[27181] in North American Network Operators' Group
Re: Info on the DoS attacks.
daemon@ATHENA.MIT.EDU (Sean Donelan)
Wed Feb 9 22:21:25 2000
Date: 9 Feb 2000 19:15:46 -0800
Message-ID: <20000210031546.20537.cpmta@c004.sfo.cp.net>
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: largo@megatokyo.com
From: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 09 February 2000, Rodney Caston wrote:
> I spoke with a person that claimed to understand the attacks that are
> going on, while I have no proof, I offer this as an example of what to
> look for on your own systems. So I am presenting this only as a possible
> example of what has taken place, and until proven correct I concede this
> is only a "rumor."
Has anyone else noticed the dearth of technical information about these
attacks? Although some of the largest web sites, and networks have been
hit, I still haven't read a confirmed description of exactly what is
happening.
Its been three days. After the Morris Worm, by this point in time I had
seen several technical descriptions and even portions of decompiled code.
And I was just an interested Internet user in those days.
In this case I still haven't seen confirmation if it was trino, tfn, something
new, or what. Or even confirmation if it was a series of HTTP GETs or random
packets, or some interesting corruption of a packet. Or if confirmation the
attacks are coming from the same set of hosts or different ones for each attack.
If it is the same set of IP addresses, could we RBL (or create a new RBL) them?
Maybe I'm just on the wrong mailing lists.
