Re: Packet from port 80 with spoofed microsoft.com ip

From: zmajd fully (istoleyourmonkeysat_private)
Date: Mon Feb 03 2003 - 15:27:59 PST


    Hi Hulio,
    Thanks for your response and help both on and off list. I have been able
    to link the DDoS packet to MSDN. Apparently it is back scatter from some
    sort of p2p worm/hydra. Back scatter happens when kiddiez on the mIRC want
    2 take over channels and they send the packets with the spoofed IP using some
    toolz like on www.rootshell.com or underground.org.
    
    At the moment the DDoS only affects windows/MSDN on intel, the solaris MSDN/sql
    server isn't affected, but apparently a port is in the workz by some guys
    from #sage-au (./hack chanl) on oz.org. I got some packets in the IDS for
    the sparcs here last night, but SUN says they won't have a patch yet till
    they fix some bugs.
    
    I believe you can detect the attack with tcpdump or snoop, but u have
    2 be careful cos the tpm/sage-au guys have a thing 2 make it crash and
    open other ports which could further open u 2 DDoS attacks of this nature.
    
    Thanks Again.
    
    Alvin.
    Senior Network/Security Engineer.
    :: D i V E R S E - I N T E R N E T ::
       "Diverse - The future is now"
    
    Hulio Cortez ruxed some lyrix like:
    >
    > Hello there Alvin,
    > Do you know if these packets will affect other operating systems than Microsoft?
    > Is this only if MSDN is installed?
    > If the DDOS network is being constructed in this fashion then there could be problems
    > with lots of non patched other systems and also Microsoft. It is very subtle and hard
    > to detect without closely monitoring your intrusion logs.
    > Thank you for talking to your friend in NIPC as he must be very busy at this time!!!
    > I am sure other readers appreciate this too.
    >
    > Hulio Cortez
    > CCNA
    
    -- 
    __________________________________________________________
    Sign-up for your own FREE Personalized E-mail at Mail.com
    http://www.mail.com/?sr=signup
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 10:42:12 PST