On February 13, 2002 22:58 pm, Dave Dittrich wrote:
[snip]
>
> This attack used a variation of a TCP based reflection attack that is
> not widely known to exist in the wild. Steve's early analysis of the
> attack in included below (Appendix A).
>
> While there may be a new (D)DoS program "in the wild" to implement this
> attack, the risks and methods have been known for two or more years
> and some simple modifications to existing tools, and a good list of
> high-capacity routers, switches, and servers, could affect an attack
> of this type.

I have two web servers on different networks that have been receiving this
type of traffic for the last 2 or 3 weeks. The same source IP's hit both
hosts at about the same time. This is low rate traffic and generates ACK's
back to the target. I have been logging this activity for about two weeks
and have captured some of the packets. I suspect that more than one machine
have the same reflector host list based on the varying times of day when
activity occurs.

A partial solution is for network operators (more likely ISP's) to do egress
filtering to ensure that only IP source addresses that belong to their
network leave their network.

John Elliott

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]