Hello,

Yesterday, one of the servers I admin was attacked by a massive broadcast of ICMPs, the typical 'smurf' attack. I am working on discovering who did it.

During the attack, I loaded tcpdump and redirected its output to a logfile to study and analyze it later. Once I had the log in my hands, I took the perl interpreter and wrote several scripts to search for some evidence, like ICMPs made by the attacker to test the ping response, or in other words, to know the sharpness of his/her attack.

All the IPs that sent the ICMP packets were not alone; I mean that they were in a series of IPs, that is, class B and C internet networks --> broadcasts. All of them were from other countries.

I continued looking for some evidence. I found a clue when I saw some ICMP echoes to the victim's IP coming from a national ISP. That is a subscriber IP from that ISP, perhaps the attacker. I think that way because if I were the attacker, I would make some pings to the victim to see if he is knocked out. Perhaps the attacker didn't think that I was logging, or that I would be unable to find his IP.

I have to tell you that the attacked server does not have any service; it is not known by anyone. I use it to develop and test software. It is an old SGI Indigo 2, so it does not have any traffic to/from outside my network. That brings me to suspect that this national-ISP IP was the attacker.

I attach to this mail the list of IPs, some of them resolved, that sent the broadcast ICMPs. I contacted my frame-relay provider and sent them the details of the attack. I also contacted the suspect ISP and told them that IP and the hour it happened.

This mail could open a discussion about Internet insecurity, how to avoid these attacks, possible solutions, and possible ways to analyze the results.

Nothing more, luck!

--
Xavi Torres <adminat_private>
Systems administration
Krypton Networks S.L.
http://www.kryptonetworks.com/
http://www.area66.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
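The kind of search the poster describes, separating the amplifier networks (many hosts in one /24 sending echo replies) from single hosts sending echo requests to the victim, as an added Python example that is not the poster's perl script; the tcpdump line format, the /24 grouping, the min_hosts threshold and the sample capture are all assumptions made here.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network
# tcpdump ICMP echo line, e.g. "10:42:01.123456 192.0.2.7 > 203.0.113.5: icmp: echo reply"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>[\d.]+)\s+>\s+"
                     r"(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)")

def parse_line(line):
    """Return (ts, src, dst, kind) for an ICMP echo line, else None."""
    m = LINE_RE.match(line)
    return (m["ts"], m["src"], m["dst"], m["kind"]) if m else None

def analyze(lines, victim, min_hosts=3):
    """Return (amplifier /24 -> host count, prober IP -> request count).
    Echo replies come from amplifier hosts answering a spoofed broadcast
    ping and cluster by /24; echo requests sent to the victim from outside
    those clusters are single hosts checking whether it is still up.
    The /24 grouping and min_hosts threshold are heuristics."""
    reply_hosts = defaultdict(set)   # /24 -> distinct replying hosts
    requests = Counter()             # src -> echo requests to the victim
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != victim:
            continue                 # not ICMP echo, or not aimed at the victim
        _, src, _, kind = rec
        net = str(ip_network(f"{src}/24", strict=False))
        if kind == "reply":
            reply_hosts[net].add(src)
        else:
            requests[src] += 1
    amplifiers = {net: len(h) for net, h in reply_hosts.items() if len(h) >= min_hosts}
    probers = {src: n for src, n in requests.items()
               if str(ip_network(f"{src}/24", strict=False)) not in amplifiers}
    return amplifiers, probers

# Constructed sample capture (RFC 5737 addresses), not the original poster's log.
SAMPLE_LOG = """\
10:42:01.100000 192.0.2.7 > 203.0.113.5: icmp: echo reply
10:42:01.100200 192.0.2.8 > 203.0.113.5: icmp: echo reply
10:42:01.100400 192.0.2.9 > 203.0.113.5: icmp: echo reply
10:42:01.200000 198.51.100.20 > 203.0.113.5: icmp: echo reply
10:42:01.200300 198.51.100.21 > 203.0.113.5: icmp: echo reply
10:42:01.200600 198.51.100.22 > 203.0.113.5: icmp: echo reply
10:42:02.000000 192.0.2.200 > 203.0.113.5: icmp: echo request
10:42:07.000000 203.0.113.77 > 203.0.113.5: icmp: echo request
10:42:07.500000 203.0.113.77 > 203.0.113.5: icmp: echo request
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "203.0.113.5"))
```

On the sample, the request from 192.0.2.200 is dropped because its /24 is already classified as an amplifier network, leaving 203.0.113.77 as the only direct prober.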
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 10:57:47 PDT