Subject: Re: DDoS Attacks....
From: J. Oquendo (intrusion ENGINEER.COM)
Date: Tue Nov 14 2000 - 00:50:16 CST
Here's a quickie doc for admins/etc under the gun which I thought might come in handy. It's not a read-me or FAQ, just a slew of commands and configs for all types of routers/firewalls to either slow down or stop Denial of Service attacks.
www.antioffline.com/stoppingdos.html
------Original Message------
From: James Kelty <james TUNA.ORG>
To: INCIDENTS SECURITYFOCUS.COM
Sent: November 13, 2000 11:12:40 PM GMT
Subject: DDoS Attacks....
Hello,
I seem to be under a DDoS Attack at the moment. I received these logs from my firewall
<SNIP>
488. 2000-11-13 14:49:24 ATTACK ALARM: ICMP Flood from 207.100.65.30 to 209.10.46.156 prot 1 (untrust)
489. 2000-11-13 14:49:24 ATTACK ALARM: ICMP Flood from 206.222.103.134 to 209.10.46.156 prot 1 (untrust)
490. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 149.39.250.1 to 209.10.46.156 prot 1 (untrust)
491. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 134.174.9.41 to 209.10.46.156 prot 1 (untrust)
492. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 198.59.162.254 to 209.10.46.156 prot 1 (untrust)
493. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 209.11.133.190 to 209.10.46.156 prot 1 (untrust)
494. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 4.24.80.18 to 209.10.46.156 prot 1 (untrust)
495. 2000-11-13 14:49:22 ATTACK ALARM: ICMP Flood from 204.89.131.10 to 209.10.46.156 prot 1 (untrust)
496. 2000-11-13 14:49:22 ATTACK ALARM: ICMP Flood from 209.11.133.189 to 209.10.46.156 prot 1 (untrust)
<SNIP>
It seems that there are several IPs that these are coming from, all at once (hence the DDoS). The thing is that the firewall that they are hitting is just a NAT firewall for outbound traffic via SMTP, and NO incoming traffic should go that way. It is not really hurting me at the moment, but when someone figures out what they are doing, this could be bad.
Any advice? Other than making sure that all my firewalls do not allow ICMP traffic (Done!).
Thanks!
-James
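
An added example, not part of the original thread or either poster's code: a Python parser for the alarm format in the quoted firewall log that tallies distinct sources and /16 networks per target, the check behind the "several IPs, all at once" observation. The regular expression is inferred from the lines shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Six of the alarm lines posted above, with the e-mail line wrapping rejoined.
SAMPLE_LOG = """\
<SNIP>
488. 2000-11-13 14:49:24 ATTACK ALARM: ICMP Flood from 207.100.65.30 to 209.10.46.156 prot 1 (untrust)
490. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 149.39.250.1 to 209.10.46.156 prot 1 (untrust)
493. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 209.11.133.190 to 209.10.46.156 prot 1 (untrust)
494. 2000-11-13 14:49:23 ATTACK ALARM: ICMP Flood from 4.24.80.18 to 209.10.46.156 prot 1 (untrust)
495. 2000-11-13 14:49:22 ATTACK ALARM: ICMP Flood from 204.89.131.10 to 209.10.46.156 prot 1 (untrust)
496. 2000-11-13 14:49:22 ATTACK ALARM: ICMP Flood from 209.11.133.189 to 209.10.46.156 prot 1 (untrust)
"""

# Format assumed from the posted lines: timestamp, alarm kind, source, target, protocol, zone.
ALARM_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ATTACK ALARM: (?P<kind>.+?) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) "
    r"prot (?P<prot>\d+) \((?P<zone>\w+)\)"
)

def parse_alarms(text):
    """Return one dict per alarm line; non-matching lines (e.g. <SNIP>) are skipped."""
    matches = (ALARM_RE.search(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(alarms):
    """Per (target, alarm kind): alarm count, distinct sources, distinct /16s, time span."""
    groups = defaultdict(list)
    for a in alarms:
        groups[(a["dst"], a["kind"])].append(a)
    report = {}
    for key, items in groups.items():
        sources = {a["src"] for a in items}
        stamps = sorted(a["ts"] for a in items)  # ISO-style stamps sort correctly as text
        report[key] = {
            "alarms": len(items),
            "sources": len(sources),
            "slash16": len({tuple(s.split(".")[:2]) for s in sources}),
            "first": stamps[0],
            "last": stamps[-1],
        }
    return report

if __name__ == "__main__":
    for (dst, kind), r in summarize(parse_alarms(SAMPLE_LOG)).items():
        print(f"{kind} -> {dst}: {r['alarms']} alarms from {r['sources']} sources "
              f"in {r['slash16']} /16s, {r['first']} to {r['last']}")
```

Source addresses in a flood can be spoofed, so these counts describe the traffic the firewall logged, not necessarily where it originated.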