Security Incidents mailing list archives

Re: possible side effects from wide spread DOS attacks??


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 21 Mar 2000 10:08:21 +1200


On Sun, 19 Mar 2000 11:19:03 +1300 Russell Fulton
<r.fulton () auckland ac nz> wrote:

Hi,
   Starting on Thursday 16th at around 1900 (UTC) and continuing now we
have seen traffic like that logged below coming from at least 20
different sites.  The traffic has been logged by argus which is not too
precise at logging tcp traffic that is not part of a 'properly set up'
tcp stream.  I think that this log represents a stream of incoming FIN
packets (our network is 130.216/16) although argus is logging them as
FIN+RST the packet count only shows one packet in most cases.  Most of
the addresses are either unused or turned off.  When I get in to work
tomorrow I will rig an alarm to detect an incident in progress and get
a tcpdump trace of the packets.


These are in fact packets with just RST (and ACK) set, not FIN.  The
start time is not significant since that is when I put up a new version
of the argus server (I should have realised that might have something
to do with it, sigh...) which changed the way lone RSTs were reported.

There are so many 'detached' RSTs floating around for semi legitimate
reasons my scripts normally ignore them, so I had not noticed these
before.

In most cases this is the only traffic we are seeing from these
addresses, just a stream of RSTs to apparently random addresses in our
net.

Cheers, Russell.
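
An added example, not part of the original post: one way to build the kind of alarm the message describes, flagging sources whose only traffic is lone RST (or RST+ACK) packets spread over several addresses in 130.216/16. The flow tuple layout, the flag letters, the threshold and the sample addresses are assumptions constructed for illustration; they are not argus output.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("130.216.0.0/16")  # network named in the post

# Constructed flow records: (source, destination, TCP flags seen).
# Flag letters (S, A, R, F) are an assumed notation. Sources use
# documentation ranges; none of these values come from the original logs.
SAMPLE_FLOWS = [
    ("192.0.2.10", "130.216.4.17", "RA"),
    ("192.0.2.10", "130.216.90.3", "RA"),
    ("192.0.2.10", "130.216.201.44", "R"),
    ("192.0.2.10", "130.216.12.250", "RA"),
    ("198.51.100.7", "130.216.1.1", "RA"),
    ("198.51.100.7", "130.216.1.2", "RA"),
    ("198.51.100.7", "130.216.1.3", "RA"),
    ("198.51.100.7", "130.216.1.4", "SA"),   # also has ordinary traffic
    ("203.0.113.5", "130.216.7.7", "R"),     # a single stray RST
    ("203.0.113.99", "130.216.33.1", "RA"),
    ("203.0.113.99", "130.216.33.1", "RA"),  # repeat to the same address
    ("203.0.113.99", "130.216.150.9", "RA"),
    ("203.0.113.99", "130.216.77.20", "R"),
]


def lone_rst_sources(flows, min_targets=3):
    """Return {source: distinct local targets} for sources whose ONLY
    traffic is lone RST / RST+ACK packets into LOCAL_NET, spread over at
    least min_targets different addresses."""
    targets = defaultdict(set)
    other_traffic = set()
    for src, dst, flags in flows:
        inbound = ipaddress.ip_address(dst) in LOCAL_NET
        lone_rst = "R" in flags and set(flags) <= {"R", "A"}
        if inbound and lone_rst:
            targets[src].add(dst)
        else:
            other_traffic.add(src)  # anything else means a real conversation
    return {
        src: len(dsts)
        for src, dsts in targets.items()
        if src not in other_traffic and len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, count in sorted(lone_rst_sources(SAMPLE_FLOWS).items()):
        print(f"{src}: lone RSTs to {count} distinct local addresses")
```
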

