RE: DoS, possibly spoofed IP Addresses

From: Jupp, Peter (JuppPat_private)
Date: Wed Apr 03 2002 - 06:55:30 PST


    Hi Murat,
    The best reading I've done about DoS attacks was courtesy of Steve Gibson; look here: http://grc.com/dos/grcdos.htm. Of particular interest elsewhere on Mr Gibson's site is the information about Windows XP raw sockets, which deliver IP spoofing capability to the masses.
    Good Luck, 
    Peter.
    
    -----Original Message-----
    From: mahmut korkmaz [mailto:mahmutkorkmazat_private]
    Sent: Monday, April 01, 2002 9:16 PM
    To: incidentsat_private
    Subject: DoS, possibly spoofed IP Addresses
    
    
    Folks,
    
    I have been dealing with this DoS attack for a long while. Actually, my 
    problem is not identifying the attack; rather, it is tracing the source 
    IP.
    
    My SNORT logs show that this guy is trying to hack into the DNS server over 
    UDP. In the payloads of the packets I see the "/bin/sh" string. There is 
    no other clue about the exploit he is trying. It is causing a DoS, at the 
    end of the day. Driving me NUTS :( Consuming all my bandwidth.... Then again 
    the same cycle... Call the ISP, block the guy and keep searching....
    
    
    I am trying to block this guy from the ISP. However, he is changing the IP 
    all the time. Whenever I try to trace the IP, it is either not alive, or the 
    ISP of the IP says they see no traffic from that guy. I am almost sure that 
    he is spoofing the IP.
    
    By the way, tracing this guy by talking to one ISP after another is also not 
    helpful... Because it is time killing, trying to convince the NOC guy of the ISP 
    to check the routers for us and stuff like that.... Most of the time they 
    refuse at first to check the routers, because we are not their customer and 
    so on...
    
    So, the bottom line is, have you ever been in a similar position before? If 
    so, what was your life-boat?
    
    Any comments....
    
    Murat
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 08:25:52 PST