Security Incidents mailing list archives

Re: wake up & smell the DDoS


From: "Johnson, Greg" <JohnsonG () MISSOURI EDU>
Date: Fri, 15 Sep 2000 18:09:58 -0500

"Azimuth" observed:
The attached alerts from snort suggest outgoing activity from
the Shaft DDoS tool ... Checking this host for signs of
intrusion hasn't turned up anything...

This week I saw activity like this from several IP addresses in
the same two subnets.  Indeed the outsider whose portsentry reported the
problems listed IP addresses of several place-holders:  systems which are
not now connected nor have ever been officially connected.  Sounds like
source forging + probably a sniffer in the same subnets.  We've got
egress source sanity-filtering on our internet connections.  Getting
this worked down to the lower levels will take time.  Mmm, switches.
In the meantime we're sniffing and tweaking routers.

Encourage the other admin to sniff/snort--or be ready to--the affected
subnet.  See: http://www.nwfusion.com/research/2000/0828feat2.html

It's a safe bet that source forging exploitations will get bigger and
bigger.

Prepare now and look like a hero later, or... get caught unprepared.

--
  Greg Johnson - 573-882-5008
  Computing and Network Security Office
  University of Missouri, Columbia MO 65211
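The two checks Greg describes, egress source-sanity filtering at the border plus flagging outbound traffic that claims to come from "place-holder" addresses never assigned to a real host, written out as an added Python example (not code from the original post; the site prefixes, host inventory and flow records below are constructed samples).

```python
import ipaddress
from collections import Counter

# Constructed: address blocks this site is allowed to source packets from.
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed: hosts actually assigned inside those blocks. Anything else in
# the blocks is a place-holder address and should never originate traffic.
ASSIGNED_HOSTS = {"192.0.2.10", "192.0.2.20", "198.51.100.5"}

# Constructed outbound flow records as (src, dst, proto) tuples.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.7", "udp"),     # legitimate host
    ("10.9.9.9", "203.0.113.7", "udp"),       # source not ours: forged
    ("192.0.2.77", "203.0.113.7", "udp"),     # our block, but unassigned
    ("198.51.100.5", "203.0.113.9", "tcp"),   # legitimate host
    ("192.0.2.77", "203.0.113.9", "udp"),     # same place-holder again
]


def classify_source(src, prefixes=SITE_PREFIXES, assigned=ASSIGNED_HOSTS):
    """Return the verdict an egress filter plus inventory check would give."""
    addr = ipaddress.ip_address(src)
    # Egress sanity filter: drop anything whose source is not in our space.
    if not any(addr in net for net in prefixes):
        return "drop-forged-source"
    # Inside our space but never assigned: a spoofed place-holder address,
    # which points at a forging host (and likely a sniffer) on that subnet.
    if src not in assigned:
        return "alert-placeholder-source"
    return "allow"


def summarize(flows):
    """Count verdicts and list which place-holder addresses were spoofed."""
    verdicts = Counter(classify_source(src) for src, _, _ in flows)
    placeholders = sorted(
        {src for src, _, _ in flows
         if classify_source(src) == "alert-placeholder-source"}
    )
    return verdicts, placeholders


if __name__ == "__main__":
    counts, spoofed = summarize(SAMPLE_FLOWS)
    print(dict(counts), spoofed)
```

The place-holder list is what tells the local admin which subnet to sniff; the drop verdict is what the border filter enforces.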

