Re: DDoS attack.

From: Daniel F. Chief Security Engineer - (danielfat_private)
Date: Fri Jan 25 2002 - 12:12:48 PST


    Thanks for everyone's help.
    
    The -e is what I was missing to get this guy.
    
    Thanks again.
    
    
    On Friday 25 January 2002 01:04 pm, Glenn Forbes Fleming Larratt wrote:
    > A "tcpdump -ner" will show you the MAC address or addresses your tcpdump
    > host sees for this traffic. That address or addresses will either belong
    > to the source host, or a core router through which it came.
    >
    > If it's a router, you'll need to trace back to which network on the
    > other side of it, and iterate as necessary. A portable tcpdump host
    > would come in handy to do so.
    >
    > If it's a Cisco router, you might look into deploying the per-interface
    > command "ip verify unicast reverse-path" (I think - I may have
    > misremembered the syntax), which automatically prevents spoofing beyond the
    > scope of the LAN segment. Check this command out at www.cisco.com .
    >
    > 	-g
    >
    > On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:
    > > Date: Fri, 25 Jan 2002 12:23:26 -0600
    > > From: Daniel F. Chief Security Engineer - <danielfat_private>
    > > To: incidentsat_private
    > > Subject: DDoS attack.
    > >
    > > I'm looking for help tracing this attack down. It's coming from my network
    > > with spoofed IPs to 216.200.108.194 IP which is not on my network, so it's
    > > an outbound attack. Also none of the source IPs are on my network.
    > >
    > > I have blocked the outgoing traffic at the firewalls so it is not leaving
    > > my network.
    > >
    > > Here is a short tcpdump of the traffic.
    > > 11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S
    > > 1667351577:1667351577(0) win 65535
    > > 11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S
    > > 1116047630:1116047630(0) win 65535
    > > 11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S
    > > 2101768472:2101768472(0) win 65535
    > > 11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S
    > > 1399051237:1399051237(0) win 65535
    > > 11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S
    > > 417777474:417777474(0) win 65535
    > >
    > > It's got all the signs of a DDoS attack: window size is always the same, dst
    > > ports are incrementing by one every time, and the source IP is
    > > randomized. I cannot find the machine(s) that are generating this as I
    > > have a very large interconnected (cluster $#@!) network that I inherited
    > > which contains well over 1600 hosts.
    > >
    > > TIA
    >
    > 				Glenn Forbes Fleming Larratt
    > 				Rice University Network Management
    > 				glrattat_private
    >
    >
    > ---------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    Chief Security Engineer | Daniel Fairchild danielfat_private
    Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
    
    
    
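As an added illustration of the signs Daniel lists (fixed window, rising destination ports, never-repeating sources on outbound SYNs), here is a small Python checker that parses the tcpdump lines quoted in the thread and scores them; it is not code from the thread, and the local prefix 192.0.2.0/24 is an assumed placeholder for the network the capture was taken on. It goes one step beyond the post by also flagging multicast and reserved source addresses, which can never be legitimate origins and so prove spoofing on their own.

```python
import re
import ipaddress

# The five SYN records quoted in the post (tcpdump's two-line layout joined).
SAMPLE = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""

# timestamp src.port > dst.port: FLAGS seq:seq(len) win N
LINE = re.compile(r"^\s*(\d\d:\d\d:\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+) \d+:\d+\(\d+\) win (\d+)")

def parse(text):
    """One dict per matching line; non-matching lines (e.g. ARP) are skipped."""
    return [dict(ts=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]),
                 flags=m[6], win=int(m[7]))
            for m in map(LINE.match, text.splitlines()) if m]

def routable_source(addr):
    """False for multicast, reserved, private, loopback or unspecified sources."""
    a = ipaddress.ip_address(addr)
    return not (a.is_multicast or a.is_reserved or a.is_private
                or a.is_loopback or a.is_unspecified)

def assess(recs, local_net):
    """Score a capture against the signs named in the thread. local_net is the
    prefix of the network the capture was taken on (an assumed placeholder)."""
    local = ipaddress.ip_network(local_net)
    srcs = [r["src"] for r in recs]
    dports = [r["dport"] for r in recs]
    f = {
        "packets": len(recs),
        "single_dst": len({r["dst"] for r in recs}) == 1,
        "all_syn": all(r["flags"] == "S" for r in recs),
        "constant_win": len({r["win"] for r in recs}) == 1,
        "rising_dports": all(b > a for a, b in zip(dports, dports[1:])),
        "unique_sources": len(set(srcs)) == len(srcs),
        "off_net_sources": sum(ipaddress.ip_address(s) not in local for s in srcs),
        "unroutable_sources": sorted(s for s in set(srcs) if not routable_source(s)),
    }
    # Outbound SYNs whose sources are all foreign to the local prefix are spoofed.
    f["looks_like_syn_flood"] = (f["single_dst"] and f["all_syn"] and f["constant_win"]
                                 and f["unique_sources"] and f["off_net_sources"] == len(recs))
    return f
```

Run `assess(parse(SAMPLE), "192.0.2.0/24")` to see the verdict; feeding it a `tcpdump -e` capture still needs the MAC columns stripped first, since the regex only covers the layout shown in the post.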
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 13:54:48 PST