Please have a look at: http://www.ircnetops.org/smurf

It's the home page of the SAFE project, which I run. Can you see if any of the IP addresses that attacked you are in the database? If they are, I will jump on the admins. They've been told at least twice that most of them are running open amplifiers.

Thanks,
Avleen Vig

On Thu, Aug 23, 2001 at 12:35:14PM +0200, X wrote:
>
> Hello,
>
> Yesterday, one of the servers I administer was attacked by a massive broadcast
> of ICMPs. The typical 'smurf' attack.
>
> I am working on discovering who did it:
>
> During the attack, I loaded tcpdump and redirected its output to a
> logfile to study and analyze it later.
>
> Once I had the log in my hands, I took the perl interpreter and wrote several
> scripts to search for some evidence, like ICMPs made from the attacker to test
> the ping response or, in other words, to know the sharpness of his/her
> attack.
>
> All the IPs that sent the ICMP packets were not alone, I mean that they
> were in a series of IPs, that is: B, C internet network classes -->
> broadcasts. All of them were from other countries. I continued looking for
> some evidence.
>
> I found a clue when I saw some ICMP echoes to the victim's IP coming from
> a national ISP. That is a subscriber IP from that ISP, perhaps the
> attacker.
>
> I think that way because if I were the attacker, I would make some pings
> to the victim to see if he is knocked out. Perhaps the attacker didn't
> think that I was logging, or that I would be unable to find his IP.
>
> I have to tell you that the attacked server does not run any service; it is not
> known by anyone. I use it to develop and test software. It is an old
> SGI Indigo 2, so it has no traffic to/from outside my network. That
> brings me to suspect that this national-ISP IP was the attacker.
>
> I attach to this mail the list of IPs, some of them resolved, that sent
> the broadcast ICMPs.
>
> I contacted my frame-relay provider and sent them the details of the
> attack.
> I also contacted the suspect ISP and told them that IP and the hour it
> happened.
>
> This mail could open a discussion about Internet insecurity, how to
> avoid these attacks, possible solutions, possible ways to analyze the
> results.
>
> Nothing more,
>
> luck!
>
> --
> Xavi Torres <adminat_private>
> Systems administration
> Krypton Networks S.L.
> http://www.kryptonetworks.com/
> http://www.area66.com/
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

--
Avleen Vig, Systems Administrator   Email: avleenat_private
                                    Mobile: (07974) 100 573
Internet Vision                     Tel: 020 7589 4500
60 Albert Court                     Fax: 020 7589 4522
Prince Consort Road                 infoat_private
London. SW7 2BE                     http://www.ivision.co.uk/
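An added example, not part of either mail and not the quoted perl scripts: the same triage in Python over a constructed tcpdump-style sample. It groups echo replies to the victim by /24 to pick out the broadcast amplifier networks, and separately lists the hosts that sent echo requests to the victim, the "is he knocked out yet" pings the poster used as his attribution lead. The log line format, the addresses and the three-hosts-per-/24 threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style sample (documentation/benchmark ranges, not the real attack log).
SAMPLE_LOG = """\
12:00:01.000100 IP 198.51.100.7 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:01.000200 IP 198.51.100.12 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:01.000300 IP 198.51.100.33 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:01.000400 IP 203.0.113.2 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:01.000500 IP 203.0.113.9 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:01.000600 IP 203.0.113.21 > 192.0.2.10: ICMP echo reply, id 9, seq 1, length 1028
12:00:05.000000 IP 198.18.5.44 > 192.0.2.10: ICMP echo request, id 3, seq 1, length 64
12:00:05.000050 IP 192.0.2.10 > 198.18.5.44: ICMP echo reply, id 3, seq 1, length 64
12:00:35.000000 IP 198.18.5.44 > 192.0.2.10: ICMP echo request, id 3, seq 2, length 64
12:00:35.000010 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

def parse_icmp(log_text):
    """Yield (timestamp, src, dst, kind) for each ICMP echo line; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), m.group("dst"), m.group("kind")

def net24(ip):
    """Coarse /24 key: an amplifier shows up as many hosts of one broadcast network."""
    return ip.rsplit(".", 1)[0] + ".0/24"

def triage(log_text, victim, min_amp_hosts=3):
    """Return (amp_nets, probers) for traffic aimed at the victim.

    amp_nets: /24s where >= min_amp_hosts distinct hosts sent echo replies (smurf
    reflection). probers: echo-request sources with counts, the attribution lead.
    """
    reply_hosts = defaultdict(set)
    probers = Counter()
    for _ts, src, dst, kind in parse_icmp(log_text):
        if dst != victim:  # the victim's own outbound replies are not evidence
            continue
        if kind == "reply":
            reply_hosts[net24(src)].add(src)
        else:
            probers[src] += 1
    amp_nets = {net for net, hosts in reply_hosts.items() if len(hosts) >= min_amp_hosts}
    return amp_nets, dict(probers)
```

A lone echo request is only a lead, as the poster says; the amplifier /24s are the part worth sending to the SAFE database and the upstream provider.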
This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 12:40:13 PDT