[769] in resnet
Re: DDoS attacks and zombies
daemon@ATHENA.MIT.EDU (Patric)
Tue Feb 5 06:22:05 2002
Message-ID: <3.0.32.20020205060428.0068e308@polaris.umpi.maine.edu>
Date: Tue, 5 Feb 2002 06:04:31 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Patric <edwardp@POLARIS.UMPI.MAINE.EDU>
To: RESNET-L@listserv.nd.edu
The following link has a fairly comprehensive report on what was done under
similar circumstances. Even if it is not of much use in this specific case,
it is a good read:
http://grc.com/dos/grcdos.htm
or in PDF at
http://media.grc.com/files/grcdos.pdf
patric
At 10:07 PM 2/4/02 -0500, you wrote:
>Recently, we had 2 DDoS attacks on campus and found a few computers on
>campus were performing the attacks. We got hold of 3 computers. They
>don't really have viruses or Trojans. After a closer look, the computers are
>"bots" controlled by a certain mIRC channel (I'd rather not say which here but
>you can email me later for more info.) I got on the channel and saw many
>other .edu ResNet computers (possibly yours too), all victims. So, this
>channel has literally thousands of IPs at the operators' disposal to use for
>DDoS attacks, etc.
>
>Questions:
>
>1. If you have the experience, please share how I should proceed next to
>break this malicious operation.
>
>2. The scripts and server files are big - over 1.5Mb. Do you know how
>they got installed on the computer? One of the owners said she just got
>the computer in September. She has updated virus software and claimed she never
>downloaded anything. She doesn't use any p2p software. The files were all
>identical on the 3 computers and all installed in the same directory.
>
>Thanks.
>Wendy Shih
>
>___________________________________________________
>You are subscribed to the ResNet-L mailing list.
>
>To subscribe, unsubscribe or search the archives,
>go to http://LISTSERV.ND.EDU/archives/resnet-l.html
>___________________________________________________
>
***************************************************
Patric Edward
email: patric@maine.rr.com
http://www.umpi.maine.edu/~edwardp/
******sunlight is the best disinfectant...*********