[734] in Intrusion Detection Systems
Re: c4i-pro Denial-of-service at panix
daemon@ATHENA.MIT.EDU (darkpoet)
Wed Sep 18 04:45:52 1996
From: "darkpoet" <brianc@telepath.com>
To: <ids@uow.edu.au>
Date: Mon, 16 Sep 1996 00:05:14 -0500
Reply-To: ids@uow.edu.au
> Don McGregor <mcgredo@stl.nps.navy.mil>
> It seems that panix, a New York internet service provider, is undergoing
> a denial-of-service attack.
> The writeup for the masses is at
> http://www.washingtonpost.com/wp-srv/WPlate/1996-09/12/156L-091296-idx.html
> The technical details are at
> http://www.fc.net/phrack/files/p48/p48-14.html
> The attack described in the phrack article is actually much more
> sophisticated than that apparently used by the panix attacker.
> The panix guy is apparently only using the denial-of-service
> portion, rather than the full-on IP spoofing approach described
> by daemon9, of which denial-of-service is one part.
> frank swift (510) 422-1463 uncl@llnl.gov (510) 423-0913 fax
> Key fingerprint = 1A 14 02 5A 76 B2 BD 47 C0 3E ED 9A C5 3B 81 2D
funny you mention something like this.. i just got the new 2600 off the
newsstand, and it has a flood program in it. it's a Linux program using IP
spoofing, and it makes it totally impossible to get on the host machine from
the net. it sends a SYN packet to a port and gets the SYN/ACK back, but since
the source address for the SYN packets does not exist (though a route to it
is in place), that SYN/ACK will never be answered, and the port will wait
forever for that packet (or until it times out). i have the complete source
code, and i'll see about getting it posted. or you can look at
http://www.2600.com. it's a scary program... but i'm sure there are ways
around it.
brianc@telepath.com
ceo, darkened horizons, ltd.
network/internet security consulting/technical support
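As an added illustration from the defender's side of the half-open state described in the message above (this is not code from the post, from 2600, or from the Phrack article): the script replays a constructed packet trace and counts connections stuck after the SYN/ACK, grouped by destination host and port, since the source address of a spoofed SYN tells a monitor nothing. The trace, the `threshold` and the `timeout` values are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample trace as a monitor in front of the server would see it.
# Each record is (time_s, client, server, server_port, flags); client and server
# keep the same orientation no matter which side sent the segment.
TRACE = [
    (0.0, "198.51.100.7", "192.0.2.10", 25, "S"),
    (0.1, "198.51.100.7", "192.0.2.10", 25, "SA"),
    (0.2, "198.51.100.7", "192.0.2.10", 25, "A"),   # legitimate: handshake completes
    (1.0, "203.0.113.1", "192.0.2.10", 25, "S"),    # spoofed sources: SYN/ACK is sent
    (1.1, "203.0.113.1", "192.0.2.10", 25, "SA"),   # but no final ACK ever arrives
    (1.2, "203.0.113.2", "192.0.2.10", 25, "S"),
    (1.3, "203.0.113.2", "192.0.2.10", 25, "SA"),
    (1.4, "203.0.113.3", "192.0.2.10", 25, "S"),
    (1.5, "203.0.113.3", "192.0.2.10", 25, "SA"),
    (1.6, "203.0.113.4", "192.0.2.10", 25, "S"),
    (1.7, "203.0.113.4", "192.0.2.10", 25, "SA"),
    (2.0, "203.0.113.9", "192.0.2.10", 80, "S"),    # a single stray half-open on 80
    (2.1, "203.0.113.9", "192.0.2.10", 80, "SA"),
]


def half_open_counts(trace, now, timeout=75.0):
    """Count connections that received a SYN/ACK but never an ACK, per (server, port).

    `timeout` (assumed) models the server giving up on a half-open entry, which is
    why an old flood no longer shows up once `now` has moved on.
    """
    state = {}  # (client, server, port) -> (time of SYN, "SYN" | "SYNACK" | "EST")
    for t, client, server, port, flags in trace:
        key = (client, server, port)
        if flags == "S":
            state[key] = (t, "SYN")
        elif flags == "SA" and key in state:
            state[key] = (state[key][0], "SYNACK")
        elif flags == "A" and key in state:
            state[key] = (state[key][0], "EST")
    counts = defaultdict(int)
    for (client, server, port), (t0, st) in state.items():
        if st == "SYNACK" and now - t0 < timeout:
            counts[(server, port)] += 1
    return dict(counts)


def flood_alerts(trace, now, threshold=3, timeout=75.0):
    """Return the (server, port) pairs whose live half-open count reaches `threshold`."""
    counts = half_open_counts(trace, now, timeout)
    return sorted(k for k, n in counts.items() if n >= threshold)
```

Counting by destination rather than by source is the point: with forged, unreachable source addresses a per-source threshold never fires, while the backlog on the attacked port grows regardless.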