From: James P. Kinney III (jkinney_at_localnetsolutions.com)
Date: Thu Sep 26 2002 - 10:35:03 CDT

    My understanding is that TCP is used during the break-in process. UDP is
    then used to communicate with "home base" and other infected machines.
    It sets up a P2P network using UDP protocols.

    I expect that false blocking will occur.

    On Thu, 2002-09-26 at 11:16, Mark wrote:
    > Which brings up another point. It uses TCP to infect, but UDP for the peer
    > communication, right? UDP is so easily spoofed, what's to keep me from
    > falsely pretending that I am an infected machine at Company X via a simple
    > UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
    > wished anonymously?
    >
    > -Mark
    >
    > ----- Original Message -----
    > From: "Anton A. Chuvakin" <antonchuvakin.org>
    > To: "James P. Kinney III" <jkinneylocalnetsolutions.com>
    > Cc: <incidentssecurityfocus.com>
    > Sent: Wednesday, September 25, 2002 2:38 PM
    > Subject: Re: slapper worm variant "cinik"
    >
    >
    > > James and all,
    > >
    > > >Apparently the intruder got rather upset I spoiled his fun and about 15
    > > >minutes after I shut him out, I was a victim of a udp-based DOS attack.
    > > Actually, it wasn't an intruder; the UDP flood you are experiencing is a
    > > consequence of a worm network design. Most likely the worm managed to join
    > > the network before you shut it down and now its peers are trying to access
    > > your machine.
    > >
    > > For more info go to http://isc.incidents.org/analysis.html?id=169 and
    > > http://isc.incidents.org/analysis.html?id=167
    > >
    > > Best,
    > > --
    > > Anton A. Chuvakin, Ph.D., GCIA
    > > http://www.chuvakin.org
    > > http://www.info-secure.org
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com

    -- 
    James P. Kinney III   \Changing the mobile computing world/
    President and CEO      \          one Linux user         /
    Local Net Solutions,LLC \           at a time.          /
    770-493-8244             \.___________________________./
    

    GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinneylocalnetsolutions.com> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7