
List:       incidents
Subject:    Re: Smurf Broadcast DoS attack
From:       Avleen Vig <incidenthandling () ivision ! co ! uk>
Date:       2001-08-24 14:46:06

Please have a look at:
    http://www.ircnetops.org/smurf
It's the home page of the SAFE project which I run. Can you see if any
of the IP addresses that attacked you are in the database?
If they are I will jump on the admins. They've been told at least twice
that most of them are running open amplifiers.


Thanks,
Avleen Vig

On Thu, Aug 23, 2001 at 12:35:14PM +0200, X wrote:
> 
> Hello,
> 
> Yesterday, one of the servers I administer was attacked by a massive
> broadcast of ICMPs. The typical 'smurf' attack.
> 
> I am working on discovering who did it:
> 
> During the attack, I loaded tcpdump and redirected its output to a
> logfile to study and analyze it later. 
> 
> Once I had the log in my hands, I took the Perl interpreter and wrote several
> scripts to search for some evidence, like ICMPs made from the attacker to test
> the ping response or, in other words, to know the sharpness of his/her
> attack.
> 
> All the IPs that sent the ICMP packets were not alone; I mean that they
> were in a series of IPs, that is: class B and C Internet networks -->
> broadcasts. All of them were from other countries. I continued looking for
> some evidence.
> 
> I found a clue when I saw some ICMP echoes to the victim's IP coming from
> a national ISP. That is a subscriber IP from that ISP, perhaps the
> attacker.
> 
> I think that way because if I were the attacker, I would make some pings
> to the victim to see if he is knocked out. Perhaps the attacker didn't
> think that I was logging, or that I would be unable to find his IP.
> 
> I have to tell you that the attacked server does not have any service; it is not
> known by anyone. I use it to develop and test software. It is an old
> SGI Indigo 2. So it does not have any traffic to/from outside my network. That
> brings me to suspect that this national-ISP IP was the attacker.
> 
> I attach to this mail the list of IPs, some of them resolved, that sent
> the broadcast ICMPs.
> I contacted my frame-relay provider and sent them the details of the
> attack.
> I also contacted the suspect ISP and told them that IP and the hour it
> happened.
> 
> This mail could open a discussion about Internet insecurity, how to
> avoid these attacks, possible solutions, possible ways to analyze the
> results.
> 
> Nothing more,
> 
> luck!
> 
> 
> -- 
> 
> Xavi Torres <admin@area66.com>
> Systems administration
> Krypton Networks S.L.
> http://www.kryptonetworks.com/
> http://www.area66.com/
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
> 

-- 

Avleen Vig, Systems Administrator                
Email: avleen@ivision.co.uk               Mobile: (07974) 100 573

Internet Vision                                Tel: 020 7589 4500
60 Albert Court                                Fax: 020 7589 4522
Prince Consort Road                            info@ivision.co.uk
London. SW7 2BE                         http://www.ivision.co.uk/

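The log analysis the original poster describes (sorting reflected ICMP traffic by network, then looking for a lone host that pinged the victim) can be reproduced in a few lines. This is an added example, not the poster's Perl scripts: it parses constructed `tcpdump -n` style lines (modern line layout), groups echo replies by /24 to find amplifier networks, and lists echo-request senders outside those networks as probe candidates. The victim address and all IPs are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump -n output, not the original poster's log.
# 198.51.100.10 plays the victim; two /24s act as amplifiers (echo replies
# reflected off a broadcast address), and one host sends echo *requests*,
# the "did my attack work?" probe the post describes.
SAMPLE_LOG = """\
12:35:14.100001 IP 203.0.113.1 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100042 IP 203.0.113.2 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100090 IP 203.0.113.3 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100133 IP 203.0.113.4 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100201 IP 192.0.2.10 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100240 IP 192.0.2.11 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:14.100277 IP 192.0.2.12 > 198.51.100.10: ICMP echo reply, id 7, seq 1, length 64
12:35:20.000000 IP 198.51.100.77 > 198.51.100.10: ICMP echo request, id 9, seq 1, length 64
12:35:20.000500 IP 198.51.100.10 > 198.51.100.77: ICMP echo reply, id 9, seq 1, length 64
"""

# Assumed line layout: "<ts> IP <src> > <dst>: ICMP echo request|reply, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

def analyze(log_text, victim, min_hosts=3):
    """Return (amplifier_nets, probe_sources).

    amplifier_nets maps a /24 to the number of distinct hosts in it that sent
    echo *replies* to the victim (at least min_hosts of them); probe_sources
    lists hosts that sent echo *requests* to the victim from outside those /24s.
    """
    reply_hosts = defaultdict(set)
    request_sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] != victim:
            continue  # not an ICMP echo line, or not aimed at the victim
        src = ipaddress.ip_address(m["src"])
        net = str(ipaddress.ip_network(f"{src}/24", strict=False))
        if m["kind"] == "reply":
            reply_hosts[net].add(src)
        else:
            request_sources.add(src)
    amplifier_nets = {n: len(h) for n, h in reply_hosts.items() if len(h) >= min_hosts}
    probes = sorted(str(s) for s in request_sources
                    if str(ipaddress.ip_network(f"{s}/24", strict=False)) not in amplifier_nets)
    return amplifier_nets, probes
```

Run against a real capture, the amplifier list is what you would hand to the SAFE project and the network admins, and the probe list is the lead the poster found from the national ISP.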

