Message-Id: <4.2.2.19991208172247.00aa6b40@mail.computeralt.com>
Date: Wed, 08 Dec 1999 17:32:46 -0500
To: freebsd-security@FreeBSD.ORG
From: "Scott I. Remick"
Subject: Re: What kind of attack is this?
References: <4.2.2.19991208162315.00b5f4e0@mail.computeralt.com>

At 05:02 PM 12/8/99 -0500, Robert Watson wrote:
>This morning there were two posts about distributed attack tools on
>bugtraq--does either of these sound like what you are experiencing?

I actually saw those, and the thought crossed my mind. Only the Tribe one seems to involve packets with spoofed information. Plus, this sounds a bit too involved to be from the place that I'm suspecting, and we're really not that big to warrant all that effort :) It did seem like a large undertaking to set up a TFN, and it seems too new for us to be one of the first victims. I was figuring there was probably a very common attack that sent UDP packets that triggered ICMP replies in order to bog down a particular victim's system.

>There's not much you can do about spoofed UDP attacks without significant
>involvement of providers along the path back to the attacker, but with
>distributed attack tools not using spoofing, it is feasible.

Well, I'm next to positive that the source addresses are spoofed. There's just no rhyme nor reason to them, and they seem to come from all over creation. As it has stopped for now, I can't really observe anything new, but that was my recollection. I have a good relationship with the techs at our ISP so I know they'd be cooperative. I don't know how it'd go from there.

I'd really like to call this attack by name if it has one, so we're all on the same page, and I can do more research on it.

-----------------------
Scott I. Remick              scott@computeralt.com
Network and Information      (802)388-7545 ext. 236
Systems Manager              FAX:(802)388-3697
Computer Alternatives, Inc.  http://www.computeralt.com