Smurf Broadcast DoS attack

From: X (falkenat_private)
Date: Thu Aug 23 2001 - 03:35:14 PDT


    Hello,
    
    Yesterday, one of the servers I administer was attacked by a massive
    broadcast of ICMPs: the typical 'smurf' attack.
    
    I am working on discovering who did it:
    
    During the attack, I loaded tcpdump and redirected its output to a
    logfile to study and analyze it later. 
    
    Once I had the log in my hands, I took the Perl interpreter and wrote several
    scripts to search for some evidence, like ICMPs sent from the attacker to test
    the ping response, or in other words, to know the sharpness of his/her
    attack.
    
    All the IPs that sent the ICMP packets were not alone; I mean that they
    came in a series of IPs, that is, class B and class C Internet networks -->
    broadcasts. All of them were from other countries. I continued looking for
    some evidence.
    
    I found a clue when I saw some ICMP echos to the victim's IP coming from
    a national ISP. That is, a subscriber IP from that ISP, perhaps the
    attacker.
    
    I think that way because if I were the attacker, I would send some pings
    to the victim to see if he is knocked out. Perhaps the attacker didn't
    think that I was logging, or that I would be able to find his IP.
    
    I have to tell you that the attacked server does not run any service; it is
    not known to anyone. I use it to develop and test software. It is an old
    SGI Indigo 2. So it does not have any traffic to/from outside my network. That
    brings me to suspect that this national-ISP IP was the attacker.
    
    I attach to this mail the list of IPs, some of them resolved, that sent
    the broadcast ICMPs.
    I contacted my frame-relay provider and sent them the details of the
    attack.
    I also contacted the suspect ISP and gave them that IP and the hour it
    happened.
    
    This mail could open a discussion about Internet insecurity, how to
    avoid these attacks, possible solutions, and possible ways to analyze the
    results.
    
    Nothing more,
    
    luck!
    
    
    -- 
    
    Xavi Torres <adminat_private>
    Systems administration
    Krypton Networks S.L.
    http://www.kryptonetworks.com/
    http://www.area66.com/
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
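The post describes sifting a tcpdump log for two things: the broadcast networks whose hosts flooded the victim, and any isolated ICMP echo aimed at the victim that might be the attacker checking whether the box was down. The script below is an added example of that triage, not the author's Perl scripts and not from the original post. It assumes the classic one-line tcpdump ICMP format (timestamp, "src > dst:", "icmp: echo reply" or "icmp: echo request"); the victim address, the networks and every log line in SAMPLE_LOG are constructed for the example. It relies on one property of a smurf flood the post does not spell out: the victim is hit by echo *replies* from every live host on the amplifier network, so a flood never contains echo *requests*, and any request to the victim comes from someone deliberately pinging it.

```python
"""Triage a tcpdump ICMP log after a smurf flood.

Added example (not code from the original post).  Assumed input format is the
classic tcpdump ICMP line, e.g.
    22:41:03.120944 203.0.113.17 > 192.0.2.9: icmp: echo reply
All addresses and sample lines below are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(?P<kind>reply|request)\b"
)

# Constructed sample: two amplifier networks replying, one stray reply, one
# reply to a different host, one non-echo ICMP line, and two echo requests
# from a single address before and after the burst.
VICTIM = "192.0.2.9"
SAMPLE_LOG = """\
22:41:02.001000 100.64.3.77 > 192.0.2.9: icmp: echo request
22:41:03.120944 203.0.113.17 > 192.0.2.9: icmp: echo reply
22:41:03.121001 203.0.113.18 > 192.0.2.9: icmp: echo reply
22:41:03.121077 203.0.113.19 > 192.0.2.9: icmp: echo reply
22:41:03.121130 203.0.113.17 > 192.0.2.9: icmp: echo reply
22:41:03.200415 198.51.100.4 > 192.0.2.9: icmp: echo reply
22:41:03.200480 198.51.100.5 > 192.0.2.9: icmp: echo reply
22:41:03.200533 198.51.100.6 > 192.0.2.9: icmp: echo reply
22:41:03.200590 198.51.100.7 > 192.0.2.9: icmp: echo reply
22:41:03.300000 10.9.8.7 > 192.0.2.9: icmp: echo reply
22:41:03.400000 203.0.113.17 > 192.0.2.44: icmp: echo reply
22:41:03.500000 172.16.0.1 > 192.0.2.9: icmp: time exceeded in-transit
22:41:09.771234 100.64.3.77 > 192.0.2.9: icmp: echo request
"""


def parse_icmp_log(text):
    """Return (timestamp, src, dst, kind) for every echo line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return records


def network_prefix(ip, bits):
    """Zero the host part of a dotted quad: ('203.0.113.17', 24) -> '203.0.113.0/24'."""
    n = bits // 8
    octets = ip.split(".")[:n] + ["0"] * (4 - n)
    return ".".join(octets) + f"/{bits}"


def analyze(records, victim, min_hosts=3):
    """Split traffic to `victim` into amplifier networks and lone probes.

    Echo replies are clustered by source /24; a /24 with at least `min_hosts`
    distinct replying hosts is reported as a likely amplifier (smurf reflects
    one spoofed request into a reply from every live host on the broadcast
    network).  Echo requests whose source /24 is not an amplifier are returned
    as lone probes: a flood of reflected replies cannot contain requests, so
    these are someone pinging the victim on purpose.
    """
    hosts_by_net = defaultdict(set)
    packets_by_net = defaultdict(int)
    requests = []
    for ts, src, dst, kind in records:
        if dst != victim:
            continue
        if kind == "reply":
            net = network_prefix(src, 24)
            hosts_by_net[net].add(src)
            packets_by_net[net] += 1
        else:
            requests.append((ts, src))
    amplifiers = {
        net: {"hosts": sorted(hosts), "packets": packets_by_net[net]}
        for net, hosts in hosts_by_net.items()
        if len(hosts) >= min_hosts
    }
    lone_probes = [(ts, src) for ts, src in requests
                   if network_prefix(src, 24) not in amplifiers]
    return amplifiers, lone_probes


def run_example():
    """Analyze the constructed sample log against the constructed victim address."""
    return analyze(parse_icmp_log(SAMPLE_LOG), VICTIM)


if __name__ == "__main__":
    amps, probes = run_example()
    for net, info in sorted(amps.items()):
        print(f"amplifier {net}: {len(info['hosts'])} hosts, {info['packets']} replies")
    for ts, src in probes:
        print(f"lone echo request at {ts} from {src}")
```

A lone echo request is a lead, not proof: anyone, including an unrelated scanner, can ping the victim, so the timestamps matter. A request a few seconds before the first reflected reply and another shortly after the flood stops, both from the same address, is the pattern worth handing to the ISP along with the amplifier list; a single request hours away from the burst is noise. Also cluster by /16 for amplifiers spread across a whole class B, which is what network_prefix(ip, 16) is for.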
    



    This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 10:57:47 PDT