From owner-freebsd-hackers Tue Jan 7 18:53:48 2003
From: (envelope-from soralx@cydem.zp.ua)
To: hackers@FreeBSD.ORG
Subject: Re: DDoS attacks, packets captured ... not sure what to do.
Date: Tue, 7 Jan 2003 19:53:01 -0700
References: <20030105145150.N80512-100000@mail.econolodgetulsa.com> <200301060021.39502.soralx@cydem.zp.ua> <3E19D613.84622ADE@mindspring.com>
In-Reply-To: <3E19D613.84622ADE@mindspring.com>
Message-Id: <200301071953.01935.soralx@cydem.zp.ua>

> Knowing his IP address is useless, if it's a denial of service,
> unless you have a peering agreement with his NSP/ISP, and/or are
> within driving distance, and own a shotgun.

That is what I'm talking about. :)
And I think that the attacker lives not so far from him, since you need
to have very good Inet to send thousands of pps.

> > BTW, what were the UDP packets for? Scanning?
> Otherwise, they might have been a Linux NFS over UDP client
> (same thing, really), or some other attack (e.g. attempted DNS
> poisoning, etc.).

No - he says that the packets are sent to random ports.

So, watch and try to get the real IP 8)

07.01.2003; 19:42:31
[SorAlx] http://cydem.zp.ua/