[1791] in WWW Security List Archive
Re: URGENT: denial of service
daemon@ATHENA.MIT.EDU (hickey@ctron.com)
Fri Apr 5 09:54:37 1996
From: hickey@ctron.com
Date: Fri, 5 Apr 1996 07:25:16 -0500 (EST)
Reply-To: hickey@ctron.com
To: jmcphail <jmcphail@kcstar.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SUN.3.91.960404231757.8845A-100000@kcsun3.kcstar.com>
Errors-To: owner-www-security@ns2.rutgers.edu
>
> Today was the launch of our shiny new web site. By 10:30am we had a
> persistent denial-of-service attack occurring.
>
> ......
>
> I've filed this incident with CERT, and I'm trying to find ways to
> eliminate the attack. With the filter rule we applied, nobody from the
> Class C he's in can access our pages, plus if the attacker is
> sophisticated the IP will change. I've contacted the administrator of the
> B license the attack came from, and was told he would "take a look."
>
> Any suggestions are greatly appreciated.
>
If I were to produce this sort of attack, I would certainly not use
my address range! It is quite easy to set up a workstation with an
IP address from some other range and use it to attack. The routers
are only looking at the destination IP address, so they will route
the packet to you accordingly. The return packet will not make it
back to the attacking workstation because now the router will send
it to the stolen IP address that resides half-way around the world.
The only way to track this type of attack is to have each service
provider (from you outward) run a couple of traces to see where
they are seeing it come from. This would take some time to do though.
Good luck....
--
Gerard Hickey, hickey@ctron.com, +1 603 337 7391/+1 603 337 7534 (fax)
Cabletron Systems, 36 Industrial Way, Rochester, NH USA 03867
I am trying to learn Esperanto.
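
Added example, not part of the original thread: because a reply to a forged source address goes to that address's real owner, a forged TCP source never completes a handshake with the server, and that can be checked from the server's own connection records. The sketch assumes the traffic is TCP (the message does not say), uses constructed events with documentation addresses, and all function names are hypothetical; it also shows what a Class C (/24) filter costs in legitimate visitors.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of TCP events seen at the web server (assumed format).
# "SYN" = connection request; "ACK" = the client answered our SYN-ACK, which
# can only happen if our reply actually reached whoever sent the SYN.
SAMPLE_EVENTS = (
    [("198.51.100.77", "SYN")] * 8                                # never answers
    + [("198.51.100.20", "SYN"), ("198.51.100.20", "ACK")] * 3    # visitor, same /24
    + [("192.0.2.5", "SYN"), ("192.0.2.5", "ACK")] * 2            # visitor elsewhere
)

def handshake_stats(events):
    """Count SYNs received and handshakes completed per source address."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0})
    for src, kind in events:
        if kind in ("SYN", "ACK"):
            stats[src][kind.lower()] += 1
    return dict(stats)

def never_completing(events, min_syns=5):
    """Sources with many SYNs and no completed handshake: consistent with a
    forged source address, since the SYN-ACK is routed to the real owner."""
    return sorted(src for src, s in handshake_stats(events).items()
                  if s["syn"] >= min_syns and s["ack"] == 0)

def collateral_of_class_c_block(events, flagged):
    """Sources that completed handshakes but share a /24 with a flagged
    address, so a Class C filter cuts them off as well."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in flagged}
    return sorted(src for src, s in handshake_stats(events).items()
                  if s["ack"] > 0
                  and any(ipaddress.ip_address(src) in n for n in nets))

if __name__ == "__main__":
    flagged = never_completing(SAMPLE_EVENTS)
    print("never complete a handshake:", flagged)
    print("legitimate hosts a /24 filter also blocks:",
          collateral_of_class_c_block(SAMPLE_EVENTS, flagged))
```

A source that never completes a handshake may also simply be unreachable, so the result is a reason to ask the upstream provider for a trace, not proof of where the traffic originates.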