North American Network Operators Group
Re: My First Denial of Service Attack..... (fwd)
There are other analyses that can be performed if you have a tcpdump (NOT etherfind) output log of the headers from an attack. It's well worth a few tens of megabytes... CERT and some of the people working on the SYN attacks can help if you have such traces.

Avi

> Date: Sun, 6 Oct 1996 11:40:25 -0400
> From: Dave Van Allen <[email protected]>
> Reply-To: [email protected]
> To: "'[email protected]'" <[email protected]>
> Subject: RE: My First Denial of Service Attack.....
> Resent-Date: Sun, 6 Oct 1996 09:38:04 -0600 (MDT)
> Resent-From: [email protected]
>
> FYI, (if it has already been mentioned, please excuse the double post,
> but:)
>
> The latest version of the SYN attack code published in Phrack (last
> week's edition, NOT last month's) has an embedded 'ping' every several
> hundred SYN packets.
>
> If you get attacked, run snoop, tcpdump or anything that captures
> packets, and look for the pings - they have the real source address of
> the sender of the SYN flood attack.
>
> Please note, obviously the code can be modified to NOT ping, but our
> attacker last night did not do that, and we had the name of the user,
> their ISP, and other info in less than 15 minutes.
>
> Best regards,
> -
> Dave Van Allen - You Tools Corporation/FASTNET(tm)
> [email protected] (610)954-5910 http://www.fast.net
> FASTNET - PA/NJ/DE Business Internet Solutions
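The analysis both posters describe (keep a tcpdump text log of the attack, then look for ICMP echo requests interleaved with the spoofed SYNs) can be automated. The script below is an added example and is not code from the thread or from either poster. It assumes the classic tcpdump text format shown in its comments; the log it builds is constructed sample data with RFC 5737 documentation addresses, and the window and ratio thresholds are assumed tuning values, not figures from the thread.

```python
"""Scan a tcpdump-style text log of a SYN flood for ICMP echo requests
that arrive in the middle of the flood.

Added example, not part of the NANOG thread. Parses the classic tcpdump
text format, tallies SYNs per (spoofed) source, and reports the sources
of echo requests seen while the preceding traffic is almost entirely SYNs.
All addresses and log lines here are constructed sample data.
"""
import random
import re
from collections import Counter, deque

# Classic tcpdump TCP line, e.g.
#   11:40:01.000100 10.0.0.7.1234 > 192.0.2.10.80: S 1:1(0) win 512
TCP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)")
# Classic tcpdump ICMP echo line, e.g.
#   11:40:01.000300 203.0.113.5 > 192.0.2.10: icmp: echo request
ICMP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"icmp: echo (?P<kind>request|reply)")


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not recognised."""
    m = TCP_RE.match(line)
    if m:
        pkt = m.groupdict()
        pkt["proto"] = "tcp"
        pkt["syn"] = pkt["flags"] == "S"   # bare SYN: a new connection attempt
        return pkt
    m = ICMP_RE.match(line)
    if m:
        pkt = m.groupdict()
        pkt["proto"] = "icmp"
        return pkt
    return None


def analyze(lines, window=100, min_syn_ratio=0.9):
    """Walk the capture in order.

    Returns (syn_sources, ping_sources): SYN packets per source address, and
    echo-request sources seen when at least `min_syn_ratio` of the previous
    `window` packets were SYNs. Pings outside such a burst are ignored, so
    ordinary traffic before or after the flood is not flagged. Thresholds are
    assumed values for this example.
    """
    syn_sources = Counter()
    ping_sources = Counter()
    recent = deque(maxlen=window)   # True for a SYN, False for anything else
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        is_syn = pkt["proto"] == "tcp" and pkt["syn"]
        if is_syn:
            syn_sources[pkt["src"]] += 1
        elif pkt["proto"] == "icmp" and pkt["kind"] == "request":
            if len(recent) == window and sum(recent) / window >= min_syn_ratio:
                ping_sources[pkt["src"]] += 1
        recent.append(is_syn)
    return syn_sources, ping_sources


def build_sample_log(syns=300, ping_every=100, seed=1):
    """Constructed log: random spoofed SYNs to 192.0.2.10:80, with an echo
    request from 203.0.113.5 after every `ping_every` SYNs. Two ordinary
    packets precede the flood to show that they are not flagged."""
    rng = random.Random(seed)
    target = "192.0.2.10"
    lines = [
        "11:40:00.000001 198.51.100.20.40001 > %s.80: . ack 1 win 8760" % target,
        "11:40:00.000002 198.51.100.21 > %s: icmp: echo request" % target,
    ]
    seq = 3
    for n in range(1, syns + 1):
        spoofed = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                   rng.randrange(1, 255))
        isn = rng.randrange(1, 2 ** 31)
        lines.append("11:40:01.%06d %s.%d > %s.80: S %d:%d(0) win 512"
                     % (seq, spoofed, rng.randrange(1024, 65535), target, isn, isn))
        seq += 1
        if n % ping_every == 0:
            lines.append("11:40:01.%06d 203.0.113.5 > %s: icmp: echo request"
                         % (seq, target))
            seq += 1
    return lines


if __name__ == "__main__":
    syn_sources, ping_sources = analyze(build_sample_log())
    print("SYN packets:", sum(syn_sources.values()),
          "from", len(syn_sources), "distinct (spoofed) sources")
    for src, count in ping_sources.most_common():
        print("echo requests during flood from %s: %d" % (src, count))
```

On the constructed log this reports 300 SYNs from a few hundred distinct spoofed addresses and three echo requests from 203.0.113.5 during the flood, while the echo request that arrived before the flood is left out. On a real trace the same address is only a lead to hand to the upstream ISP or CERT, as the thread notes, since nothing stops the tool from being changed to omit the ping.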