To update folks who have asked (too many to reply to directly, with any ease; my apologies if anyone is annoyed by this method): The box has not *yet* been scorched, it turns out; I've asked them to keep it until the research can be finished. Given the past record, and the fact that this server is somewhat important, I seriously doubt that they're going to be willing to just hand it over to the Feds - any more than any of you want to hand over your laptops. Errata: the machine was not actually on a 2xT1, as it had been moved since I was last aware of it's location; it was, during the attack, behind a 512k ADSL line, I have been told. I have a copy of what has been dug out of the box so far, which is the actual packet-generating tool, a binary called "imp"; for those about to ask me for the code, don't bother - because it's fairly generic, and I *think* it has been circulating for a good while; either way, it's nothing to write home about. All it's doing is sending a flood of SYN, ACK, FIN, or RST packets (which, I'm still trying to determine, although it appears likely to have been SYN; we're trying to dig out the actual trigger code, still). A reminder: this is not *proven* to have partcipated in the attacks that have been going on, per se, since we don't have enough information to know just what the attacks look like. -- *************************************************************************** Joel Baker System Administrator - lightbearer.com lucifer@lightbearer.com http://www.lightbearer.com/~lucifer KF6WAY (Tech) - 146.475 MHz (FM/Phone)
participants (1)
-
lucifer@lightbearer.com