-----BEGIN PGP SIGNED MESSAGE-----

Hard not to agree with what's said here. IRC servers always get
attacked. (Jimmie doesn't like what Johny said, so he floods the
server.)

The other thing you want to be sure you're not getting is something
like TFN or trinoo running from within your own network. If the IRC
server you are referring to is not yours, then you are likely being
used to attack it.

Cheers,
Craig Skelton
/*
 ______        _     _                                   
(____  \      (_)   | |                                  
 ____)  ) ____ _  _ | | ____  ____  ___  ____ ___  ____  
|  __  ( / ___) |/ || |/ _  |/ _  )/___)/ ___) _ \|    \ 
| |__)  ) |   | ( (_| ( ( | ( (/ /|___ ( (__| |_| | | | |
|______/|_|   |_|\____|\_|| |\____|___(_)____)___/|_|_|_|
                      (_____|                            

*/

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
Cedric Amand
Sent: August 1, 2000 12:32 PM
To: Dirk Boenning
Cc: 'Firewall-1 Mailing list'
Subject: Re: [FW1] Urgent. I'm under attack
Hello Dirk,

DB> Since a couple of minutes ago I've been under an attack. I have never seen
DB> this behaviour.

First of all, a free tip: if you don't want to be put out of
business, just do not run an IRC (ircnet) server.

You're begging for being attacked by running one.
You've got to know that, and deal with it.

IRCNet is dying as many companies are fed up with losing uptime
because of it. I find this attitude ridiculous, as I prefer wasting
uptime for attacks targeted at a known host running a completely
unsupported service with no SLA whatsoever, rather than one day
losing hours of uptime for an attack really targeted at our
entire service and having the company discovering these kinds of
attacks for the first time ;)


DB> I have round 'bout 50000 active connections. The destination for all
DB> of these connections is irc.arnes.si (193.2.1.34). The source is an
DB> internal IP. The internal IP is not one specific IP, it's changing all
DB> over the whole subnet, even if no machine is assigned to this IP. But not
DB> only do the IPs cycle through all values, the ports do also.

If you've got 50000 "connections" it means TCP for me, and then
these connections are not spoofed.
Since an unspoofed connection could hardly come from a non-existent
host, there is something wrong with what you're saying.
So these are rather packets, but certainly not connections.

What you're seeing is probably a bunch of spoofed UDP packets combined
with an ACK flood, which is known as a flood network. Could be TFN,
Trinoo, or whatever. It doesn't matter actually.

IIRC, TFN(2K?) uses spoofed IPs in its neighborhood by default.
So it sends packets from a pseudo "C-class" around the actual source
IP.

So it could indeed mean that someone from your own network is
attacking your server. I find this unlikely though; you could easily
see that in your bandwidth logs.


DB> I'm sure that IP spoofing is correctly configured. The overall system
DB> has worked for 2 years.

Uptime is not a way of measuring quality. Unix systems with years of
uptime make me laugh, as it means they've been unpatched for years.


DB> Any idea how to stop, what to change ??

You did not identify the target. It's not the server, it's the pipe.
Whatever your security is, you've got little means of defense against
attacks targeted at your bandwidth, which are the most common
ones to unlink an IRC server from the network.

There is nothing to do except routing to null0 the spoofed packets
*before* they reach your network.


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQEVAwUBOYc2WCjIATDQrD6XAQGLjAf/eKbgQmqBh1MC9huioj91dkgjVpy0xQsG
8+z0+CPRhB07UIDtohC25YJ+kPEvFd4u5Uzkf7BQG9RbCAcgyh8G1mc+OnSDDKWD
qQk6m83YFPOU9SMH9MBU9PTSDtUEvL0X2jDLFfN+4uUWkizmK4uU+OOP1Wvu/JWE
UR9YIbhLWe6c/EV9glncsf5iNun3IjQTZTTUU7MWPQ3MYom95r/DPa/jsiC909K5
u8gsN73lRkJ1SJ/rDQ9GHbj2v6nCkHITHl6fmcUMyttsQDsRx7LepW031Ri9+rCe
QvdwQRydEVhPf7rUncc11gXXJJ8I5dL3Slfs4ghDyTQlquYhxVykJQ==
=sVyk
-----END PGP SIGNATURE-----
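The two points made in the thread, that you may be the flood's source rather than its target, and that a source address changing across your whole subnet (including addresses no host is assigned to) together with bare ACK and UDP packets means spoofing from inside, can be checked directly against firewall or flow records. The script below is an added example for this thread and is not code from any of the posters. It walks one packet per log line and reports sources outside the block you own, sources inside it that are not in your host inventory, ACKs with no handshake behind them, bare UDP, and which destination is soaking up the outbound packet count. The log format, the address block 198.51.100.0/24, the assigned-host list and the 50% share threshold are assumptions made for the example; the log lines are constructed, and 193.2.1.34 is the destination named in the thread.

```python
"""Check whether our own network is acting as a flood source.

Added example (not the posters' code). Log format, address block, host
inventory and thresholds are assumptions; the log lines are constructed."""

import ipaddress
from collections import Counter

# Assumed export format, one packet per line:
# "<src_ip>:<src_port> <dst_ip>:<dst_port> <PROTO> <TCP flags or -> <bytes>"
CONSTRUCTED_LOG = """\
198.51.100.10:40123 193.2.1.34:6667 TCP A 40
198.51.100.77:52001 193.2.1.34:6667 TCP A 40
198.51.100.201:1029 193.2.1.34:6667 UDP - 1024
198.51.100.202:1030 193.2.1.34:6667 UDP - 1024
203.0.113.9:4444 193.2.1.34:6667 TCP A 40
198.51.100.10:55010 198.51.100.5:25 TCP S 60
198.51.100.5:25 198.51.100.10:55010 TCP SA 60
198.51.100.10:55010 198.51.100.5:25 TCP A 52
"""

OUR_PREFIX = ipaddress.ip_network("198.51.100.0/24")      # assumed allocation
ASSIGNED_HOSTS = {ipaddress.ip_address(a) for a in          # assumed host inventory
                  ("198.51.100.5", "198.51.100.10", "198.51.100.77")}


def parse_record(line):
    """Split one log line into typed fields."""
    src, dst, proto, flags, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "proto": proto, "flags": flags, "bytes": int(nbytes)}


def analyze(log_text, our_prefix=OUR_PREFIX, assigned=ASSIGNED_HOSTS):
    """Summarise outbound traffic: who claims to send it, and where it goes."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    handshakes = set()   # 4-tuples on which a SYN was seen
    per_dst = Counter()  # outbound packets per destination
    outside, unassigned = set(), set()
    unsolicited_ack = udp_out = 0
    for r in records:
        if r["proto"] == "TCP" and "S" in r["flags"]:
            handshakes.add((r["src"], r["sport"], r["dst"], r["dport"]))
        if r["dst"] in our_prefix:
            continue                       # inbound/internal traffic is not the flood
        per_dst[r["dst"]] += 1
        if r["src"] not in our_prefix:
            outside.add(str(r["src"]))     # we cannot legitimately originate this
        elif r["src"] not in assigned:
            unassigned.add(str(r["src"]))  # nobody lives at this address
        if r["proto"] == "UDP":
            udp_out += 1
        elif r["flags"] == "A":            # ACK with no handshake we ever saw
            fwd = (r["src"], r["sport"], r["dst"], r["dport"])
            rev = (r["dst"], r["dport"], r["src"], r["sport"])
            if fwd not in handshakes and rev not in handshakes:
                unsolicited_ack += 1
    top_dst, top_n = per_dst.most_common(1)[0] if per_dst else (None, 0)
    return {"outbound": sum(per_dst.values()),
            "outside_source": sorted(outside),
            "unassigned_source": sorted(unassigned),
            "unsolicited_ack": unsolicited_ack,
            "udp_out": udp_out,
            "top_destination": (str(top_dst), top_n)}


def alerts(report, share=0.5):
    """Turn the report into the conclusions a firewall admin wants to act on."""
    out = []
    if report["outside_source"]:
        out.append("spoofed sources outside our block (egress filter is not catching them): "
                   + ", ".join(report["outside_source"]))
    if report["unassigned_source"]:
        out.append("sources inside our block with no host assigned: "
                   + ", ".join(report["unassigned_source"]))
    dst, n = report["top_destination"]
    if report["outbound"] and n >= share * report["outbound"]:
        out.append(f"{n}/{report['outbound']} outbound packets target {dst}")
    if report["unsolicited_ack"] or report["udp_out"]:
        out.append(f"{report['unsolicited_ack']} bare ACKs without a handshake, "
                   f"{report['udp_out']} bare UDP packets")
    return out


if __name__ == "__main__":
    for line in alerts(analyze(CONSTRUCTED_LOG)):
        print("ALERT:", line)
```

The handshake check is what separates a real ACK from the ACK flood the thread describes: the internal SMTP exchange in the sample carries an ACK too, but it follows a SYN on the same 4-tuple, so it is not counted. Any hit in the first two alert categories means packets are leaving with source addresses that cannot be yours, which is exactly what an egress filter at the border (or a null route for the spoofed range, as the thread suggests) should be stopping before they reach the pipe.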