Security Incidents mailing list archives
RE: DoS, possibly spoofed IP Addresses
From: "Jupp, Peter" <JuppP () ottawapolice ca>
Date: Wed, 3 Apr 2002 09:55:30 -0500
Hi Murat,

The best reading I've done about DoS attacks was courtesy of Steve Gibson; look here:
http://grc.com/dos/grcdos.htm
Of particular interest elsewhere on Mr Gibson's site is the information about Windows XP raw sockets, which deliver IP spoofing capability to the masses.

Good Luck,
Peter.

-----Original Message-----
From: mahmut korkmaz [mailto:mahmutkorkmaz () hotmail com]
Sent: Monday, April 01, 2002 9:16 PM
To: incidents () securityfocus com
Subject: DoS, possibly spoofed IP Addresses

Folks,

I have been dealing with this DoS attack for a long while. Actually, my problem is not identifying the attack; mine is about tracing the source IP. My SNORT logs show that this guy is trying to hack into the DNS server over UDP. In the payloads of the packets I see those "/bin/sh" strings. There is no other clue about the exploit he is trying on. It is causing a DoS, at the end of the day. Driving me NUTs :( Consuming all my bandwidth.... Then again the same cycle... Call the ISP, block the guy and keep searching....

I am trying to block this guy from the ISP. However, he is changing the IP all the time. Whenever I try to trace the IP, it is either not alive, or the ISP of the IP says they see no traffic from that guy. I am almost sure that he is spoofing the IP.

By the way, tracing this guy by talking to one ISP after another is also not helpful... Because it is time killing, trying to convince the NOC guy of the ISP to check the routers for us and stuff like that.... Most of the time they refuse at first to check the routers, because we are not their customer and so on...

So, the bottom line is, have you ever been in a similar position before, and if so, what was your life-boat?

Any comments....

Murat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- DoS, possibly spoofed IP Addresses mahmut korkmaz (Apr 02)
- <Possible follow-ups>
- RE: DoS, possibly spoofed IP Addresses Jupp, Peter (Apr 03)
- RE: DoS, possibly spoofed IP Addresses Rob Thomas (Apr 03)
- RE: DoS, possibly spoofed IP Addresses Snow, Corey (Apr 03)
- RE: DoS, possibly spoofed IP Addresses mahmut korkmaz (Apr 03)
- RE: DoS, possibly spoofed IP Addresses Nelson, Jeffrey (Apr 03)