Security Incidents mailing list archives

RE: DoS/DDoS on port 1863(MSN protocol)


From: "easternerd" <easternerd () gmx net>
Date: Mon, 27 Sep 2004 01:50:16 +0530

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I suggest you first take Incident Response Step #1 - Cut off the
attack.
Ask your ISP to apply ingress rules.
Remember, now the packets don't seem to have harmed you much,
but what if the router just pops off? You sure don't want to DoS
yourself.
And take measures to notify the ISPs from where these attacks are
erupting.



Email Correspondence :
easternerd () gmx net
easternerd () eml cc
Website :
http://www.cryptography.tk
http://www.securityrisk.org


- -----Original Message-----
From: Diego Sebastián González [mailto:dgonzalez () telespazio com ar]
Sent: Thursday, September 23, 2004 9:31 PM
To: incidents () securityfocus com
Subject: DoS/DDoS on port 1863(MSN protocol)

Hi all,
 I work at a satellite ISP (teleport) and we are experiencing a
DoS/DDoS attack on our routers on port 1863.
Too many SYNs are being sent from a lot of our public IP customers to
port 1863 on the MSN servers.
10.000 connections per second are generated in our TCP accelerator
systems, and this overflows these systems and the border routers.
We can identify the customers, but there are too many. We cannot drop this
port because the MSN application uses it, and we cannot apply policies to our
firewalls because the MSN servers respond to SYNs generated from our
customers.
We have Allot systems that perform filtering by IP header, but really,
we need to filter at the application layer.

Does anybody have an idea to solve this problem?

Thanks in advance.

Diego S. González
Operations Team
Telespazio
Visit us @ http://www.finmeccanica.it
Visit us @ http://www.telespazio.it







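An added example, not part of either message above: one way to rank the customer addresses by their peak rate of pure SYNs to port 1863, so that rate limits or abuse notifications can start with the noisiest sources. The tcpdump-style line format, the documentation addresses, the one-second window and the limit of 20 are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Matches the constructed tcpdump-style lines used below (an assumed capture format).
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def syn_offenders(lines, port=1863, window=1.0, limit=20):
    """Return {src_ip: peak SYN count in any `window` seconds} for sources above `limit`."""
    times = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        # Count only pure SYNs (flags exactly "S") aimed at the watched port.
        if m and m.group(5) == "S" and int(m.group(4)) == port:
            times[m.group(2)].append(float(m.group(1)))
    offenders = {}
    for src, ts in times.items():
        ts.sort()
        peak = start = 0
        for end in range(len(ts)):
            # Slide the window start forward until it spans at most `window` seconds.
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            offenders[src] = peak
    return offenders

def constructed_sample(t0=1096000000.0):
    """Constructed capture lines (not data from the thread)."""
    fmt = "{:.3f} IP {}.{} > 198.51.100.5.{}: Flags [{}], seq 0, win 8192, length 0"
    # Noisy customer: 30 SYNs to port 1863 in under one second.
    lines = [fmt.format(t0 + i * 0.03, "192.0.2.10", 40000 + i, 1863, "S") for i in range(30)]
    # Ordinary customer: a SYN every five seconds, plus one plain ACK.
    lines += [fmt.format(t0 + i * 5, "192.0.2.20", 41000 + i, 1863, "S") for i in range(3)]
    lines.append(fmt.format(t0 + 1, "192.0.2.20", 41000, 1863, "."))
    # Busy web client: many SYNs, but to port 80, so it is ignored.
    lines += [fmt.format(t0 + i * 0.01, "192.0.2.30", 42000 + i, 80, "S") for i in range(40)]
    return lines

if __name__ == "__main__":
    ranked = sorted(syn_offenders(constructed_sample()).items(), key=lambda kv: -kv[1])
    for src, peak in ranked:
        print(f"{src}: peak {peak} SYNs/s to port 1863")
```
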
