Re: DDoS attack.

From: Glenn Forbes Fleming Larratt (glrattat_private)
Date: Fri Jan 25 2002 - 11:04:49 PST

Next message: Neil Dickey: "Re: DDoS attack."

Previous message: Peter Bates: "Strings of 'EEEE' in pings..."
In reply to: Daniel F. Chief Security Engineer -: "DDoS attack."
Next in thread: Daniel F. Chief Security Engineer -: "Re: DDoS attack."
Next in thread: Neil Dickey: "Re: DDoS attack."
Reply: Daniel F. Chief Security Engineer -: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

A "tcpdump -ner" will show you the MAC address or addresses your tcpdump
host sees for this traffic. That address or addresses will either belong
to the source host, or a core router through which it came.

If it's a router, you'll need to trace back to which network on the
other side of it, and iterate as necessary. A portable tcpdump host
would come in handy to do so.

If it's a Cisco router, you might look into deploying the per-interface
command "ip verify unicast reverse-path" (I think - I may have misremembered
the syntax), which automatically prevents spoofing beyond the scope of
the LAN segment. Check this command out at www.cisco.com .

	-g


On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:

> Date: Fri, 25 Jan 2002 12:23:26 -0600
> From: Daniel F. Chief Security Engineer - <danielfat_private>
> To: incidentsat_private
> Subject: DDoS attack.
>
> Im looking for help tracing this attack down. Its coming from my network with
> spoofed IPs to 216.200.108.194 IP which is not on my network so its and
> outbound attack. Also none of the source IPs are on my network.
>
> I have blocked the outgoing traffic at the firewalls so it is not leaving my
> network.
>
> Here is a short tcpdump if the traffic.
> 11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S
> 1667351577:1667351577(0) win 65535
> 11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S
> 1116047630:1116047630(0) win 65535
> 11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S
> 2101768472:2101768472(0) win 65535
> 11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S
> 1399051237:1399051237(0) win 65535
> 11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S
> 417777474:417777474(0) win 65535
>
> It got all the signs of a dDoS attack window size is always the same dst
> ports are incrementing by one every time. and the source IP is randomized. I
> cannot fine the machine(s) that are generating this as I have a very large
> interconnected(cluster $#@!) network that inherited which comatins well over
> 1600 hosts.
>
> TIA
>


				Glenn Forbes Fleming Larratt
				Rice University Network Management
				glrattat_private


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Neil Dickey: "Re: DDoS attack."
Previous message: Peter Bates: "Strings of 'EEEE' in pings..."
In reply to: Daniel F. Chief Security Engineer -: "DDoS attack."
Next in thread: Daniel F. Chief Security Engineer -: "Re: DDoS attack."
Next in thread: Neil Dickey: "Re: DDoS attack."
Reply: Daniel F. Chief Security Engineer -: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 11:19:18 PST