DDoS attack

Old 07-08-04, 01:26 PM
  #1  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
DDoS attack

I feel so special... someone has selected my home network for a DoS attack.

My router sent me some interesting email today. In forward chronological order:

Jul/07/2004 17:35:22
TearDrop Attack Detect src:69.93.10.57:8224 dst:x.x.x.x:8224 Packet Dropped

Jul/07/2004 17:35:22
TearDrop Attack Detect src:69.93.10.57:27145 dst:x.x.x.x:1026 Packet Dropped

Jul/07/2004 17:35:27
SMTP: send mail succeed

Jul/07/2004 17:35:27
TearDrop Attack Detect src:69.93.10.57:8224 dst:x.x.x.x:8224 Packet Dropped

Jul/07/2004 17:35:27
TearDrop Attack Detect src:69.93.10.57:27145 dst:x.x.x.x:1026 Packet Dropped

Jul/07/2004 17:35:31
SMTP: send mail succeed

Jul/07/2004 18:10:23
TearDrop Attack Detect src:66.90.181.15:8224 dst:x.x.x.x:8224 Packet Dropped

Jul/07/2004 18:10:23
TearDrop Attack Detect src:66.90.181.15:15171 dst:x.x.x.x:1026 Packet Dropped

Jul/07/2004 18:10:29
TearDrop Attack Detect src:66.90.181.15:8224 dst:x.x.x.x:8224 Packet Dropped

Jul/07/2004 18:10:29
TearDrop Attack Detect src:66.90.181.15:15171 dst:x.x.x.x:1026 Packet Dropped

Jul/08/2004 08:55:34
Ping of Death Detect src:66.122.63.192:33128 dst:x.x.x.x:6881 Packet Dropped


The dst IP addresses are all my IP address. Fortunately, my ISP provides access via dynamic IP, so relogging might avoid further attacks.

The src IP addresses are as follows:
69.93.10.57 translates to 57.69-93-10.reverse.vipserver.ru
66.90.181.15 translates to 66-90-181-15.dyn.grandenetworks.net
66.122.63.192 translates to adsl-66-122-63.192.dsl.sntc01.pacbell.net

Looks like a DDoS, or distributed attempt to find a security hole and take over machines on the network.

What should I do?

- David Stein

Last edited by sfsdfd; 07-08-04 at 06:00 PM.
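
An added example (not part of the original post or thread): a small Python parser for the two-line alert format the router e-mailed above, grouping dropped packets by source address so the signatures, destination ports and time span for each source can be read at a glance. The sample is constructed from entries quoted in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the router e-mail quoted above
# (timestamp line, then event line); addresses are copied from the post.
SAMPLE = """\
Jul/07/2004 17:35:22
TearDrop Attack Detect src:69.93.10.57:8224 dst:x.x.x.x:8224 Packet Dropped
Jul/07/2004 17:35:22
TearDrop Attack Detect src:69.93.10.57:27145 dst:x.x.x.x:1026 Packet Dropped
Jul/07/2004 17:35:27
SMTP: send mail succeed
Jul/07/2004 18:10:23
TearDrop Attack Detect src:66.90.181.15:8224 dst:x.x.x.x:8224 Packet Dropped
Jul/08/2004 08:55:34
Ping of Death Detect src:66.122.63.192:33128 dst:x.x.x.x:6881 Packet Dropped
"""

TS = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
EVENT = re.compile(r"^(?P<sig>.+?) Detect src:(?P<src>[\d.]+):(?P<sport>\d+) "
                   r"dst:\S+:(?P<dport>\d+) Packet Dropped$")

def parse(text):
    """Yield (timestamp, signature, src_ip, dst_port) for each dropped-packet alert."""
    ts = None
    for line in (l.strip() for l in text.splitlines()):
        if TS.match(line):
            ts = datetime.strptime(line, "%b/%d/%Y %H:%M:%S")
        elif ts and (m := EVENT.match(line)):
            yield ts, m["sig"], m["src"], int(m["dport"])
        # anything else (e.g. "SMTP: send mail succeed") is router housekeeping

def summarize(text):
    """Per source: alert count, signatures, destination ports, first/last seen."""
    out = defaultdict(lambda: {"count": 0, "sigs": set(), "dports": set(),
                               "first": None, "last": None})
    for ts, sig, src, dport in parse(text):
        s = out[src]
        s["count"] += 1
        s["sigs"].add(sig)
        s["dports"].add(dport)
        s["first"] = min(s["first"] or ts, ts)
        s["last"] = max(s["last"] or ts, ts)
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s["count"], sorted(s["sigs"]), sorted(s["dports"]), s["first"], s["last"])
```
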
Old 07-08-04, 10:13 PM
  #2  
Mod Emeritus
 
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
Re: DDoS attack

Originally posted by sfsdfd
What should I do?

- David Stein

Well, what did you expect after using CS and CIS as though they were the same thing?


Seriously, I'd go ahead and send an E-Mail to the technical contact for each of those domains. Odds are the owners have no idea what's going on, but maybe the providers will contact the owners or disallow the systems from the network.

Other than that, as long as it's not interfering with access, I probably wouldn't worry about it.

Who the heck tries the Ping Of Death these days anyway???
Old 07-08-04, 11:37 PM
  #3  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Re: Re: DDoS attack

Originally posted by Dead
Well, what did you expect after using CS and CIS as though they were the same thing?

Yes, take a cheap jab in response to a plea for help. Thanks a lot.

Originally posted by Dead
I'd go ahead and send an E-Mail to the technical contact for each of those domains. Odds are the owners have no idea what's going on, but maybe the providers will contact the owners or disallow the systems from the network.

Yup, I'm assuming they're zombie machines looking to expand the horde.

Originally posted by Dead
Who the heck tries the Ping Of Death these days anyway???

Both kinds of attacks seem way outdated. My concern is that their antiquity is the reason my router knows how to best them and notify me. That is - if the same attackers are using different attacks that are getting through my router, how would I know?

One tactic I'm employing: bandwidth metering - if I start getting a large jump in bandwidth from the sole machine still up on that network, I'll know something odd is happening.

- David Stein
Old 07-09-04, 08:57 AM
  #4  
Mod Emeritus
 
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
Re: Re: Re: DDoS attack

Originally posted by sfsdfd
Both kinds of attacks seem way outdated. My concern is that their antiquity is the reason my router knows how to best them and notify me. That is - if the same attackers are using different attacks that are getting through my router, how would I know?

If your router can log connections, you may be able to tell if other traffic is coming in that shouldn't be. Reading the logs might be a pain though. If you're concerned enough, you could set up an IDS on or in front of the box to monitor the activity coming through the router.
Old 07-09-04, 01:38 PM
  #5  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Newest zombie knockin' on my door:

Jul/09/2004 11:45:41
TearDrop Attack Detect src:80.137.33.177:6881 dst:x.x.x.x:61466 Packet Dropped

IP lookup translates to p508921B1.dip.t-dialin.net, which translates to some foreign dialup service. Heh. Yes, it appears that someone is now attacking my cable modem network through their 57.6k (or less) dialup connection.

This is kinda fun, from a forensic point of view. I've heard lots of stories about people finding their networks rooted and pwned. Having never been attacked before, I've always wondered how well my network might hold up and how I'd detect it. Well, I now have the chance to find out... and with little risk of harm, since my attacker appears to be a complete idiot!

- David Stein
Old 07-09-04, 01:45 PM
  #6  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Re: Re: Re: Re: DDoS attack

Originally posted by Dead
If you're concerned enough, you could set up an IDS on or in front of the box to monitor the activity coming through the router.

I'm considering that - just for added forensics. Is Snort any good?

- David Stein
Old 07-09-04, 02:33 PM
  #7  
DVD Talk Hall of Fame
 
Join Date: Jan 2000
Location: US
Posts: 9,631
justin could probably give you more info on snort, but it's a good tool, assuming you can determine what the flood of information is telling you. I've played with snort a few times, using the ACID console on a standalone box, and also on the integrated snort in my firewall. Interesting to see the big picture, but I don't know enough about it to really know what it is telling me...

dave
Old 07-09-04, 02:58 PM
  #8  
DVD Talk Legend
Thread Starter
 
Join Date: Oct 1999
Location: |-|@><0r [email protected]|)
Posts: 17,214
Originally posted by Dave99
Interesting to see the big picture, but I don't know enough about it to really know what it is telling me...

I had the same impression about ZoneAlarm. It pestered me endlessly about programs accessing the net, and inexplicably denied access to IE for a while. Rather than spend half of my life interpreting its output, I just uninstalled it.

- David Stein
Old 07-09-04, 03:56 PM
  #9  
Mod Emeritus
 
Join Date: Feb 1999
Location: Gone to the islands - 'til we meet again.
Posts: 19,053
Re: Re: Re: Re: Re: DDoS attack

Originally posted by sfsdfd
I'm considering that - just for added forensics. Is Snort any good?

- David Stein

I like Snort. I've heard that the Acid console that Dave mentioned is very nice, but haven't ever used it myself. I've got a Linux firewall running Snort and the firewall has an integrated tool that lets me review what Snort has detected. It can become overwhelming to dig through though, but if it's on the inside of your router that should eliminate a good portion of the reports.
