IP: re NIPC DDOS Warning

[David Farber <dave () farber net>]

> Date: Tue, 18 Sep 2001 10:41:28 -0600
> From: Sean Reifschneider <jafo () tummy com>
> To: David Farber <dave () farber net>
> Cc: Robert Cannon <rcannon100 () yahoo com>, efm () tummy com
> Subject: Re: IP: NIPC DDOS Warning
> User-Agent: Mutt/1.2.5i
>
> >We may be under a DDOS.  You may wish to post this:
>
> It's actually something similar to the Code Red worm.  This one however
> seems to make an average of around 10 HTTP connections per attack attempt
> compared to Code Red's one HTTP connection, which right away means that
> it's likely to be an order of magnitude worse than the original Code Red.
>
> It uses an attack profile very similar, most attacks come from network
> addresses that are at least somewhat similar to your address.  So, it may
> be a straight variant, but I don't have information to prove it one way or
> another.
>
> So, it's kind of a DDoS in that it is pounding the net pretty hard, but
> it's also a worm.  It's actually pounding *EVERYONE* pretty hard, whereas a
> traditional DDoS would be hitting one or a few places.
>
> http://slashdot.org/ has some coverage of it so far.  From looking at our
> logs, it *JUST STARTED* at around 7am.  No gradual ramp-up, our line just
> started getting pounded by about a 35KB/sec load, and it's currently up to
> around 60KB/sec.
>
> Sean
> --
>  "If all you have is a hammer, every problem tends to look like a nail."
> Sean Reifschneider, Inimitably Superfluous <jafo () tummy com>
> tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python



For archives see: http://www.interesting-people.org/