Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DDoS Attack

From: "Angelz" <angel () dgtalstudios com>
Date: Fri, 23 May 2003 00:12:10 +0100
How many unique IPs are attacking you? Is it consuming too much bandwidth or
straining cpu/memory?
This will largely be the deciding factor in your response to it.

As this is a complete TCP connection to your webserver, the IPs obviously
cannot be spoofed. This is good news as it makes defending from it alot
easier.
I suggest asking your upsteam(s) to filter all the IPs involved. It's likely
they'll have their own way of combating it; you need to speak to them.

If you could send me a list of the infected IPs it would be greatly
appreciated.

http://www.securityfocus.com/archive/75/270867 -- The same string was sent
in this attack, may be worth reading.

Good luck,

-A


----- Original Message -----
From: "Steven Shepherd" <steven () valueweb com>
To: <incidents () securityfocus com>
Sent: Thursday, May 22, 2003 6:13 PM
Subject: DDoS Attack



Our parent company is experiencing a very odd/severe DDoS attack coming
from all over the place.  For the most part, the attack is occuring at
the Apache level.  Log files show this request:

[Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
failed: erroneous characters after protocol string: -nb GET


!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb

GET


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb

GET


!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^
@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&
!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb

GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ +
+ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
+ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+
+ +ATH0+

Scans of some of the attacking IP's show BackOrifice installations.

Has anyone had this sort of attack and what would be the best way to
combat it?  Not much luck from the upstream(s) thus far.



--------------------------------------------------------------------------

--

*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown

enterprise WLANs.


To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
--------------------------------------------------------------------------

--







---
Outgoing mail is certified virus free by smtp.webchatx.org
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.483 / Virus Database: 279 - Release Date: 20/05/2003


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: