On Wed, 9 Feb 2000, Rodney Caston wrote:
I spoke with a person that claimed to understand the attacks that are going on, while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."
Do a search of the Bugtraq archives for trinoo, tribe, etc, or take at look at Dave Dittrich's page at http://www.washington.edu/People/dad/. He posted detailed breakdowns of the discovered DDoS daemons in December for the CERT workshop on DDoS's from last year. Verbose information on these attacks has been available since November/December of 1999.
Basically it began by combining many scripts already in use for scanning system security holes, the script initially scans a range of IPs scanning each target system for various known exploits, once a system is
One final note, a friend from Verio suggested that in the above scenario that this daemon would probaly be using TCP to be communicated with as UDP is more difficult for alot of people to code.
Some are using ICMP, and UDP is not that hard to code, especially if the programs are just combinations of scripts that have already been written.
Rodney L. Caston Southwestern Bell Internet Services
On a totally unrelated note, you guys really should start participating in the local peering points. Your connectivity in large metro areas like Houston, TX would greatly benefit from it. MAGIE and Compaq/Insync NAP connections would make a lot of SBC DSL users very happy, since a lot of their traffic is local content. -- Joseph W. Shaw - jshaw@insync.net Computer Security Consultant and Programmer Free UNIX advocate - "I hack, therefore I am."