RE: My First Denial of Service Attack..... (fwd)
---------- Forwarded message ---------- Date: Sun, 6 Oct 1996 11:40:25 -0400 From: Dave Van Allen <dave@fast.net> Reply-To: inet-access@earth.com To: "'inet-access@earth.com'" <inet-access@earth.com> Subject: RE: My First Denial of Service Attack..... Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT) Resent-From: inet-access@earth.com FYI, (if it has already been mentioned, please excuse the double post, but:) The latest version of the SYN attack code published in Phrack (last weeks edition, NOT last months) has an imbedded 'ping' ever several hundred SYN packets. If you get attacked, run snoop, tcpdump or anything that captures packets, and look for the pings - they have the real source address of the sender of the SYN flood attack. Please note, obviously the code can be modified to NOT ping, but our attacker last night did not do that, and we had the name of the user, their ISP, and other info in less than 15 minutes. Best regards, - Dave Van Allen - You Tools Corporation/FASTNET(tm) dave@fast.net (610)954-5910 http://www.fast.net FASTNET - PA/NJ/DE Business Internet Solutions
---------- From: Avi Freedman[SMTP:freedman@netaxs.com] Sent: Saturday, October 05, 1996 7:37 PM To: inet-access@earth.com Subject: Re: My First Denial of Service Attack.....
I have a question about this -
Could place an incoming ping filter denying all on your router, AND turn off small servers on the router? Would this work? Is there a downside to this?
-Elroy ( elroy@mail.kcstar.com )
Not to state the obvious, but if you turn off pings into your network then noone can ping into your network (for diagnostics etc...)
Turning off small-servers on the router only affects things to the router (and not ICMP pings, just presumably udp pings).
Avi
============================== ISP Mailing List ============================== Email ``unsubscribe'' to inet-access-request@earth.com to be removed. Email ``subscribe'' to inet-access-request@earth.com to join the list.
============================== ISP Mailing List ============================== Email ``unsubscribe'' to inet-access-request@earth.com to be removed. Excellent day for putting Slinkies on an escalator.
There are other analyses that can be performed if you have a tcpdump (NOT etherfind) output log of the headers from an attack. It's well worth a few tens of megabytes... CERT and some of the people working on the SYN attacks can help if you have such traces. Avi
Date: Sun, 6 Oct 1996 11:40:25 -0400 From: Dave Van Allen <dave@fast.net> Reply-To: inet-access@earth.com To: "'inet-access@earth.com'" <inet-access@earth.com> Subject: RE: My First Denial of Service Attack..... Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT) Resent-From: inet-access@earth.com
FYI, (if it has already been mentioned, please excuse the double post, but:)
The latest version of the SYN attack code published in Phrack (last weeks edition, NOT last months) has an imbedded 'ping' ever several hundred SYN packets.
If you get attacked, run snoop, tcpdump or anything that captures packets, and look for the pings - they have the real source address of the sender of the SYN flood attack.
Please note, obviously the code can be modified to NOT ping, but our attacker last night did not do that, and we had the name of the user, their ISP, and other info in less than 15 minutes.
Best regards, - Dave Van Allen - You Tools Corporation/FASTNET(tm) dave@fast.net (610)954-5910 http://www.fast.net FASTNET - PA/NJ/DE Business Internet Solutions
participants (2)
-
Avi Freedman
-
Michael Dillon