On Thu, 14 Feb 2002, John Elliott wrote:

> On February 13, 2002 22:58 pm, Dave Dittrich wrote:
> [snip]
> >
> > This attack used a variation of a TCP based reflection attack that is
> > not widely known to exist in the wild. Steve's early analysis of the
> > attack is included below (Appendix A).
> >
> > While there may be a new (D)DoS program "in the wild" to implement this
> > attack, the risks and methods have been known for two or more years
> > and some simple modifications to existing tools, and a good list of
> > high-capacity routers, switches, and servers, could affect an attack
> > of this type.
>
> I have two web servers on different networks that have been receiving this
> type of traffic for the last 2 or 3 weeks. The same source IP's hit both
> hosts at about the same time. This is low rate traffic and generates ACK's
> back to the target. I have been logging this activity for about two weeks
> and have captured some of the packets. I suspect that more than one machine
> have the same reflector host list based on the varying times of day when
> activity occurs.

I noticed this traffic on my machine last November, it wasn't until a few
weeks ago that I had time to figure out it was some sort of SYN flood. I'm
glad someone finally mentioned this, as I thought I had pissed someone off. :)

I have a couple of packets from Jan 3 if anyone needs them.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com
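The symptom described in this thread (the same source addresses sending low-rate SYNs to unrelated hosts at about the same time, with no handshake ever completed) can be checked for in packet logs. The following is an added example, not part of the original messages; the record format, addresses (documentation ranges), function name and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, src_ip, dst_ip, tcp_flags)
# as logged in front of two monitored web servers on different networks.
MONITORED = {"198.51.100.5", "203.0.113.7"}
SAMPLE = [
    (1000.0, "192.0.2.10", "198.51.100.5", "S"),
    (1000.4, "192.0.2.10", "203.0.113.7", "S"),
    (1001.0, "192.0.2.10", "198.51.100.5", "R"),  # RST answering our SYN/ACK
    (1200.0, "192.0.2.50", "198.51.100.5", "S"),
    (1200.1, "192.0.2.50", "198.51.100.5", "A"),  # real client completes handshake
    (1300.0, "192.0.2.60", "198.51.100.5", "S"),
    (1300.2, "192.0.2.60", "203.0.113.7", "S"),
    (1300.3, "192.0.2.60", "203.0.113.7", "A"),   # visits both hosts, but completes
    (2000.0, "192.0.2.11", "198.51.100.5", "S"),
    (2090.0, "192.0.2.11", "203.0.113.7", "S"),   # 90 s apart: outside the window
    (4600.0, "192.0.2.10", "203.0.113.7", "S"),
    (4600.3, "192.0.2.10", "198.51.100.5", "S"),
]

def suspected_spoofed_sources(records, monitored, window=5.0, min_hosts=2):
    """Return {src: syn_count} for sources whose SYNs reach at least
    `min_hosts` monitored hosts within `window` seconds and that never
    send the bare ACK that completes a three-way handshake."""
    syns = defaultdict(list)  # src -> [(timestamp, dst)]
    completed = set()         # sources seen completing a handshake
    for ts, src, dst, flags in records:
        if dst not in monitored:
            continue
        if flags == "S":
            syns[src].append((ts, dst))
        elif flags == "A":
            completed.add(src)
    hits = {}
    for src, events in syns.items():
        if src in completed:
            continue  # a spoofed source cannot finish the handshake
        events.sort()
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) >= min_hosts:
                hits[src] = len(events)
                break
    return hits

if __name__ == "__main__":
    for src, count in suspected_spoofed_sources(SAMPLE, MONITORED).items():
        print(f"{src}: {count} SYNs, no completed handshake (likely spoofed target)")
```

A source flagged here is most likely the address being targeted, not the sender, so the finding is better used for rate limiting SYN/ACK replies and notifying that network than for blocking it.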