In-Reply-To: <OFA6BA0106.874F41EB-ON85256D18.005D3E70-85256D18.0061259Bat_private>

Received another of the iis-kabom type attacks. This one was slightly different in that the attacks came very slowly, about 2-4 minutes between attacks -- lasting 3 hours. This time it came from what looks like an Israeli cable provider's pool.

I did not receive all 65 attacks; it appears that some attacks were purposely removed -- like the "GET /adsamples/" requests.

Also different was that the source port numbers were jumping all over the place. Sometimes jumping a few hundred ports between attacks, sometimes the following attack had a lower port number (which I assume means the attacker sent so many packets that the source ports wrapped around).

Therefore, it could be that this attacker targeted so many victims that he performed a DoS on himself, thus the 2-4 minutes between attacks. Otherwise, I don't know why they would slow down the attack -- it's not like a portscan.

I don't need any responses, just letting you all know that this iis-kabom variant appears to be a work in progress.

Thanks,
Mark Embrich
This archive was generated by hypermail 2b30 : Thu May 08 2003 - 16:27:13 PDT