Subject: Re: possible side effects from wide spread DOS attacks??
From: Russell Fulton (r.fultonAUCKLAND.AC.NZ)
Date: Mon Mar 20 2000 - 16:08:21 CST


On Sun, 19 Mar 2000 11:19:03 +1300 Russell Fulton
<r.fultonauckland.ac.nz> wrote:

> Hi,
> Starting on Thursday 16th at around 1900 (UTC) and continuing now we
> have seen traffic like that logged below coming from at least 20
> different sites. The traffic has been logged by argus, which is not too
> precise at logging tcp traffic that is not part of a 'properly set up'
> tcp stream. I think that this log represents a stream of incoming FIN
> packets (our network is 130.216/16); although argus is logging them as
> FIN+RST, the packet count only shows one packet in most cases. Most of
> the addresses are either unused or turned off. When I get in to work
> tomorrow I will rig an alarm to detect an incident in progress and get
> a tcpdump trace of the packets.
>

These are in fact packets with just RST (and ACK) set, not FIN. The
start time is not significant since that is when I put up a new version
of the argus server (I should have realised that might have something
to do with it, sigh...) which changed the way lone RSTs were reported.

There are so many 'detached' RSTs floating around for semi-legitimate
reasons that my scripts normally ignore them, so I had not noticed these
before.

In most cases this is the only traffic we are seeing from these
addresses, just a stream of RSTs to apparently random addresses in our
net.

Cheers, Russell.
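The pattern the post describes, a source whose only inbound traffic is lone RST (or RST+ACK) packets spread across many unrelated addresses in the local /16, is easy to pick out of a packet trace once the ordinary 'detached' RSTs are separated from it. Below is an added example of such an alarm; it is not code from the original post, and it is not argus. It reads constructed tcpdump-style lines (the line layout, the external addresses, the 130.216.0.0/16 prefix taken from the post, and the alert threshold of five distinct targets are all assumptions), tallies per external source how many distinct local addresses received lone RSTs and how many non-RST packets that source sent, and flags only sources that sent nothing but RSTs to at least the threshold number of targets. A host that completed a handshake and then reset the connection, or a host that sent a single stray RST, is left alone.

```python
"""Flag external hosts whose only inbound traffic is lone RSTs to many
local addresses.  Added example; not from the original post or argus."""
import ipaddress
import re
from collections import defaultdict

# Assumed tcpdump-style layout (constructed for this example):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

LOCAL_NET = ipaddress.ip_network("130.216.0.0/16")  # the poster's 130.216/16
MIN_DISTINCT_TARGETS = 5  # assumed alert threshold; tune for your link

# Constructed sample: 192.0.2.10 sprays RSTs across our net, 198.51.100.7 does a
# real handshake then resets, 203.0.113.4 sends one stray RST.
SAMPLE_LOG = """\
19:00:01.100000 IP 192.0.2.10.80 > 130.216.4.17.1045: Flags [R.], seq 0, ack 1, win 0, length 0
19:00:01.400000 IP 192.0.2.10.80 > 130.216.200.3.2211: Flags [R.], seq 0, ack 1, win 0, length 0
19:00:02.000000 IP 192.0.2.10.80 > 130.216.9.250.3377: Flags [R], seq 0, win 0, length 0
19:00:02.700000 IP 192.0.2.10.80 > 130.216.77.1.1080: Flags [R.], seq 0, ack 1, win 0, length 0
19:00:03.300000 IP 192.0.2.10.80 > 130.216.31.66.4021: Flags [R.], seq 0, ack 1, win 0, length 0
19:00:03.900000 IP 192.0.2.10.80 > 130.216.150.9.1812: Flags [R.], seq 0, ack 1, win 0, length 0
19:00:05.000000 IP 198.51.100.7.51234 > 130.216.12.5.80: Flags [S], seq 100, win 8192, length 0
19:00:05.010000 IP 130.216.12.5.80 > 198.51.100.7.51234: Flags [S.], seq 500, ack 101, win 8192, length 0
19:00:05.020000 IP 198.51.100.7.51234 > 130.216.12.5.80: Flags [.], ack 501, win 8192, length 0
19:00:05.500000 IP 198.51.100.7.51234 > 130.216.12.5.80: Flags [R.], seq 101, ack 501, win 0, length 0
19:00:06.000000 IP 203.0.113.4.25 > 130.216.12.5.3400: Flags [R.], seq 0, ack 1, win 0, length 0
"""


def parse_line(line):
    """Return (src, dst, flags) for a line in the assumed layout, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("flags")


def is_lone_rst(flags):
    """RST with or without ACK and nothing else; tcpdump shows these as 'R' or 'R.'."""
    return "R" in flags and not any(f in flags for f in "SFPU")


def summarize_inbound(text):
    """Per external source: distinct local targets hit by lone RSTs, plus a count of
    any other packets it sent into the local net."""
    stats = defaultdict(lambda: {"rst_targets": set(), "other": 0})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        if ipaddress.ip_address(dst) not in LOCAL_NET:
            continue  # only traffic coming into our net matters here
        if is_lone_rst(flags):
            stats[src]["rst_targets"].add(dst)
        else:
            stats[src]["other"] += 1
    return stats


def detached_rst_sources(text, threshold=MIN_DISTINCT_TARGETS):
    """Sources whose only inbound traffic is lone RSTs to >= threshold distinct
    local addresses, as a sorted list of (source, number_of_targets)."""
    hits = []
    for src, s in summarize_inbound(text).items():
        if s["other"] == 0 and len(s["rst_targets"]) >= threshold:
            hits.append((src, len(s["rst_targets"])))
    return sorted(hits)


if __name__ == "__main__":
    for src, n in detached_rst_sources(SAMPLE_LOG):
        print(f"ALERT {src}: lone RSTs to {n} distinct local addresses, no other traffic")
```

Feed it `tcpdump -nn 'tcp[tcpflags] & tcp-rst != 0'` output over a time window rather than the whole day: the distinct-target count is what separates this from ordinary stray RSTs, and it only means something if the window is short enough that a single source would not legitimately talk to that many hosts.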