Security Incidents mailing list archives
Re: possible side effects from wide spread DOS attacks??
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 21 Mar 2000 10:08:21 +1200
On Sun, 19 Mar 2000 11:19:03 +1300 Russell Fulton <r.fulton () auckland ac nz> wrote:
Hi, Starting on Thursday 16th at around 1900 (UTC) and continuing now we have seen traffic like that logged below coming from at least 20 different sites. The traffic has been logged by argus which is not too precise at logging tcp traffic that is not part of a 'properly set up' tcp stream. I think that this log represents a stream of incoming FIN packets (our network is 130.216/16) although argus is logging them as FIN+RST the packet count only shows one packet in most cases. Most of the addresses are either unused or turned off. When I get in to work tomorrow I will rig an alarm to detect an incident in progress and get a tcpdump trace of the packets.
These are in fact packets with just RST (and ACK) set, not FIN. The start time is not significant since that is when I put up a new version of the argus server (I should have realised that might have something to do with it, sigh...) which changed the way lone RSTs were reported. There are so many 'detached' RSTs floating around for semi legitimate reasons my scripts normally ignore them, so I had not noticed these before. In most cases this is the only traffic we are seeing from these addresses, just a stream of RSTs to apparently random addresses in our net. Cheers, Russell.
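An added example, not part of the original post: one way to flag the pattern described in this thread, sources whose only traffic into 130.216/16 is lone RST or RST+ACK packets spread over several addresses. The `(src, dst, flags)` record format, the threshold and the sample records are assumptions constructed for illustration; they are not argus output.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("130.216.0.0/16")  # network named in the post
MIN_TARGETS = 3  # assumed threshold: distinct local addresses per source

# Constructed sample records (src, dst, TCP flags); not real log data.
# Flags: S=SYN, A=ACK, R=RST, F=FIN.
SAMPLE = [
    ("192.0.2.10", "130.216.4.17", "RA"),
    ("192.0.2.10", "130.216.77.3", "RA"),
    ("192.0.2.10", "130.216.200.9", "RA"),
    ("192.0.2.10", "130.216.12.250", "R"),
    ("198.51.100.7", "130.216.1.1", "R"),
    ("198.51.100.7", "130.216.1.2", "R"),
    ("198.51.100.7", "130.216.9.9", "R"),
    ("203.0.113.5", "130.216.30.30", "S"),   # also sends a SYN: not RST-only
    ("203.0.113.5", "130.216.30.31", "R"),
    ("203.0.113.5", "130.216.30.32", "R"),
    ("203.0.113.5", "130.216.30.33", "R"),
    ("203.0.113.9", "130.216.5.5", "RA"),    # single detached RST: ignored
    ("192.0.2.10", "198.51.100.1", "RA"),    # destination outside our net
]

def lone_rst_sources(records, min_targets=MIN_TARGETS):
    """Return {src: number of distinct local targets} for sources whose
    only inbound traffic is RST or RST+ACK, hitting >= min_targets hosts."""
    rst_targets = defaultdict(set)
    has_other_traffic = set()
    for src, dst, flags in records:
        if ipaddress.ip_address(dst) not in LOCAL_NET:
            continue  # only traffic addressed to the local network counts
        if "R" in flags and set(flags) <= {"R", "A"}:
            rst_targets[src].add(dst)
        else:
            has_other_traffic.add(src)
    return {
        src: len(dsts)
        for src, dsts in rst_targets.items()
        if src not in has_other_traffic and len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, count in sorted(lone_rst_sources(SAMPLE).items()):
        print(f"{src}: lone RSTs to {count} distinct local addresses")
```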