There are other analyses that can be performed if you have a tcpdump (NOT etherfind) output log of the headers from an attack. It's well worth a few tens of megabytes... CERT and some of the people working on the SYN attacks can help if you have such traces. Avi
Date: Sun, 6 Oct 1996 11:40:25 -0400 From: Dave Van Allen <dave@fast.net> Reply-To: inet-access@earth.com To: "'inet-access@earth.com'" <inet-access@earth.com> Subject: RE: My First Denial of Service Attack..... Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT) Resent-From: inet-access@earth.com
FYI, (if it has already been mentioned, please excuse the double post, but:)
The latest version of the SYN attack code published in Phrack (last weeks edition, NOT last months) has an imbedded 'ping' ever several hundred SYN packets.
If you get attacked, run snoop, tcpdump or anything that captures packets, and look for the pings - they have the real source address of the sender of the SYN flood attack.
Please note, obviously the code can be modified to NOT ping, but our attacker last night did not do that, and we had the name of the user, their ISP, and other info in less than 15 minutes.
Best regards, - Dave Van Allen - You Tools Corporation/FASTNET(tm) dave@fast.net (610)954-5910 http://www.fast.net FASTNET - PA/NJ/DE Business Internet Solutions