
On Wed, 09 February 2000, Rodney Caston wrote:
> I spoke with a person that claimed to understand the attacks that are going on, while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."

Has anyone else noticed the dearth of technical information about these attacks? Although some of the largest web sites, and networks have been hit, I still haven't read a confirmed description of exactly what is happening.

It's been three days. After the Morris Worm, by this point in time I had seen several technical descriptions and even portions of decompiled code. And I was just an interested Internet user in those days.

In this case I still haven't seen confirmation if it was trino, tfn, something new, or what. Or even confirmation if it was a series of HTTP GETs or random packets, or some interesting corruption of a packet. Or if confirmation the attacks are coming from the same set of hosts or different ones for each attack. If it is the same set of IP addresses, could we RBL (or create a new RBL) them?

Maybe I'm just on the wrong mailing lists.

It's because people are being very closed-mouthed with this, the corps either have no idea what is going on or do not wish to share what they know, and those involved with the attacks have done a good job of keeping silent.

Besides, comparing Morris's worm to what is going on now is hardly fair, the net was a very different place then, and his cpu cycle hog of a program was a lot easier to deal with and detect.

Rodney L. Caston
Southwestern Bell Internet Services

On 9 Feb 2000, Sean Donelan wrote:
> On Wed, 09 February 2000, Rodney Caston wrote:
>> I spoke with a person that claimed to understand the attacks that are going on, while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."
>
> Has anyone else noticed the dearth of technical information about these attacks? Although some of the largest web sites, and networks have been hit, I still haven't read a confirmed description of exactly what is happening.
>
> It's been three days. After the Morris Worm, by this point in time I had seen several technical descriptions and even portions of decompiled code. And I was just an interested Internet user in those days.
>
> In this case I still haven't seen confirmation if it was trino, tfn, something new, or what. Or even confirmation if it was a series of HTTP GETs or random packets, or some interesting corruption of a packet. Or if confirmation the attacks are coming from the same set of hosts or different ones for each attack. If it is the same set of IP addresses, could we RBL (or create a new RBL) them?
>
> Maybe I'm just on the wrong mailing lists.

On 9 Feb 2000, Sean Donelan wrote:
> On Wed, 09 February 2000, Rodney Caston wrote:
>> I spoke with a person that claimed to understand the attacks that are going on, while I have no proof, I offer this as an example of what to look for on your own systems. So I am presenting this only as a possible example of what has taken place, and until proven correct I concede this is only a "rumor."
>
> Has anyone else noticed the dearth of technical information about these attacks? Although some of the largest web sites, and networks have been hit, I still haven't read a confirmed description of exactly what is happening.

None that's authoritative, and the FBI is being tight-lipped as well.

> It's been three days. After the Morris Worm, by this point in time I had seen several technical descriptions and even portions of decompiled code. And I was just an interested Internet user in those days.

Well, these days people are worried about stock prices. Look at the adverse effect these attacks over the last few days have had on the victims' stock prices.

> In this case I still haven't seen confirmation if it was trino, tfn, something new, or what. Or even confirmation if it was a series of HTTP GETs or random packets, or some interesting corruption of a packet. Or if confirmation the attacks are coming from the same set of hosts or different ones for each attack. If it is the same set of IP addresses, could we RBL (or create a new RBL) them?
>
> Maybe I'm just on the wrong mailing lists.
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-01&msg=Pine.GUL.4.20.9912071041410.9470-100000@red7.cac.washington.edu

and

http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-01&msg=Pine.GUL.4.20.9912071044490.9470-100000@red7.cac.washington.edu

--
Joseph W. Shaw - jshaw@insync.net
Computer Security Consultant and Programmer
Free UNIX advocate - "I hack, therefore I am."

participants (3): Joe Shaw, Rodney Caston, Sean Donelan