On Wed, May 01, 2002 at 11:29:46PM -0600, Pete Kruckenberg wrote:
> We do have a fairly aggressive security group that identifies compromised machines and assists customers in properly securing them. We can be fairly certain that the way these hosts are responding to this DoS attack is not as a result of being compromised, but a "normal" IP stack implementation.
Please please please please please tell me you are doing ingress filtering so the compromised boxes you host aren't spewing totally random source addresses on the internet.

Not that it matters though, it's still pretty difficult to find the box in question. DDoS programs have been "auto-probing" for the best src address method to use for some time now (almost since their birth). For example, say a box is compromised on a network which does ingress filtering. The packet program detects this, and instead of randomizing the IP with every packet, it picks a single random IP by spoofing the last octet. In the interesting environments (like a college dorm network) this gets past most people's ingress filters, since they're usually not exactly providing layer 3 all the way to the student.

So when you send in a DoS complaint about 1.2.3.182, the campus computer nerd looks it up, and goes to knock on that person's door. Little do they know that the actual compromised machine is 1.2.3.97 spoofing it. You ever tried explaining this to the campus nerd? Not pretty!

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
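The two filter granularities the reply contrasts, worked through as an added example that is not part of the original thread. It models a prefix-level ingress filter (which drops fully random sources but passes a spoofed last octet inside the legitimate /24) next to a per-port source binding of the kind a DHCP-snooping table would provide, and shows how the binding table lets an operator locate the port that actually emitted the spoofed source. The /24, the host addresses and the port names are constructed for the example; the binding-table shape is an assumption, not any specific vendor's feature.

```python
"""Prefix-level ingress filtering vs. per-port source binding, against the
two spoofing styles described in the post: fully random sources and a spoofed
last octet inside the edge's own /24. All data below is constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: the dorm network's prefix, taken from the post's 1.2.3.x example.
EDGE_PREFIX = ipaddress.ip_network("1.2.3.0/24")

# Constructed, assumed binding table (what DHCP snooping / IP source guard would
# build): which source address is legitimately attached to each access port.
PORT_BINDINGS = {
    "port-12": "1.2.3.97",   # the actually compromised host
    "port-40": "1.2.3.182",  # the innocent host named in the complaint
}


@dataclass(frozen=True)
class Packet:
    """The two fields the edge can see: where the packet came in, what it claims."""
    ingress_port: str
    src: str


def prefix_filter(pkt: Packet) -> bool:
    """BCP38-style filter at the campus border: pass only sources inside the
    prefix this edge is allowed to originate. Random sources fail here; a
    spoofed last octet inside the prefix passes."""
    return ipaddress.ip_address(pkt.src) in EDGE_PREFIX


def per_port_filter(pkt: Packet) -> bool:
    """Per-port binding check: the source must be the address bound to the
    ingress port. Catches intra-prefix spoofing that the prefix filter misses."""
    return PORT_BINDINGS.get(pkt.ingress_port) == pkt.src


def locate_spoofer(packets: list[Packet], claimed_src: str) -> list[str]:
    """Given traffic seen at the edge and the source address named in an abuse
    complaint, return the ports that emitted that source without being bound
    to it: the machines to actually knock on, rather than the one named."""
    ports = {
        p.ingress_port
        for p in packets
        if p.src == claimed_src and PORT_BINDINGS.get(p.ingress_port) != claimed_src
    }
    return sorted(ports)


if __name__ == "__main__":
    # Constructed sample traffic: a random-source packet, the spoofed-last-octet
    # packet from the compromised host, and a legitimate packet from the victim.
    traffic = [
        Packet("port-12", "203.0.113.7"),
        Packet("port-12", "1.2.3.182"),
        Packet("port-40", "1.2.3.182"),
    ]
    for pkt in traffic:
        print(pkt, "prefix:", prefix_filter(pkt), "per-port:", per_port_filter(pkt))
    print("ports spoofing 1.2.3.182:", locate_spoofer(traffic, "1.2.3.182"))
```

The point the post makes falls out directly: `prefix_filter` is enough to stop random-source floods but accepts the spoofed `1.2.3.182` from `port-12`, and only a per-port binding (or the same table consulted after the fact via `locate_spoofer`) identifies `port-12` as the real origin.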