Well, actually, I do believe the whole p2p network has some sort of password arrangement so only the intended sources can control it. However, that password has already been reverse-engineered from the binaries by many parties, I have heard.

So no, you don't even have to spoof your address, all you have to do is get that password from the binaries...

--
Toni Heinonen, Teleware Oy
Wireless +358 (40) 836 1815
Telephone +358 (9) 3434 9123
toni.heinonenat_private
www.teleware.fi

> -----Original Message-----
> From: Mark [mailto:markat_private]
> Sent: 26 September 2002 18:16
> To: Anton A. Chuvakin; James P. Kinney III
> Cc: incidentsat_private
> Subject: Re: slapper worm varient "cinik"
>
> Which brings up another point. It uses TCP to infect, but
> UDP for the peer communication, right? UDP is so easily
> spoofed, what's to keep me from falsely pretending that I am
> an infected machine at Company X via a simple UDP spoof,
> causing the peers to DoS Company X, essentially DoSsing
> anyone I wished anonymously?
>
> -Mark
>
> ----- Original Message -----
> From: "Anton A. Chuvakin" <antonat_private>
> To: "James P. Kinney III" <jkinneyat_private>
> Cc: <incidentsat_private>
> Sent: Wednesday, September 25, 2002 2:38 PM
> Subject: Re: slapper worm varient "cinik"
>
> > James and all,
> >
> > >Apparently the intruder got rather upset I spoiled his fun and about
> > >15 minutes after I shut him out, I was a victim of a udp-based DOS
> > >attack.
> >
> > Actually, it wasn't an intruder; the UDP flood you are experiencing is
> > a consequence of a worm network design. Most likely the worm managed
> > to join the network before you shut it down and now its peers are
> > trying to access your machine.
> >
> > For more info go to http://isc.incidents.org/analysis.html?id=169 and
> > http://isc.incidents.org/analysis.html?id=167
> >
> > Best,
> > --
> > Anton A. Chuvakin, Ph.D., GCIA
> > http://www.chuvakin.org
> > http://www.info-secure.org
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service. For
> > more information on this free incident handling, management and
> > tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 19:47:35 PDT