Security Incidents mailing list archives

Re: slapper worm varient "cinik"


From: "Mark" <mark () uniontown com>
Date: Thu, 26 Sep 2002 11:16:26 -0400

Which brings up another point.  It uses TCP to infect, but UDP for the peer
communication, right?  UDP is so easily spoofed, what's to keep me from
falsely pretending that I am an infected machine at Company X via a simple
UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
wished anonymously?

-Mark

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "James P. Kinney III" <jkinney () localnetsolutions com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, September 25, 2002 2:38 PM
Subject: Re: slapper worm varient "cinik"


James and all,

Apparently the intruder got rather upset I spoiled his fun and about 15
minutes after I shut him out, I was a victim of a udp-based DOS attack.
Actually, it wasn't an intruder; the UDP flood you are experiencing is a
consequence of a worm network design. Most likely the worm managed to join
the network before you shut it down and now its peers are trying to access
your machine.

For more info got to http://isc.incidents.org/analysis.html?id=169 and
http://isc.incidents.org/analysis.html?id=167

Best,
--
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org


--------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


Current thread: