My understanding is that TCP is used during the break-in process. UDP is then used to communicate with "home base" and other infected machines. It sets up a P2P network using UDP protocols. I expect that false blocking will occur.

On Thu, 2002-09-26 at 11:16, Mark wrote:
> Which brings up another point. It uses TCP to infect, but UDP for the peer
> communication, right? UDP is so easily spoofed, what's to keep me from
> falsely pretending that I am an infected machine at Company X via a simple
> UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
> wished anonymously?
>
> -Mark
>
> ----- Original Message -----
> From: "Anton A. Chuvakin" <antonat_private>
> To: "James P. Kinney III" <jkinneyat_private>
> Cc: <incidentsat_private>
> Sent: Wednesday, September 25, 2002 2:38 PM
> Subject: Re: slapper worm varient "cinik"
>
> > James and all,
> >
> > > Apparently the intruder got rather upset I spoiled his fun and about 15
> > > minutes after I shut him out, I was a victim of a UDP-based DoS attack.
> > Actually, it wasn't an intruder; the UDP flood you are experiencing is a
> > consequence of a worm network design. Most likely the worm managed to join
> > the network before you shut it down and now its peers are trying to access
> > your machine.
> >
> > For more info go to http://isc.incidents.org/analysis.html?id=169 and
> > http://isc.incidents.org/analysis.html?id=167
> >
> > Best,
> > --
> > Anton A. Chuvakin, Ph.D., GCIA
> > http://www.chuvakin.org
> > http://www.info-secure.org
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com

--
James P. Kinney III          \Changing the mobile computing world/
President and CEO             \        one Linux user          /
Local Net Solutions,LLC        \          at a time.          /
770-493-8244                    \.___________________________./
GPG ID: 829C6CA7
James P. Kinney III (M.S. Physics) <jkinneyat_private>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
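Added example, not part of this thread or of any poster's material: a small detector for the situation Anton describes (many worm peers keep sending UDP to a host that has since been cleaned) and a response helper that encodes James's point about false blocking. The log format, the sample lines, the addresses and the UDP port 2002 are all constructed for the example; the regex would need adapting to a real firewall or netflow export.

```python
"""
Flag a UDP "peer fan-in" flood: many distinct sources hitting the same
destination port inside a short window. Then show why the alert's source
addresses should not drive an automatic block list.

Everything below (log format, sample lines, addresses, port) is constructed
for this example and is not taken from the mailing-list thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simple firewall-log style:
# <ISO timestamp> IN <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2002-09-25T14:30:01 IN UDP 10.0.0.5:2002 -> 192.0.2.10:2002
2002-09-25T14:30:01 IN UDP 10.0.0.6:2002 -> 192.0.2.10:2002
2002-09-25T14:30:02 IN UDP 10.0.0.7:2002 -> 192.0.2.10:2002
2002-09-25T14:30:02 IN UDP 10.0.0.8:2002 -> 192.0.2.10:2002
2002-09-25T14:30:03 IN UDP 10.0.0.9:2002 -> 192.0.2.10:2002
2002-09-25T14:30:03 IN UDP 10.0.0.10:2002 -> 192.0.2.10:2002
2002-09-25T14:30:04 IN UDP 10.0.0.11:2002 -> 192.0.2.10:2002
2002-09-25T14:30:04 IN UDP 10.0.0.12:2002 -> 192.0.2.10:2002
2002-09-25T14:30:05 IN UDP 198.51.100.3:53 -> 192.0.2.10:40123
2002-09-25T14:31:10 IN TCP 203.0.113.4:51000 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IN (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_udp_peer_floods(events, window_s=10, min_sources=5, min_packets=8):
    """Bucket inbound UDP by (dst, dport, time window) and flag buckets where
    many distinct sources converge on one port, the signature of a P2P
    network whose peers all keep trying to reach one former member."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for e in events:
        if e["proto"] != "UDP":
            continue
        win = int(e["ts"].timestamp()) // window_s
        b = buckets[(e["dst"], e["dport"], win)]
        b["packets"] += 1
        b["sources"].add(e["src"])
    alerts = []
    for (dst, dport, win), b in sorted(buckets.items()):
        if len(b["sources"]) >= min_sources and b["packets"] >= min_packets:
            alerts.append({"dst": dst, "dport": dport, "window": win,
                           "packets": b["packets"],
                           "distinct_sources": len(b["sources"])})
    return alerts


def suggested_response(alert):
    """UDP has no handshake, so the source addresses in the alert are
    unauthenticated. Reacting by blocking each source one at a time risks
    blocking whoever a third party chose to impersonate (the false blocking
    James expects). Rate-limiting or dropping the destination port at the
    border does not depend on trusting the source field at all."""
    return {"action": "rate-limit-or-drop-dport",
            "dport": alert["dport"],
            "block_sources": False}


if __name__ == "__main__":
    for a in find_udp_peer_floods(parse(SAMPLE_LOG)):
        print("ALERT", a)
        print("RESPONSE", suggested_response(a))
```

With the constructed sample, the eight UDP packets to port 2002 land in one ten-second bucket and produce a single alert; the lone DNS reply and the TCP connection are ignored. The thresholds (`window_s`, `min_sources`, `min_packets`) are illustrative and would be tuned against the normal inbound UDP profile of the host being protected.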
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 21:16:06 PDT