Hi Hulio,
Thanks for your response and help both on and off list. I have been able
to link the DDoS packet to MSDN. Apparently it is backscatter from some
sort of p2p worm/hydra. Backscatter happens when kiddies on mIRC want
to take over channels and they send the packets with a spoofed IP using some
tools like those on www.rootshell.com or underground.org.
At the moment the DDoS only affects Windows/MSDN on Intel; the Solaris MSDN/SQL
server isn't affected, but apparently a port is in the works by some guys
from #sage-au (./hack channel) on oz.org. I got some packets in the IDS for
the SPARCs here last night, but Sun says they won't have a patch until
they fix some bugs.
I believe you can detect the attack with tcpdump or snoop, but you have
to be careful because the tpm/sage-au guys have a thing to make it crash and
open other ports, which could further open you to DDoS attacks of this nature.
Thanks Again.
Alvin.
Senior Network/Security Engineer.
:: D i V E R S E - I N T E R N E T ::
"Diverse - The future is now"
Hulio Cortez ruxed some lyrix like:
>
> Hello there Alvin,
> Do you know if these packets will affect other operating systems than Microsoft?
> Is this only if MSDN is installed?
> If the DDoS network is being constructed in this fashion then there could be
> problems with lots of non-patched other systems and also Microsoft. It is very
> subtle and hard to detect without closely monitoring your intrusion logs.
> Thank you for talking to your friend in NIPC as he must be very busy at this
> time!!! I am sure other readers appreciate this too.
>
> Hulio Cortez
> CCNA
--
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
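Alvin says the traffic can be detected with tcpdump or snoop but gives no filter. The script below is an added example, not code from the post or the list, showing the stateful check that distinguishes backscatter from normal replies: a flooded victim answers spoofed SYNs with SYN/ACK or RST, so a site whose addresses were spoofed sees reply segments for connections it never opened. It assumes tcpdump's default one-line IPv4/TCP output, a constructed sample capture embedded inline, and 192.0.2.0/24 as the hypothetical local network; all addresses are documentation ranges, none are from the post.

```python
"""Flag TCP backscatter in tcpdump-style output (added example).

A flooded victim replies to spoofed SYNs with SYN/ACK or RST.  If one of the
spoofed addresses is ours, we see replies to connections we never opened.
The detector tracks the SYNs our hosts sent and flags inbound SYN/ACK or RST
segments that match no outbound SYN on the mirrored 4-tuple.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Matches the one-line IPv4/TCP summary tcpdump prints by default, e.g.
# "12:00:00.1 IP 192.0.2.10.40000 > 198.51.100.1.80: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (assumption, not data from the post).
# 192.0.2.0/24 is "our" network; 198.51.100.x and 203.0.113.x are remote.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.0.2.10.40000 > 198.51.100.1.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000200 IP 198.51.100.1.80 > 192.0.2.10.40000: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:00.000300 IP 203.0.113.5.80 > 192.0.2.10.51234: Flags [S.], seq 7, ack 1, win 8192, length 0
12:00:00.000400 IP 203.0.113.9.443 > 192.0.2.77.1024: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:00.000500 IP 203.0.113.20.5555 > 192.0.2.10.22: Flags [S], seq 3, win 1024, length 0
12:00:00.000600 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the TCP fields of one tcpdump line, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def find_backscatter(capture: str, local_net: str) -> List[dict]:
    """Return inbound SYN/ACK and RST segments that answer no SYN we sent."""
    net = ipaddress.ip_network(local_net)
    outbound_syns = set()  # (local_ip, local_port, remote_ip, remote_port)
    hits: List[dict] = []
    for line in capture.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        src_local = ipaddress.ip_address(p["src"]) in net
        dst_local = ipaddress.ip_address(p["dst"]) in net
        if src_local and p["flags"] == "S":
            # A connection attempt we made; remember its 4-tuple.
            outbound_syns.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif dst_local and not src_local and p["flags"] in ("S.", "R", "R."):
            # Reply-type segment from outside: legitimate only if it mirrors
            # a SYN we sent.  Plain inbound SYNs are scans, not backscatter.
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key not in outbound_syns:
                hits.append(p)
    return hits


def victims(hits: List[dict]) -> Dict[str, int]:
    """Count backscatter segments per source; each source is a likely flood victim."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    bs = find_backscatter(SAMPLE_CAPTURE, "192.0.2.0/24")
    for h in bs:
        print(f"{h['ts']} backscatter from {h['src']}:{h['sport']} flags [{h['flags']}]")
    print("likely victims:", victims(bs))
```

On the sample capture the SYN/ACK from 198.51.100.1 is accepted because a matching outbound SYN was seen, the SYN/ACK from 203.0.113.5 and the RST from 203.0.113.9 are flagged, and the inbound SYN from 203.0.113.20 is ignored. Feed it real output from `tcpdump -n -l tcp` and keep the capture point where it sees both directions of traffic, or every legitimate reply looks like backscatter.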