Mike, Smurf attacks are malformed ICMP echo packets. They aren't directed to a particular port. You've got all the information there is :-)
Regards,
Miguel Delapaz
z/VM TCP/IP Development

The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU> wrote on 07/31/2008 07:40:23 AM:

> Re: DOS attack details in
> Mike Walter
> to: IBMVM
> 07/31/2008 07:42 AM
> Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
> Please respond to The IBM z/VM Operating System
>
> Dunno, I'm not an IP (or networking) Wizard, either.
> Not sure what else might be able to be gathered, but at least TCPIP knows
> what port was being attacked. Great minds will think of more.
> Perhaps information for that IP address obtained from NETSTAT CONN?
> Wizards will think of more.
>
> Anything else it could provide could be useful in tracking down the
> offending attacker, and preparing them for a public hanging. ;-)
>
> Mike Walter
> Hewitt Associates
> Any opinions expressed herein are mine alone and do not necessarily
> represent the opinions or policies of Hewitt Associates.
>
>
> "Hughes, Jim" <[EMAIL PROTECTED]>
> Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> 07/31/2008 09:31 AM
> Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
>
> To: IBMVM@LISTSERV.UARK.EDU
> cc:
> Subject: Re: DOS attack details in
>
> I used the IP address to track down the offending MAC system.
>
> What other information would be available? Just curious.
>
> ____________________________
> Jim Hughes
> 603-271-5586
> "It's kind of fun to do the impossible." (Walt Disney)
>
> =>-----Original Message-----
> =>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> =>Behalf Of Mike Walter
> =>Sent: Thursday, July 31, 2008 10:25 AM
> =>To: IBMVM@LISTSERV.UARK.EDU
> =>Subject: Re: DOS attack details in
> =>
> =>Thanks, Jim,
> =>
> =>The source of this one-time attack is less important than getting clear
> =>documentation about _who/what_ is doing the attack _when_ it happens.
> =>I have no problem writing automation to gather the details no matter how
> =>many hoops I have to jump through - until I have to jump through what I
> =>then deem as "too many", at which point I'll whine about needing to
> =>improve the diagnostic process flow! :-)~
> =>
> =>But getting the details when they are available (we have the luxury of
> =>IPLing each Sunday night - and DO), and getting them to the "right people"
> =>nearer to the attack time: now IMHO, that's a worthy goal.
> =>
> =>Mike Walter
> =>Hewitt Associates
> =>Any opinions expressed herein are mine alone and do not necessarily
> =>represent the opinions or policies of Hewitt Associates.
> =>
> =>
> =>"Hughes, Jim" <[EMAIL PROTECTED]>
> =>Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> =>07/31/2008 09:05 AM
> =>Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> =>
> =>To: IBMVM@LISTSERV.UARK.EDU
> =>cc:
> =>Subject: Re: DOS attack details in
> =>
> =>We had this DOS attack and tracked it back to a MAC computer on the
> =>network. It was doing some sort of broadcast network thing. I can supply
> =>the details if it's important to anyone. Not being a network wizard, I
> =>tend to forget the details.
> =>
> =>____________________________
> =>Jim Hughes
> =>603-271-5586
> =>"It's kind of fun to do the impossible." (Walt Disney)
> =>
> =>=>-----Original Message-----
> =>=>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> =>=>Behalf Of Mike Walter
> =>=>Sent: Thursday, July 31, 2008 9:28 AM
> =>=>To: IBMVM@LISTSERV.UARK.EDU
> =>=>Subject: DOS attack details in
> =>=>
> =>=>Back on July 15, we experienced our first known Denial of Service "attack"
> =>=>(more likely a problem server).
> =>=>I reported it to our Internet Security group including:
> =>=>
> =>=>From the nearly anonymous/invisible "TCPIP MESSAGE" file in
> =>=>TCPMAINT's reader:
> =>=>---<snip>----
> =>=>DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
> =>=>DTCUTI002E A denial-of-service attack has been detected
> =>=>---<snip>---
> =>=>
> =>=>Issued after the nearly anonymous/invisible "TCPIP MESSAGE" file in
> =>=>TCPMAINT's reader was accidentally discovered:
> =>=>---<snip>---
> =>=>netstat dos
> =>=>VM TCP/IP Netstat Level 510
> =>=>
> =>=>Maximum Number of Half Open Connections: 512
> =>=>
> =>=>Denial of service attacks:
> =>=>                                                 Attacks   Elapsed   Attack
> =>=>Attack   IP Address                              Detected  Time      Duration
> =>=>-------- --------------------------------------- --------- --------- ---------
> =>=>Smurf-IC 10.64.103.250                           1         2:27:08   0:00:00
> =>=>Ready; T=0.02/0.02 18:13:13
> =>=>---<snip>---
> =>=>
> =>=>So I asked our Internet Security team who might be the offending
> =>=>"10.64.103.250". In turn they asked me for the port number being used for
> =>=>this attack, and the MAC address of the attacking machine. Unfortunately,
> =>=>none of that is available after the attack (which was admirably and
> =>=>automatically quashed by the z/VM TCPIP stack).
> =>=>
> =>=>Would it be possible to include more information in the nearly
> =>=>anonymous/invisible "TCPIP MESSAGE" file in TCPMAINT's reader,
> =>=>including the port being used and the MAC address, and the other
> =>=>information displayed by the NETSTAT DOS command? If the attack is
> =>=>discovered after the next time the stack is restarted, NETSTAT DOS doesn't
> =>=>provide any information. Actually, I don't see any reason why all that
> =>=>information could not be logged to the TCPIP stack console itself - as a
> =>=>single point of reference should an investigation be required later.
> =>=>
> =>=>BTW, the current release of VM:Operator loops (or otherwise fails to ever
> =>=>respond) when the NETSTAT command is issued, so we can't even issue an
> =>=>automated NETSTAT DOS command, trap the response, and try to gather useful
> =>=>information during the attack.
> =>=>
> =>=>Mike Walter
> =>=>Hewitt Associates
> =>=>Any opinions expressed herein are mine alone and do not necessarily
> =>=>represent the opinions or policies of Hewitt Associates.
> =>=>
> =>=>
> =>=>The information contained in this e-mail and any accompanying documents
> =>=>may contain information that is confidential or otherwise protected from
> =>=>disclosure. If you are not the intended recipient of this message, or if
> =>=>this message has been addressed to you in error, please immediately alert
> =>=>the sender by reply e-mail and then delete this message, including any
> =>=>attachments. Any dissemination, distribution or other use of the contents
> =>=>of this message by anyone other than the intended recipient is strictly
> =>=>prohibited. All messages sent to and from this e-mail address may be
> =>=>monitored as permitted by applicable law and regulations to ensure
> =>=>compliance with our internal policies and to protect our business. E-mails
> =>=>are not secure and cannot be guaranteed to be error free as they can be
> =>=>intercepted, amended, lost or destroyed, or contain viruses. You are
> =>=>deemed to have accepted these risks if you communicate with us by e-mail.
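The automation Mike describes in the quoted thread (capture the DTCUTI001E/DTCUTI002E lines from the TCPIP MESSAGE file and the NETSTAT DOS response, and hand a single record to the right people before the next IPL wipes the NETSTAT DOS table) is sketched below as an added example. It is not code from the thread or from IBM. It assumes both inputs look exactly like the snippets quoted above; the sample text is constructed from those snippets. On z/VM this would be a REXX exec; Python is used here only so the example runs anywhere. Per Miguel's reply, a Smurf entry is ICMP echo traffic and carries no port, so the record says so rather than leaving a blank that looks like missing data.

```python
"""Turn z/VM TCP/IP denial-of-service evidence into one structured record.

Added example, not from the mailing-list thread. Assumes the TCPIP MESSAGE
file and NETSTAT DOS output have the same shape as the snippets quoted in
the thread. A real implementation on z/VM would be a REXX exec.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample input, shaped after the thread's quoted snippets.
TCPIP_MESSAGE = """\
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
DTCUTI002E A denial-of-service attack has been detected
"""

NETSTAT_DOS = """\
VM TCP/IP Netstat Level 510

Maximum Number of Half Open Connections: 512

Denial of service attacks:
                                                 Attacks   Elapsed   Attack
Attack   IP Address                              Detected  Time      Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                           1         2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

# DTCUTI001E carries the only timestamp; DTCUTI002E is the DoS flag itself.
MSG_RE = re.compile(r"^DTCUTI001E .*?:\s+(\d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d)\s*$")
# One NETSTAT DOS table row: type, IP, count, elapsed, duration.
ATTACK_RE = re.compile(
    r"^(?P<type>\S+)\s+(?P<ip>\S+)\s+(?P<count>\d+)\s+"
    r"(?P<elapsed>\d+:\d\d:\d\d)\s+(?P<duration>\d+:\d\d:\d\d)\s*$"
)
# The dashed separator line marks where table rows begin.
SEP_RE = re.compile(r"^-{3,}(\s+-{3,})+\s*$")


@dataclass
class DosAttack:
    attack_type: str
    ip_address: str
    attacks_detected: int
    elapsed: str
    duration: str


def parse_tcpip_message(text):
    """Return ((time, date) or None, dos_flagged) from the TCPIP MESSAGE lines."""
    when, dos_flag = None, False
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if m:
            when = (m.group(1), m.group(2))
        elif line.startswith("DTCUTI002E"):
            dos_flag = True
    return when, dos_flag


def parse_netstat_dos(text):
    """Return the attack rows: lines after the dashed separator, up to Ready;."""
    rows, in_table = [], False
    for line in text.splitlines():
        if SEP_RE.match(line):
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("Ready;") or not line.strip():
            break
        m = ATTACK_RE.match(line)
        if m:
            rows.append(DosAttack(m["type"], m["ip"], int(m["count"]),
                                  m["elapsed"], m["duration"]))
    return rows


def build_alert(message_text, netstat_text):
    """Combine both sources into one record suitable for forwarding."""
    when, flagged = parse_tcpip_message(message_text)
    attacks = parse_netstat_dos(netstat_text)
    notes = []
    for a in attacks:
        if a.attack_type.startswith("Smurf"):
            # Smurf is ICMP echo traffic: there is no port to report, and the
            # stack records only the IP address, not the MAC address.
            notes.append(f"{a.attack_type} from {a.ip_address}: ICMP echo, "
                         "no port applies; IP address is the only identifier")
    return {
        "dos_flagged": flagged,
        "detected_time": when[0] if when else None,
        "detected_date": when[1] if when else None,
        "attacks": [vars(a) for a in attacks],
        # NETSTAT DOS shows nothing after a stack restart: flag the gap so the
        # recipient knows the message file is all that survived.
        "evidence_lost": bool(flagged and not attacks),
        "notes": notes,
    }


if __name__ == "__main__":
    print(json.dumps(build_alert(TCPIP_MESSAGE, NETSTAT_DOS), indent=2))
```

Run against the constructed input the record carries the Smurf-IC row with its IP address and the 15:38:55 07/15/08 timestamp from DTCUTI001E; fed a post-restart NETSTAT DOS response with no rows, it still reports the DoS flag but marks evidence_lost, which is exactly the situation Mike wanted to avoid by gathering the details close to detection time.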