Which brings up another point. It uses TCP to infect, but UDP for the peer
communication, right? UDP is so easily spoofed, what's to keep me from
falsely pretending that I am an infected machine at Company X via a simple
UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
wished anonymously?

-Mark

----- Original Message -----
From: "Anton A. Chuvakin" <antonat_private>
To: "James P. Kinney III" <jkinneyat_private>
Cc: <incidentsat_private>
Sent: Wednesday, September 25, 2002 2:38 PM
Subject: Re: slapper worm varient "cinik"

> James and all,
>
> >Apparently the intruder got rather upset I spoiled his fun and about 15
> >minutes after I shut him out, I was a victim of a udp-based DOS attack.
>
> Actually, it wasn't an intruder; the UDP flood you are experiencing is a
> consequence of a worm network design. Most likely the worm managed to join
> the network before you shut it down and now its peers are trying to access
> your machine.
>
> For more info go to http://isc.incidents.org/analysis.html?id=169 and
> http://isc.incidents.org/analysis.html?id=167
>
> Best,
> --
> Anton A. Chuvakin, Ph.D., GCIA
> http://www.chuvakin.org
> http://www.info-secure.org
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 21:13:20 PDT