1300
Hi,

Starting on Thursday 16th at around 1900 (UTC) and continuing now we have seen traffic like that logged below coming from at least 20 different sites.

The traffic has been logged by argus, which is not too precise at logging tcp traffic that is not part of a 'properly set up' tcp stream. I think that this log represents a stream of incoming FIN packets (our network is 130.216/16); although argus is logging them as FIN+RST, the packet count only shows one packet in most cases. Most of the addresses are either unused or turned off.

When I get in to work tomorrow I will rig an alarm to detect an incident in progress and get a tcpdump trace of the packets.

Traffic seems to last for an hour or two (in a few cases three or four) for any particular site.

Anyway I am speculating that this is the fallout from a DOS launched against the site whose address appears here as source. The 'Hacktivist tool' perhaps?

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.

PS. Argus actually records tcp states, not actual flags received, hence packets that appear in streams that do not follow the tcp state machine end up being logged in unexpected ways.

Argus logs (times UTC +1300):

18 Mar 00 13:14:23 tcp 194.47.104.254.6199 ?> 130.216.212.65.14431 1 0 0 0 FR
18 Mar 00 13:14:29 tcp 194.47.104.254.56217 ?> 130.216.57.109.6664 1 0 0 0 FR
18 Mar 00 13:15:55 tcp 194.47.104.254.16832 ?> 130.216.168.116.28240 1 0 0 0 FR
18 Mar 00 13:21:17 tcp 194.47.104.254.27926 ?> 130.216.71.77.20560 1 0 0 0 FR
18 Mar 00 13:21:24 tcp 194.47.104.254.15435 ?> 130.216.143.27.49111 1 0 0 0 FR
18 Mar 00 13:21:59 tcp 194.47.104.254.30851 ?> 130.216.75.88.36091 1 0 0 0 FR
18 Mar 00 13:22:11 tcp 194.47.104.254.53698 ?> 130.216.133.6.9835 1 0 0 0 FR
18 Mar 00 13:22:11 tcp 194.47.104.254.48530 ?> 130.216.170.81.3185 1 0 0 0 FR
18 Mar 00 13:22:22 tcp 194.47.104.254.37934 ?> 130.216.20.41.14382 1 0 0 0 FR
18 Mar 00 13:22:36 tcp 194.47.104.254.14433 ?> 130.216.47.9.2973 1 0 0 0 FR
18 Mar 00 13:23:12 tcp 194.47.104.254.4280 ?> 130.216.55.95.53614 1 0 0 0 FR
18 Mar 00 13:23:18 tcp 194.47.104.254.13895 ?> 130.216.66.115.37582 1 0 0 0 FR
18 Mar 00 13:23:54 tcp 194.47.104.254.36195 ?> 130.216.121.119.59460 1 0 0 0 FR
18 Mar 00 13:25:22 tcp 194.47.104.254.14280 ?> 130.216.147.102.62307 1 0 0 0 FR
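
An added example, not part of the original post and not the alarm its author built: a sketch of how such an alarm could flag the pattern in these records, where one outside source sends single-packet "FR" flows to many distinct addresses inside 130.216/16 within a time window. The function names, the thresholds and the reading of the four numeric columns as source packets, destination packets and two byte counts are assumptions; the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Layout assumed from the records in the post: date, time, proto, src.port,
# direction, dst.port, four counters, state.
REC = re.compile(
    r"(\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}) +tcp +"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) +\S+ +(\d+\.\d+\.\d+\.\d+)\.(\d+) +"
    r"(\d+) +(\d+) +(\d+) +(\d+) +(\S+)")

def parse(line):
    """Return (time, src, dst, src_pkts, dst_pkts, state), or None if no match."""
    m = REC.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d %b %y %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(6)), int(m.group(7)), m.group(10)

def backscatter_sources(lines, net="130.216.0.0/16", min_dsts=5, window_min=60):
    """Map each suspect source to its peak count of distinct local destinations."""
    local, window = ip_network(net), timedelta(minutes=window_min)
    hits = defaultdict(list)
    for ts, src, dst, spkts, dpkts, state in filter(None, map(parse, lines)):
        # One unanswered packet, logged as FR, aimed at our address space.
        if ip_address(dst) in local and spkts == 1 and dpkts == 0 and state == "FR":
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        # Largest number of distinct destinations seen in any single window.
        best = max(len({d for t, d in events[i:] if t - start <= window})
                   for i, (start, _) in enumerate(events))
        if best >= min_dsts:
            flagged[src] = best
    return flagged

# First five records are copied from the post; the last one is constructed
# (an ordinary completed connection that must not be flagged).
SAMPLE = """\
18 Mar 00 13:14:23 tcp 194.47.104.254.6199 ?> 130.216.212.65.14431 1 0 0 0 FR
18 Mar 00 13:14:29 tcp 194.47.104.254.56217 ?> 130.216.57.109.6664 1 0 0 0 FR
18 Mar 00 13:15:55 tcp 194.47.104.254.16832 ?> 130.216.168.116.28240 1 0 0 0 FR
18 Mar 00 13:21:17 tcp 194.47.104.254.27926 ?> 130.216.71.77.20560 1 0 0 0 FR
18 Mar 00 13:21:24 tcp 194.47.104.254.15435 ?> 130.216.143.27.49111 1 0 0 0 FR
18 Mar 00 13:20:00 tcp 192.0.2.10.40000 -> 130.216.1.1.80 12 10 900 4000 FIN
""".splitlines()
```

Calling backscatter_sources(SAMPLE) reports 194.47.104.254 with five distinct destinations; the constructed connection from 192.0.2.10 is ignored.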