Re: Smurf Broadcast DoS attack

From: Avleen Vig (incidenthandlingat_private)
Date: Fri Aug 24 2001 - 07:46:06 PDT


    Please have a look at:
        http://www.ircnetops.org/smurf
    It's the home page of the SAFE project which I run. Can you see if any
    of the IP addresses that attacked you are in the database?
    If they are I will jump on the admins. They've been told at least twice
    that most of them are running open amplifiers.
    
    
    Thanks,
    Avleen Vig
    
    On Thu, Aug 23, 2001 at 12:35:14PM +0200, X wrote:
    > 
    > Hello,
    > 
    > Yesterday, one of the servers I admin was attacked by massive broadcast
    > ICMPs. The typical 'smurf' attack.
    > 
    > I am working on discovering who did it:
    > 
    > During the attack, I loaded tcpdump and redirected its output to a
    > logfile to study and analyze it later. 
    > 
    > Once I had the log in my hands, I took the Perl interpreter and wrote several
    > scripts to search for some evidence, like ICMPs made from the attacker to test
    > the ping response or, in other words, to know the sharpness of his/her
    > attack.
    > 
    > All the IPs that sent the ICMP packets were not alone, I mean that they
    > were in a series of IPs, that is: B, C internet network classes -->
    > broadcasts. All of them were from other countries. I continued looking for
    > some evidence.
    > 
    > I found a clue when I saw some ICMP echoes to the victim's IP coming from
    > a national ISP. That is a subscriber IP from that ISP, perhaps the
    > attacker.
    > 
    > I think that way because if I was the attacker, I would make some ping
    > to the victim to see if he is knocked out. Perhaps the attacker didn't
    > think that I was logging, or that I would be unable to find his IP.
    > 
    > I have to tell you that the attacked server does not have any service, it is not
    > known by anyone. I use it to develop and test software. It is an old
    > SGI Indigo 2. So it does not have any traffic to/from outside my network. That
    > brings me to suspect that this national-ISP IP was the attacker.
    > 
    > I attach to this mail the list of IPs, some of them resolved, that sent
    > the broadcast ICMPs.
    > I contacted my frame-relay provider and sent them the details of the
    > attack.
    > I also contacted the suspect ISP and told them that IP and the hour it
    > happened.
    > 
    > This mail could open a discussion about Internet insecurity, how to
    > avoid these attacks, possible solutions, possible ways to analyze the
    > results.
    > 
    > Nothing more,
    > 
    > luck!
    > 
    > 
    > -- 
    > 
    > Xavi Torres <adminat_private>
    > Systems administration
    > Krypton Networks S.L.
    > http://www.kryptonetworks.com/
    > http://www.area66.com/
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    -- 
    
    Avleen Vig, Systems Administrator                
    Email: avleenat_private               Mobile: (07974) 100 573
    
    Internet Vision                                Tel: 020 7589 4500
    60 Albert Court                                Fax: 020 7589 4522
    Prince Consort Road                            infoat_private
    London. SW7 2BE                         http://www.ivision.co.uk/
    
    
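An added example, not code from either message in this thread: the kind of log sifting Xavi describes, written in Python instead of Perl, run over constructed tcpdump lines. It assumes tcpdump's old `src > dst: icmp: echo reply` line format, a victim address of 192.0.2.10, and that the attacker's probe pings arrive as echo requests while the reflected smurf traffic arrives as echo replies from many hosts in the same /24.

```python
import re
from collections import defaultdict

# Constructed tcpdump output (not from the thread): two amplifier networks
# reflecting echo replies at the victim, plus one lone host pinging it.
SAMPLE_LOG = """\
12:35:14.000101 198.51.100.1 > 192.0.2.10: icmp: echo reply
12:35:14.000118 198.51.100.2 > 192.0.2.10: icmp: echo reply
12:35:14.000133 198.51.100.3 > 192.0.2.10: icmp: echo reply
12:35:14.000140 198.51.100.17 > 192.0.2.10: icmp: echo reply
12:35:14.000201 203.0.113.5 > 192.0.2.10: icmp: echo reply
12:35:14.000220 203.0.113.6 > 192.0.2.10: icmp: echo reply
12:35:14.000231 203.0.113.9 > 192.0.2.10: icmp: echo reply
12:35:15.300000 198.18.0.9 > 192.0.2.10: icmp: echo request
12:35:15.300050 192.0.2.10 > 198.18.0.9: icmp: echo reply
12:35:19.300000 198.18.0.9 > 192.0.2.10: icmp: echo request
"""

# Matches both "icmp: echo reply" (old tcpdump) and "ICMP echo reply" (newer).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):"
    r"\s+icmp:?\s+echo\s+(?P<kind>request|reply)",
    re.IGNORECASE,
)

def parse_icmp(log_text):
    """Yield (src, dst, kind) for every ICMP echo line tcpdump printed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind").lower()

def slash24(ip):
    return ".".join(ip.split(".")[:3]) + ".0/24"

def analyze(log_text, victim, min_hosts=3):
    """Split ICMP aimed at the victim into amplifier networks and probe candidates.
    Amplifier: at least min_hosts distinct hosts in one /24 sending echo replies.
    Probe candidate: a host sending echo requests that is not in an amplifier /24."""
    reply_hosts = defaultdict(set)
    request_counts = defaultdict(int)
    for src, dst, kind in parse_icmp(log_text):
        if dst != victim:
            continue  # ignore the victim's own replies and unrelated traffic
        if kind == "reply":
            reply_hosts[slash24(src)].add(src)
        else:
            request_counts[src] += 1
    amplifiers = {net: len(h) for net, h in reply_hosts.items() if len(h) >= min_hosts}
    probes = {ip: n for ip, n in request_counts.items() if slash24(ip) not in amplifiers}
    return amplifiers, probes
```

The amplifier list is what you would check against a database such as the SAFE project's; the probe list is the short list of hosts worth reporting to their ISP with timestamps.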



    This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 12:40:13 PDT