This is some information I've been compiling on a DoS kiddie from irc.dal.net who goes by the handle cpio; these are the events that transpired and what happened as a result. He's been using some hacked account's bandwidth to drop down tons of traffic on me from various misconfigured hosts, which he probably got from netscan.org. I'm being packeted even as I write this, but he has yet to take down my connection completely. What I'm wondering is if there is anything I can do to make this stop. I realize that it's virtually impossible to find out where he's coming from, as he always uses various shell accounts and BNCs on IRC, but from previous conversations I know he lives in New Jersey. As it is a Sunday, there is no one available at my local @Home offices, and I can't think of anything else to do but wait it out; as of this writing it's been 6 hours of continuous packeting. My numerous attempts to get a continual log of the attack have been thwarted by the volume of traffic: my OpenBSD 2.7 system's kernel keeps dropping most of it, and tcpdump/smurflog can't keep up and both crash after a few seconds. I would appreciate any help anyone can offer me with this matter.

Thanks in advance,

Jon Hamill
MCSE, A+, Network+
Computer Consultant
Sunday June 10, 2001

irc logs:

[cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
[cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service

ωνω Lastlog:
13:43 ωνω cpio [cpio@c1530360-a.bllvu1.wa.home.com] has joined #unixgeeks
13:43 ωνω mode/#unixgeeks [+o cpio] by ChanServ
13:43 ωνω Topic (#unixgeeks): changed by cpio: Jon Hamill 7524 Old Oakland Blvd. W. Dr. Indianapolis, IN 46236 Phone: 317-371-2828
13:44 ωνω mode/#unixgeeks [-o+b cpio *!*cpio@*.home.com] by Godthe1st
13:44 ωνω cpio was kicked off #unixgeeks by Godthe1st (Take thy beak from out my heart and take thy form from off my door!)
13:44 ωνω ServerMode/#unixgeeks [-b *!*cpio@*.home.com] by twisted.ma.us.dal.net
13:44 ωνω cpio [cpio@c1530360-a.bllvu1.wa.home.com] has joined #unixgeeks
13:44 ωνω mode/#unixgeeks [+o cpio] by ChanServ
13:44 <cpio> you are dade!
13:44 ωνω mode/#unixgeeks [-o+b Godthe1st *!*?v?r?c?@?t?1?9?5?b.?v?n?v?.?n.?o?e.?o?] by cpio
13:44 >>> You have been kicked off #unixgeeks by cpio (UNF)
13:48 [msg(cpio)] does dosing people make your penis look bigger when you wake up and look in the mirror every morning
13:49 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
13:50 [msg(cpio)] heh you're pathetic
13:50 -ChanServ(serviceat_private)- 1 - cpio (cpio@c1530360-a.bllvu1.wa.home.com)
13:50 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service
13:51 [msg(chanservat_private)] aop #unixgeeks del cpio
13:52 -ChanServ(serviceat_private)- cpio has been successfully removed from the AOp list of #unixgeeks
13:52 1 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
13:52 0 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service

system logs:

Jun 10 13:53:03 wrath smurflog[22787]: Threshold reached, 410.79kbps 399pkt/s, Looks like a smurf.
Jun 10 13:53:04 wrath smurflog[22787]: #1 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #2 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #3 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #4 - Probable Smurf attack detected from 204.142.116.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #5 - Probable Smurf attack detected from 204.27.77.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #6 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #7 - Probable Smurf attack detected from 141.141.2.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #10 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #14 - Probable Smurf attack detected from 206.137.31.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #15 - Probable Smurf attack detected from 207.62.143.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #18 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #19 - Probable Smurf attack detected from 255.255.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #20 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #21 - Probable Smurf attack detected from 209.114.130.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #22 - Probable Smurf attack detected from 209.101.59.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #23 - Probable Smurf attack detected from 206.14.230.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #24 - Probable Smurf attack detected from 203.36.98.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #25 - Probable Smurf attack detected from 203.37.105.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #26 - Probable Smurf attack detected from 204.95.121.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #27 - Probable Smurf attack detected from 208.22.190.0/24 (1052 bytes)
Jun 10 13:53:06 wrath smurflog[22787]: #28 - Probable Smurf attack detected from 24.248.249.0/24 (1500 bytes)
Jun 10 14:00:01 wrath syslogd: restart

Note the times coincide; the syslogd restart is the point at which the packets got to be too many for it to handle and it literally crashed and restarted itself.

Jun 10 18:13:20 wrath smurflog[6359]: Now monitoring ne0 for smurf attacks.
Jun 10 18:13:21 wrath smurflog[13273]: Threshold reached, 264.03kbps 257pkt/s, Looks like a smurf.
Jun 10 18:13:21 wrath smurflog[13273]: #1 - Probable Smurf attack detected from 169.130.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #2 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #3 - Probable Smurf attack detected from 204.147.83.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #4 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #5 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #7 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #11 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #12 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #13 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)

We check back 4 hours later to see that cpio is still going...
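One way to turn a smurflog excerpt like the one above into something actionable, as an added example (my code, not the poster's and not part of smurflog): it parses the line format the post quotes, lists the /24 amplifiers that recur across the two monitoring runs (the ones worth reporting to their admins so they disable directed broadcast), flags reserved "source" networks such as 255.255.255.0/24 that cannot be real amplifiers, and computes the reply load implied by the reported pkt/s and packet size. SAMPLE_LOG is constructed from lines in the post.

```python
"""Triage smurflog output: which amplifier /24s recur across attack windows, which are bogus,
and what line rate the reported pkt/s implies.  Added example, not part of the original post;
the line format is taken from the smurflog lines quoted in it.  SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

SAMPLE_LOG = """\
Jun 10 13:53:03 wrath smurflog[22787]: Threshold reached, 410.79kbps 399pkt/s, Looks like a smurf.
Jun 10 13:53:04 wrath smurflog[22787]: #1 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #2 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #19 - Probable Smurf attack detected from 255.255.255.0/24 (1052 bytes)
Jun 10 14:00:01 wrath syslogd: restart
Jun 10 18:13:21 wrath smurflog[13273]: Threshold reached, 264.03kbps 257pkt/s, Looks like a smurf.
Jun 10 18:13:21 wrath smurflog[13273]: #1 - Probable Smurf attack detected from 169.130.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #4 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #13 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
"""

# each smurflog process (pid) is one monitoring run, so the pid doubles as an attack-window id
THRESH_RE = re.compile(r"smurflog\[(\d+)\]: Threshold reached, [\d.]+kbps (\d+)pkt/s")
DETECT_RE = re.compile(r"smurflog\[(\d+)\]: #\d+ - Probable Smurf attack detected from (\S+) \((\d+) bytes\)")

def parse(log):
    """Return ({pid: pkt/s}, {pid: largest packet size seen}, {network: set of pids it appeared in})."""
    pps, pkt_bytes, seen = {}, defaultdict(int), defaultdict(set)
    for line in log.splitlines():
        if m := THRESH_RE.search(line):
            pps[m.group(1)] = int(m.group(2))
        elif m := DETECT_RE.search(line):
            pid, net, size = m.group(1), m.group(2), int(m.group(3))
            pkt_bytes[pid] = max(pkt_bytes[pid], size)
            seen[net].add(pid)
    return pps, pkt_bytes, seen

def triage(log):
    """Summarise a smurflog excerpt for follow-up with the amplifier networks' admins."""
    pps, pkt_bytes, seen = parse(log)
    # a /24 that shows up in more than one window is a stable, reusable amplifier
    recurring = sorted(net for net, pids in seen.items() if len(pids) > 1)
    # reserved / non-routable "sources" cannot be real amplifiers; they mark spoofed or junk packets
    bogus = sorted(net for net in seen if ip_network(net).is_reserved or not ip_network(net).is_global)
    # reply load implied by the reported packet rate and the reflected packet size, in Mbit/s
    load = {pid: round(rate * pkt_bytes[pid] * 8 / 1e6, 3) for pid, rate in pps.items()}
    return {"recurring": recurring, "bogus": bogus, "load_mbps": load}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```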
This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 12:28:16 PDT