RE: DoS, possibly spoofed IP Addresses

From: Nelson, Jeffrey (Jeffrey.Nelsonat_private)
Date: Wed Apr 03 2002 - 12:11:12 PST

    Ditto Corey. His site has rather well-written text that, on the surface,
    seems sound. I have not spent much time there simply because of numerous
    sources relaying the same message you have here. I would go to any one of
    the plethora of legit security sites that are approved by the mainstream
    security market.
    
    More to your question, Murat, I have been in a very similar situation. Sad
    to say but you will have a very difficult time tracking this back to a live
    individual since you will need the cooperation of every ISP at every hop the
    attacker came at you from. You will need to get an agency that can obtain a
    court order to access the ISP's log files. Typically, the FBI is the only
    one that does this. For them to act you will need to prove that such DoS
    attacks have caused more than $25,000 damage.
    
    I have seen (been targeted) a DDoS attack launched by 4 attackers in
    different parts of the world. They would rotate the attack between them. I
    was able to locate one in Wisconsin. I did this only because the sys admin
    at this particular ISP was pretty cool. He couldn't release the name but he
    told me all he could about the kid. If I could have gotten the backing I
    could have prosecuted.
    
    The only life boat was to upgrade hardware to deal with it as well as garner
    agreements from my upstream provider to assist in filtering.
    
    Regards,
    
    Jeff
    
    
    -----Original Message-----
    From: Snow, Corey [mailto:CSNOWat_private]
    Sent: Wednesday, April 03, 2002 1:40 PM
    To: 'Jupp, Peter'; 'mahmut korkmaz'; incidentsat_private
    Subject: RE: DoS, possibly spoofed IP Addresses
    
    
    Steve Gibson's position on a number of issues, most notably the XP/raw
    sockets issue, is not one that is shared by a majority (vast majority) of
    security professionals.
    
    Steve Gibson's research on the use of raw sockets is, to say the least,
    flawed (IMO). Also, Mr. Gibson engages in no small amount of FUD in his
    site, which is less informative than it is inflammatory, again IMO.
    
    I would *highly* recommend a search of the archives of this list, Bugtraq,
    and the security-basics list for more information on Steve Gibson and
    GRC.com before you take anything he says on his website at http://grc.com as
    being useful and/or valuable.
    
    I am not attacking Steve Gibson personally here; in my opinion he's probably
    a nice guy. But his actions have done more to harm information security than
    improve it. As the site grcsucks.com says, Mr. Gibson is not a scam(er), but
    his motivations are worth questioning, as are his methods.
    
    Also, see some of these URLs for counters to Steve Gibson's statements on a
    number of issues:
    
    http://grcsucks.com
    http://www.theregister.co.uk/content/55/24189.html
    http://staff.washington.edu/dittrich/misc/ddos/grc-reply.txt
    
    
    I don't speak for my employer.
    
    Corey Snow
    
    
    > -----Original Message-----
    > From: Jupp, Peter [mailto:JuppPat_private]
    > Sent: Wednesday, April 03, 2002 6:56 AM
    > To: 'mahmut korkmaz'; incidentsat_private
    > Subject: RE: DoS, possibly spoofed IP Addresses
    > 
    > 
    > Hi Murat,
    > The best reading I've done about DoS attacks was courtesy of 
    > Steve Gibson, look here http://grc.com/dos/grcdos.htm , of 
    > particular interest elsewhere on Mr Gibson's site is the 
    > information about Windows XP raw sockets, which deliver IP 
    > spoofing capability to the masses. 
    > Good Luck, 
    > Peter.
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 15:32:48 PST