Re: DDoS attack.

From: Bugtraq Mailing Lists (bugtraqat_private)
Date: Sun Jan 27 2002 - 10:31:30 PST


    You should start implementing ingress filtering on your routers
    so that this spoofed attack will not happen again from your end users.
    
    If you have a Cisco-based router:
    conf t
    int e0/0 <-- do this on all of your interfaces
    ip verify unicast reverse-path
    
    If you have an ISis or other Linux-based router/firewall:
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter   # "all" covers every interface; per-interface entries live under conf/<iface>/rp_filter
    
    
    On Fri, 25 Jan 2002, Daniel F. Chief Security Engineer - wrote:
    
    > I'm looking for help tracing this attack down. It's coming from my network with
    > spoofed IPs to the 216.200.108.194 IP, which is not on my network, so it's an
    > outbound attack. Also, none of the source IPs are on my network.
    >
    > I have blocked the outgoing traffic at the firewalls so it is not leaving my
    > network.
    >
    > Here is a short tcpdump of the traffic.
    > 11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
    > 11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
    > 11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
    > 11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
    > 11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
    >
    > It's got all the signs of a DDoS attack: the window size is always the same, the dst
    > ports are incrementing by one every time, and the source IP is randomized. I
    > cannot find the machine(s) that are generating this, as I have a very large
    > interconnected (cluster $#@!) network that I inherited, which contains well over
    > 1600 hosts.
    >
    > TIA
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
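The checks the two posters describe (source address not in the site's own prefixes, constant window size, climbing destination port, randomized and sometimes impossible sources) can be run over a tcpdump text capture. This is an added example, not code from either poster; the capture lines are the ones quoted in the thread, and the LOCAL_PREFIXES values are hypothetical stand-ins for the site's real ranges, which the thread does not give.

```python
import ipaddress
import re
from collections import Counter

# Capture lines as quoted in the thread, joined back onto single lines.
SAMPLE = """\
11:34:50.660747 43.150.52.83.24630 > 216.200.108.194.5371: S 1667351577:1667351577(0) win 65535
11:34:50.661041 54.216.84.23.29249 > 216.200.108.194.5372: S 1116047630:1116047630(0) win 65535
11:34:50.661420 255.8.148.250.22903 > 216.200.108.194.5377: S 2101768472:2101768472(0) win 65535
11:34:50.661762 226.66.36.238.2498 > 216.200.108.194.5378: S 1399051237:1399051237(0) win 65535
11:34:50.661910 98.139.159.60.41527 > 216.200.108.194.5379: S 417777474:417777474(0) win 65535
"""

# Hypothetical site prefixes (documentation ranges); replace with your own.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

# ts src.sport > dst.dport: S ... win N   (tcpdump SYN line, 2002-era format)
LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S .*win (\d+)")

def parse(capture):
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append({"src": m.group(2), "sport": int(m.group(3)),
                         "dst": m.group(4), "dport": int(m.group(5)),
                         "win": int(m.group(6))})
    return pkts

def is_local(addr):
    # The egress/uRPF test: a packet leaving the site must carry a local source.
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_PREFIXES)

def is_bogon(addr):
    # Multicast or reserved (240/4) sources can never be legitimate senders.
    a = ipaddress.ip_address(addr)
    return a.is_multicast or a.is_reserved

def analyze(capture):
    pkts = parse(capture)
    dports = [p["dport"] for p in pkts]
    return {"total": len(pkts),
            "spoofed": sum(not is_local(p["src"]) for p in pkts),
            "bogon": sum(is_bogon(p["src"]) for p in pkts),
            "unique_src": len({p["src"] for p in pkts}),
            "constant_win": len(Counter(p["win"] for p in pkts)) == 1,
            "dports_increasing": all(a < b for a, b in zip(dports, dports[1:]))}
```

With uRPF or rp_filter in place, every packet this script counts as spoofed would have been dropped at the first router instead of reaching the firewall.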



    This archive was generated by hypermail 2b30 : Sun Jan 27 2002 - 20:08:21 PST