Re: My First Denial of Service Attack..... (fwd)

[Avi Freedman <freedman () netaxs com>]

There are other analyses that can be performed if you have a tcpdump
(NOT etherfind) output log of the headers from an attack.

It's well worth a few tens of megabytes...

CERT and some of the people working on the SYN attacks can help if
you have such traces.

Avi

> Date: Sun, 6 Oct 1996 11:40:25 -0400
> From: Dave Van Allen <dave () fast net>
> Reply-To: inet-access () earth com
> To: "'inet-access () earth com'" <inet-access () earth com>
> Subject: RE: My First Denial of Service Attack.....
> Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT)
> Resent-From: inet-access () earth com
>
> FYI, (if it has already been mentioned, please excuse the double post,
> but:)
>
> The latest version of the SYN attack code published in Phrack (last
> weeks edition, NOT last months) has an imbedded 'ping' ever several
> hundred SYN packets.
>
> If you get attacked, run snoop, tcpdump or anything that captures
> packets, and look for the pings - they have the real source address of
> the sender of the SYN flood attack.
>
> Please note, obviously the code can be modified to NOT ping, but our
> attacker last night did not do that, and we had the name of the user,
> their ISP, and other info in less than 15 minutes.
>
> Best regards,
> -
> Dave Van Allen - You Tools Corporation/FASTNET(tm) 
> dave () fast net  (610)954-5910 http://www.fast.net 
> FASTNET - PA/NJ/DE Business Internet Solutions 
- - - - - - - - - - - - - - - - -