[5048] in North American Network Operators' Group
Re: My First Denial of Service Attack..... (fwd)
daemon@ATHENA.MIT.EDU (Avi Freedman)
Sun Oct 6 20:09:47 1996
From: Avi Freedman <freedman@netaxs.com>
To: michael@memra.com (Michael Dillon)
Date: Sun, 6 Oct 1996 20:05:58 -0400 (EDT)
Cc: nanog@merit.edu
In-Reply-To: <Pine.BSI.3.93.961006162245.619C-100000@sidhe.memra.com> from "Michael Dillon" at Oct 6, 96 04:22:55 pm
There are other analyses that can be performed if you have a tcpdump
(NOT etherfind) output log of the headers from an attack.
It's well worth a few tens of megabytes...
CERT and some of the people working on the SYN attacks can help if
you have such traces.
Avi
> Date: Sun, 6 Oct 1996 11:40:25 -0400
> From: Dave Van Allen <dave@fast.net>
> Reply-To: inet-access@earth.com
> To: "'inet-access@earth.com'" <inet-access@earth.com>
> Subject: RE: My First Denial of Service Attack.....
> Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT)
> Resent-From: inet-access@earth.com
>
> FYI, (if it has already been mentioned, please excuse the double post,
> but:)
>
> The latest version of the SYN attack code published in Phrack (last
> week's edition, NOT last month's) has an embedded 'ping' every several
> hundred SYN packets.
>
> If you get attacked, run snoop, tcpdump or anything that captures
> packets, and look for the pings - they have the real source address of
> the sender of the SYN flood attack.
>
> Please note, obviously the code can be modified to NOT ping, but our
> attacker last night did not do that, and we had the name of the user,
> their ISP, and other info in less than 15 minutes.
>
> Best regards,
> -
> Dave Van Allen - You Tools Corporation/FASTNET(tm)
> dave@fast.net (610)954-5910 http://www.fast.net
> FASTNET - PA/NJ/DE Business Internet Solutions
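The capture check Dave describes, as an added example that is not part of the original post: it scans tcpdump-style summary lines for a SYN flood (many SYNs to one socket from many distinct, presumably spoofed, sources) and reports the sources of ICMP echo requests that arrive while the flood is under way. The line format, the sample capture and the thresholds are constructed assumptions, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style summary lines (not a real capture); the line
# format is an assumption modelled loosely on tcpdump output of the era.
SAMPLE_CAPTURE = """\
20:01:00.000101 10.0.0.7.1034 > 192.0.2.10.25: S 1:1(0) win 512
20:01:00.000220 10.0.0.9.1035 > 192.0.2.10.25: S 1:1(0) win 512
20:01:00.000331 198.51.100.77 > 192.0.2.10: icmp: echo request
20:01:00.000445 10.0.1.3.1036 > 192.0.2.10.25: S 1:1(0) win 512
20:01:00.000560 203.0.113.5.2001 > 192.0.2.10.80: S 1:1(0) win 8192
20:01:00.000670 10.0.2.5.1037 > 192.0.2.10.25: S 1:1(0) win 512
20:01:00.000780 198.51.100.77 > 192.0.2.10: icmp: echo request
20:01:00.000890 10.0.3.1.1038 > 192.0.2.10.25: S 1:1(0) win 512
20:01:05.100000 203.0.113.9 > 192.0.2.10: icmp: echo request
"""

SYN_RE = re.compile(
    r"^(\d+:\d+:\d+\.\d+) (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.(\d+): S\b")
PING_RE = re.compile(
    r"^(\d+:\d+:\d+\.\d+) (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): icmp: echo request")

def _secs(ts):
    """Capture timestamp HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_flood_pings(capture, min_syns=5, min_sources=4):
    """Return (flooded (dst, port), Counter of echo-request sources seen during
    the flood) or (None, Counter()). Thresholds are tuned down for the sample."""
    syns = defaultdict(list)   # (dst, port) -> [(time, src), ...] in capture order
    pings = []                 # (time, src, dst)
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m:
            syns[(m.group(3), int(m.group(4)))].append((_secs(m.group(1)), m.group(2)))
            continue
        m = PING_RE.match(line)
        if m:
            pings.append((_secs(m.group(1)), m.group(2), m.group(3)))
    # A SYN flood shows up as many SYNs to one socket from many distinct
    # (spoofed) sources; only pings inside that time window are of interest.
    for target, hits in syns.items():
        if len(hits) >= min_syns and len({src for _, src in hits}) >= min_sources:
            start, end = hits[0][0], hits[-1][0]
            sources = Counter(src for t, src, dst in pings
                              if dst == target[0] and start <= t <= end)
            return target, sources
    return None, Counter()
```

The reported addresses are leads for follow-up with the source's ISP, not proof: as the post itself notes, an attacker can strip the ping from the code.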