RE: DoS, possibly spoofed IP Addresses

From: Jupp, Peter (JuppPat_private)
Date: Wed Apr 03 2002 - 06:55:30 PST

Next message: Snow, Corey: "RE: DoS, possibly spoofed IP Addresses"

Previous message: Brenna Primrose: "RE: Unknown Hosts file"
Maybe in reply to: mahmut korkmaz: "DoS, possibly spoofed IP Addresses"
Next in thread: Rob Thomas: "RE: DoS, possibly spoofed IP Addresses"
Next in thread: Snow, Corey: "RE: DoS, possibly spoofed IP Addresses"
Reply: Rob Thomas: "RE: DoS, possibly spoofed IP Addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Murat,
The best reading I've done about DoS attacks was courtesy of Steve Gibson, look here http://grc.com/dos/grcdos.htm , of particular interest elsewhere on Mr Gibson's site is the information about Windows XP raw sockets, which deliver IP spoofing capability to the masses. 
Good Luck, 
Peter.

-----Original Message-----
From: mahmut korkmaz [mailto:mahmutkorkmazat_private]
Sent: Monday, April 01, 2002 9:16 PM
To: incidentsat_private
Subject: DoS, possibly spoofed IP Addresses

Folks,

I have been dealing with this DoS attack for a long while. Actually, my 
problem is not identifying the attack, yet mine is about tracing the source 
IP.

My SNORT logs show that, this guys is trying to hack into DNS server over 
UDP. In the payloads of the packet i see those "/bin/sh"  string. There is 
no other clue about the exploit he is trying on. It is causing a DoS, at the 
end of the day. Driving me NUTs :( Consuming all my bandwith.... Then again 
the same cycle... Call the ISP, block the guy and keep searching....

I am trying to block this guy from the ISP. However he is changing the IP 
all the time. Whenever i try to trace the IP, it is either not alive, or the 
ISP of the IP says, they see no traffic from that guy. I am almost sure that 
he is spoofing the IP.

By the way, tracing this guy, by talking one ISP another is also not 
helpful... Because it is time killing, trying to convince the NOC guy of ISP 
to check the routers for us and staff like that.... Most of the time they 
reject at first to check the routers, because we are not their customer and 
so on...

So, the bottom line is, have you ever been to a similar position before, if 
so what was your life-boat ?

Any comments....

Murat

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail. 
http://www.hotmail.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Snow, Corey: "RE: DoS, possibly spoofed IP Addresses"
Previous message: Brenna Primrose: "RE: Unknown Hosts file"
Maybe in reply to: mahmut korkmaz: "DoS, possibly spoofed IP Addresses"
Next in thread: Rob Thomas: "RE: DoS, possibly spoofed IP Addresses"
Next in thread: Snow, Corey: "RE: DoS, possibly spoofed IP Addresses"
Reply: Rob Thomas: "RE: DoS, possibly spoofed IP Addresses"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 08:25:52 PST