[31821] in North American Network Operators' Group
Re: DOS Attacks - Almost Caught One!
daemon@ATHENA.MIT.EDU (Quark Physics)
Sun Oct 22 10:49:28 2000
Date: Sun, 22 Oct 2000 10:28:31 -0400 (EDT)
From: Quark Physics <meuon@highertech.net>
To: nanog@nanog.org
In-Reply-To: <20001021180453.A95884@shell.cifnet.com>
Message-ID: <Pine.LNX.4.10.10010221003560.27512-100000@home.highertech.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
> We do get this sort of crap daily at least 5 times a day, distributed
> tcp/ack, tcp/syn, etc, over 40-50Kpps+ sometimes.. my list of over ~230
> slave networks (in /24 format). Kids are after taking CPUs in routers
> out and not killing you with hundrends and hundreeds of Mbps,
> high-pps attacks are also very nasty, and of course everything
> is over some stupid IRC issue.
We have found two hacked Linux boxen (on customers boxes)
recently that have been used as DDOS creators. Both were
older (Redhat 6.0) and were well hacked, replacing ls,find,ps,login,wtmp..
etc... and they installed a small IRC proxy server (BNC ala bnc.com)
and then some tools for sniffing and apparently creating DDOS.
We were unable to find traces of the originating IP's in logs
or other files. I saved some of the programs (t0rnD, stachel..)
