Hi Murat,

The best reading I've done about DoS attacks was courtesy of Steve Gibson; look here: http://grc.com/dos/grcdos.htm. Of particular interest elsewhere on Mr Gibson's site is the information about Windows XP raw sockets, which deliver IP spoofing capability to the masses.

Good Luck,
Peter.

-----Original Message-----
From: mahmut korkmaz [mailto:mahmutkorkmazat_private]
Sent: Monday, April 01, 2002 9:16 PM
To: incidentsat_private
Subject: DoS, possibly spoofed IP Addresses

Folks,

I have been dealing with this DoS attack for a long while. Actually, my problem is not identifying the attack, yet mine is about tracing the source IP.

My SNORT logs show that this guy is trying to hack into DNS server over UDP. In the payloads of the packet I see those "/bin/sh" string. There is no other clue about the exploit he is trying on. It is causing a DoS, at the end of the day. Driving me NUTS :( Consuming all my bandwidth.... Then again the same cycle... Call the ISP, block the guy and keep searching....

I am trying to block this guy from the ISP. However he is changing the IP all the time. Whenever I try to trace the IP, it is either not alive, or the ISP of the IP says they see no traffic from that guy. I am almost sure that he is spoofing the IP.

By the way, tracing this guy by talking to one ISP after another is also not helpful... Because it is time killing, trying to convince the NOC guy of ISP to check the routers for us and stuff like that.... Most of the time they reject at first to check the routers, because we are not their customer and so on...

So, the bottom line is, have you ever been in a similar position before? If so, what was your life-boat?

Any comments....

Murat

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 08:25:52 PST