RE: DDoS Attack

From: Whiteside, Larry [contractor] (BAE14at_private)
Date: Thu May 22 2003 - 12:49:39 PDT

Next message: Gary Flynn: "Re: A question for the list..."

Previous message: Sebastian Jaenicke: "Re: ICMP/SYN Flood"
Maybe in reply to: Steven Shepherd: "DDoS Attack"
Next in thread: Jonathan A. Zdziarski: "RE: DDoS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Looks like they are trying to exploit one of the many buffer overflow vulns in apache. You should ensure your version is current and fully patched. Then go in and look at all the areas that you accept input and ensure the variables are at their lowest acceptable level. These are the basic things that's should be done.

L
***************************
Larry Whiteside Jr.
Sr. Security Engineer

-----Original Message-----
From: Steven Shepherd [mailto:stevenat_private]
Sent: Thursday, May 22, 2003 1:13 PM
To: incidentsat_private
Subject: DDoS Attack


Our parent company is experiencing a very odd/severe DDoS attack coming 
from all over the place.  For the most part, the attack is occuring at 
the Apache level.  Log files show this request:

[Tue May 20 09:13:33 2003] [error] [client 194.xxx.xxx.xxx] request
failed: erroneous characters after protocol string: -nb GET
!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb 
GET 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@-nb 
GET 
!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!^&!*&!%&!%!@#%!^@)&!-nb 
GET +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + 
+ATH0+ + +ATH0+ + +ATH0+ + +\x01TH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ 
+ +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ + +ATH0+ 
+ +ATH0+

Scans of some of the attacking IP's show BackOrifice installations.

Has anyone had this sort of attack and what would be the best way to 
combat it?  Not much luck from the upstream(s) thus far.



----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies 
that are enforced to protect WLANs from known vulnerabilities and threats. 
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:    
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------

Next message: Gary Flynn: "Re: A question for the list..."
Previous message: Sebastian Jaenicke: "Re: ICMP/SYN Flood"
Maybe in reply to: Steven Shepherd: "DDoS Attack"
Next in thread: Jonathan A. Zdziarski: "RE: DDoS Attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 23 2003 - 10:24:05 PDT