DDoS attack.

From: Daniel F. Chief Security Engineer - (danielfat_private)
Date: Fri Jan 25 2002 - 10:23:26 PST


    I'm looking for help tracing this attack down. It's coming from my network with 
    spoofed IPs to the IP 216.200.108.194, which is not on my network, so it's an 
    outbound attack. Also, none of the source IPs are on my network. 
    
    I have blocked the outgoing traffic at the firewalls so it is not leaving my 
    network. 
    
    Here is a short tcpdump of the traffic. 
    11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
    11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
    11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
    11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
    11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
    
    It has all the signs of a DDoS attack: the window size is always the same, the dst 
    ports are incrementing by one every time, and the source IP is randomized. I 
    cannot find the machine(s) that are generating this, as I have a very large 
    interconnected (cluster $#@!) network that I inherited, which contains well over 
    1600 hosts. 
    
    TIA
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
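The three signs the poster lists (constant window, climbing destination port, a fresh source address on every packet) can be scored mechanically over a tcpdump text capture, and two further checks are worth adding: two of the quoted sources, 255.8.148.250 (240.0.0.0/4, reserved) and 226.66.36.238 (224.0.0.0/4, multicast), can never legitimately originate a TCP SYN, so their presence as sources proves the address field is forged rather than merely "not ours", and any source outside the site's own prefix is exactly what BCP 38 egress filtering at the firewall is meant to drop. The script below is an added example, not code from the original post or from SecurityFocus; it re-joins the five wrapped SYN lines from the post into one line each, adds a constructed benign capture for contrast, and assumes a hypothetical local prefix (192.0.2.0/24 for the posted capture, 10.1.2.0/24 for the benign one) since the post does not give the site's range.

```python
import ipaddress
import re
from typing import Dict, List

# The five SYN lines quoted in the post above, each re-joined onto one line
# (the mail client had wrapped them after the "S").
POSTED_CAPTURE = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""

# Constructed benign contrast (not from the post): two internal clients opening
# ordinary connections to a web server. All addresses here are hypothetical.
BENIGN_CAPTURE = """\
12:00:01.000100 10.1.2.3.40001 > 192.0.2.10.80: S 1:1(0) win 5840
12:00:01.200100 10.1.2.3.40002 > 192.0.2.10.443: S 2:2(0) win 16384
12:00:01.400100 10.1.2.4.33000 > 192.0.2.10.80: S 3:3(0) win 5840
"""

# Matches the classic tcpdump 3.x one-line SYN format used in the post:
# "<ts> <src>.<sport> > <dst>.<dport>: S <seq>:<seq>(0) win <win>"
SYN_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+S\s+\S+\s+win\s+(?P<win>\d+)"
)


def parse_syns(capture: str) -> List[Dict[str, object]]:
    """Return one dict per SYN line; lines in any other format are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = SYN_LINE.match(line.strip())
        if not m:
            continue
        pkts.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "win": int(m["win"]),
        })
    return pkts


def is_bogon_source(ip: str) -> bool:
    """True for addresses that can never legitimately originate a SYN on the
    Internet: multicast (224/4), reserved (240/4), loopback, 0.0.0.0 and
    link-local. Seeing one of these as a *source* proves the field is forged."""
    a = ipaddress.ip_address(ip)
    return (a.is_multicast or a.is_reserved or a.is_loopback
            or a.is_unspecified or a.is_link_local)


def analyse(capture: str, local_net: str) -> Dict[str, object]:
    """Score a capture against the three signs named in the post (constant
    window, climbing dst port, source changes every packet) plus two spoofing
    checks (bogon source, source outside local_net). local_net is the prefix
    the capturing site is legitimately allowed to source traffic from."""
    net = ipaddress.ip_network(local_net)
    pkts = parse_syns(capture)
    dports = [p["dport"] for p in pkts]
    sources = [p["src"] for p in pkts]
    return {
        "packets": len(pkts),
        "constant_window": len({p["win"] for p in pkts}) == 1,
        "dports_increasing": all(b > a for a, b in zip(dports, dports[1:])),
        "unique_sources": len(set(sources)) == len(sources),
        "bogon_sources": [s for s in sources if is_bogon_source(s)],
        "foreign_sources": [s for s in sources
                            if ipaddress.ip_address(s) not in net],
    }


def looks_like_spoofed_syn_flood(report: Dict[str, object]) -> bool:
    """Flag when every packet carries a fresh source, the window never changes,
    the destination port climbs, and at least one source is provably forged
    (bogon) or lies outside the prefix this site may source from."""
    return (
        report["packets"] >= 3
        and report["constant_window"]
        and report["dports_increasing"]
        and report["unique_sources"]
        and bool(report["bogon_sources"] or report["foreign_sources"])
    )


if __name__ == "__main__":
    # Local prefixes are hypothetical; the post does not give the site's range.
    for name, cap, net in (("posted", POSTED_CAPTURE, "192.0.2.0/24"),
                           ("benign", BENIGN_CAPTURE, "10.1.2.0/24")):
        r = analyse(cap, net)
        print(name, "spoofed SYN flood:", looks_like_spoofed_syn_flood(r), r)
```

Because the IP source field is forged, the only honest identifier in these packets is the layer-2 source address; capturing with `tcpdump -e -n 'tcp[tcpflags] & tcp-syn != 0 and dst host 216.200.108.194'` on the segment just inside the firewall prints the source MAC of each SYN, which can then be followed back through the switches' forwarding tables to a port, and from there to the offending host or the next switch. Once the host is found, an egress rule that drops any packet whose source is not in the site's own prefix keeps the next compromised box from doing the same thing.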
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 10:53:00 PST