Hi,

we are currently experiencing a huge (200Mbit/s) DDoS:
tcpdump shows:

01:45:39.146537 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef NoChange*|% [17736q][|domain] (DF)
01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17729q][|domain] (DF)
01:45:39.146838 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef NoChange*|% [17736q][|domain] (DF)
01:45:39.146944 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.147141 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17729q][|domain] (DF)
01:45:39.147248 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 > XXX.domain: 65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400) (DF)
01:45:39.147668 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17732q][|domain]
01:45:39.149412 81.2.130.160.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17738q][|domain] (DF)
01:45:39.149498 64.237.43.194.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17726q][|domain] (DF)
01:45:39.149584 64.237.43.194.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17726q][|domain] (DF)

I've never seen these characteristics on any DoS, all the attacking IPs appear to be running halflife/counterstrike gameservers.
As far as I could get out using hlsw (www.hlsw.com) all servers are running the same, newest available, version of halflife/counterstrike.

--
Regards,
Jonas Frey

----------------------------------------------------------------
Probe Networks Jonas Frey
e-Mail: jf@probe-networks.de
Provinzialstr. 104
D-66740 Saarlouis
Tel: +(49) (0) 180 5959723
Fax: +(49) (0) 180 5998480
Internet: www.probe-networks.de
Hotline: 0800 1656531
----------------------------------------------------------------
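Added example, not part of the original post: a Python triage script that tallies tcpdump lines like those in the message by source host and source port, and counts packets whose decoded DNS question count is implausible for a real query. The port range 27015-27030 and the question-count threshold are assumptions chosen from the values visible in the capture.

```python
import re
from collections import Counter

# Lines taken from the tcpdump output in the post above.
SAMPLE = """\
01:45:39.146537 216.177.55.145.27017 > XXX.domain: 65535 zoneRef NoChange*|% [17737q][|domain]
01:45:39.146642 server23.cs-arena.de.27030 > XXX.domain: 65535 zoneRef NoChange*|% [17736q][|domain] (DF)
01:45:39.146736 hctc-206-195.hctc.com.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17729q][|domain] (DF)
01:45:39.147560 disciple.wishes.he.was.staff.of.ugradio.org.27015 > XXX.domain: 65279 zoneRef NoChange*|% [42514q] 3584/767/65535 (1400) (DF)
01:45:39.147764 bmf.fukt.bth.se.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17732q][|domain]
01:45:39.149412 81.2.130.160.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17738q][|domain] (DF)
01:45:39.149498 64.237.43.194.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17726q][|domain] (DF)
01:45:39.149584 64.237.43.194.27015 > XXX.domain: 65535 zoneRef NoChange*|% [17726q][|domain] (DF)
"""

# "<time> <src>.<sport> > <dst>.<dport>: <decoded payload>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<rest>.*)$")
QDCOUNT_RE = re.compile(r"\[(\d+)q\]")  # tcpdump prints [Nq] when the question count is not 1
GAME_PORTS = range(27015, 27031)        # assumption: covers the source ports seen in the post

def parse_line(line):
    """Return source, ports and decoded DNS question count, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = QDCOUNT_RE.search(m["rest"])
    return {"src": m["src"], "sport": int(m["sport"]), "dport": m["dport"],
            "qdcount": int(q.group(1)) if q else 1}

def summarize(text, max_questions=4):
    """Tally traffic to the DNS port and count packets that do not look like DNS."""
    by_src, by_sport = Counter(), Counter()
    total = bogus = game = 0
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] not in ("domain", "53"):
            continue
        total += 1
        by_src[pkt["src"]] += 1
        by_sport[pkt["sport"]] += 1
        bogus += pkt["qdcount"] > max_questions  # thousands of "questions": payload is not DNS
        game += pkt["sport"] in GAME_PORTS
    return {"total": total, "bogus_dns": bogus, "game_port": game,
            "by_src": by_src, "by_sport": by_sport}

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s["total"], "packets;", s["bogus_dns"], "not plausible DNS;", s["by_src"].most_common(3))
```
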
This archive was generated by hypermail 2b30 : Mon Jul 07 2003 - 12:53:56 PDT