Attack on Iraq [7:65805]

2003-03-19 Thread John Brandis
All,
 
I wish you all the best of luck, and I hope that you and your families will
be safe. I have no doubt that we will have to deal with troublesome
situations, and I hope none of you get caught up in them.
 
Best Wishes, and I hope you are all OK through this.
 
John
 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65805&t=65805
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Urgent Help !! How to check who's always attack my firewall [7:64088]

2003-02-28 Thread Packet
You are looking to do a DNS look-up.

Example:

DNS lookup command issued. Waiting for reply...
Office host name: w14.www.dcn.yahoo.com
Internet address: 216.109.125.67
DNS lookup command completed.

If the DNS look-up does not work, look into finding
someone with SolarWinds software.  (Solarwinds.com)

Hope that this helped.


= = = Original message = = =

Dear All,

I believe someone is always trying to hack my private
network.
I got the IP address; how can I check who they are?

Please help...!! Thanks

Rgds,
Steiven
[EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64088&t=64088


Re: Urgent Help !! How to check who's always attack my firewall [7:64085]

2003-02-28 Thread John Neiberger
>Dear All,
>
>I believe someone is always trying to hack my private network.
>I got the IP address; how can I check who they are?
>
>Please help...!! Thanks
>
>Rgds,
>Steiven

If they're being blocked at your firewall it may be best to just leave
them alone.  I don't know if it's very helpful to try to track hackers
down.  Besides, you might not be seeing the true source IP address, but
I suppose that depends on the particular attack they were attempting.

If you're curious, you can go to www.arin.net/whois and enter the IP
address.  That will return information regarding the administrator and
'owner' of that netblock.  If you really decide that it's necessary, you
could contact the administrator listed on that page, assuming that
information is even correct.

I'd suggest that since you're aware of them it's not going to do much
good to pursue them.  On the other hand, that depends on the nature of
their attacks and the nature of the information you're trying to
secure.

John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64085&t=64085


Re: Urgent Help !! How to check who's always attack my firewall [7:64084]

2003-02-28 Thread Abiodun Oduyemi
Finally a question I can help with...

Go to http://www.uwhois.com

regards,

odus





Original Message Follows
From: "Steiven Poh-(Jaring MailBox)" 
Reply-To: "Steiven Poh-(Jaring MailBox)" 
To: [EMAIL PROTECTED]
Subject: Urgent Help !! How to check who's always attack my firewall 
[7:64064]
Date: Fri, 28 Feb 2003 11:35:41 GMT

Dear All,

I believe someone is always trying to hack my private network.
I got the IP address; how can I check who they are?

Please help...!! Thanks

Rgds,
Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64084&t=64084


RE: Urgent Help !! How to check who's always attack my firewall [7:64073]

2003-02-28 Thread cebuano
Go to ARIN.net. If it's outside North America, it will refer you.
Remember that the IP address can be SPOOFED.

HTH,
Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steiven Poh-(Jaring MailBox)
Sent: Friday, February 28, 2003 6:36 AM
To: [EMAIL PROTECTED]
Subject: Urgent Help !! How to check who's always attack my firewall
[7:64064]

Dear All,

I believe someone is always trying to hack my private network.
I got the IP address; how can I check who they are?

Please help...!! Thanks

Rgds,
Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64073&t=64073


Re: Urgent Help !! How to check who's always attack my firewall [7:64068]

2003-02-28 Thread Router Kid
Try an NSLOOKUP and a WHOIS query. It will tell you either the customer info or a
service provider block. If it tells you about a
service provider then you should contact this provider and send them a log;
let them know that one of their customers is trying to hack into your network.
They will definitely take action.

Use this link.

http://www.all-nettools.com/tools1.htm




""Steiven Poh-(Jaring MailBox)""  wrote in message
news:[EMAIL PROTECTED]
> Dear All,
>
> I believe someone is always trying to hack my private network.
> I got the IP address; how can I check who they are?
>
> Please help...!! Thanks
>
> Rgds,
> Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64068&t=64068
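Before pasting a source address into an ARIN/RIR WHOIS form (John's advice) or mailing a provider a log (Router Kid's advice), it pays to triage the firewall deny lines first: aggregate hits per source and drop addresses that cannot have arrived from the Internet, since those are spoofed or leaked and no registry will name an owner. The script below is an added example, not code from any poster on this list; it assumes the simplified Cisco PIX 106023 deny-line layout shown in its constructed sample, which uses RFC 5737 documentation ranges in place of real Internet sources.

```python
"""Triage firewall deny logs before looking up a source IP in WHOIS."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of Cisco PIX syslog message 106023
# (field layout simplified and assumed for this example). Sources use
# RFC 5737 documentation ranges in place of real Internet addresses.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.45/41022 dst inside:10.0.0.5/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.45/41023 dst inside:10.0.0.5/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.45/41024 dst inside:10.0.0.5/445 by access-group "outside_in"
%PIX-4-106023: Deny udp src outside:192.168.77.9/5353 dst inside:10.0.0.5/5353 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:198.51.100.7/6000 dst inside:10.0.0.5/80 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:0.0.0.0/0 dst inside:10.0.0.5/80 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.45/41025 dst inside:10.0.0.5/3389 by access-group "outside_in"
"""

DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Address space that cannot legitimately arrive from the Internet. A source
# in one of these ranges is spoofed, leaked from a misconfigured neighbour,
# or a local device, and no registry lookup will name its owner.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_source(ip_text):
    """Return 'unroutable' or 'lookup' for a source address string."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in UNROUTABLE):
        return "unroutable"
    return "lookup"


def parse_denies(log_text):
    """Yield (src, proto, dport) for every line matching the deny pattern."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dport"))


def summarize_denies(log_text):
    """Aggregate denies per source and decide which merit a WHOIS query.

    Returns {src: {"hits": int, "dports": sorted list, "verdict": str}}.
    Many distinct dports from one source usually means a scan, which is
    the kind of evidence a provider expects to see in the log you send.
    """
    hits = defaultdict(int)
    dports = defaultdict(set)
    for src, _proto, dport in parse_denies(log_text):
        hits[src] += 1
        dports[src].add(dport)
    return {
        src: {"hits": hits[src], "dports": sorted(dports[src]),
              "verdict": classify_source(src)}
        for src in hits
    }


def whois_candidates(summary, min_hits=1):
    """Sources worth pasting into an RIR WHOIS form, busiest first."""
    return sorted(
        (src for src, info in summary.items()
         if info["verdict"] == "lookup" and info["hits"] >= min_hits),
        key=lambda s: -summary[s]["hits"],
    )


if __name__ == "__main__":
    report = summarize_denies(SAMPLE_LOG)
    for src, info in report.items():
        print(f"{src:16} hits={info['hits']:3} dports={info['dports']} "
              f"-> {info['verdict']}")
    print("WHOIS candidates:", whois_candidates(report))
```

The output separates the one source worth a WHOIS query (four hits across SSH, telnet, SMB and RDP) from the RFC 1918 and 0.0.0.0 sources that would only waste the registry's and the provider's time.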


Urgent Help !! How to check who's always attack my firewall [7:64063]

2003-02-28 Thread Steiven Poh-(Jaring MailBox)
Dear All,

I believe someone is always trying to hack my private network.
I got the IP address; how can I check who they are?

Please help...!! Thanks

Rgds,
Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64063&t=64063


Urgent Help !! How to check who's always attack my firewall [7:64064]

2003-02-28 Thread Steiven Poh-(Jaring MailBox)
Dear All,

I believe someone is always trying to hack my private network.
I got the IP address; how can I check who they are?

Please help...!! Thanks

Rgds,
Steiven




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64064&t=64064


Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-04 Thread The Long and Winding Road
""Geoff Zinderdine""  wrote in message
news:[EMAIL PROTECTED]...
> > to bring this back into the Cisco realm, Cisco NBAR ( network based
> > application recognition ) I believe was intended to provide another
> > dimension to the QoS classification process. now it can also be used as a
> > filter against certain virus / macro virus attacks.
>
> NBAR thus far does a poor job of what products like Radware and Fortigate do
> very well.  Network-based virus screening implemented in ASIC is a very
> exciting development, in my opinion.  Fortinet can do it fast enough on some
> of their boxes for the provider edge.  NBAR is perhaps better than nothing,
> but it is neither sophisticated enough nor granular enough to do much.  I
> really hope more providers start adopting these technologies.  It will save
> us all a lot of grief.


you know Geoff, you are absolutely right. this is true with many
technologies. I work in sales, and I see product announcements and attend
various vendor educational webcasts regularly. Then I think about questions
on this newsgroup - how do I get my PIX to do this, how do I get my router
to do that, and all I can think is that there are many vendor alternatives
that are far superior to trying to make a Cisco router or a Cisco PIX do any
number of things that slow down the processing and then do the job less
effectively anyway. Products like QoSWorks and NetVMG are first rate.
Unfortunately, the small to medium city, county, school district, and
medical organizations I cover usually cannot afford many of these products.
Plus the telco I work for believes ( like any telco ) that we should be
pushing more bandwidth. Programs like e-rate seem to have changed a lot of
the dynamic as well. And the Cisco account teams are very good at getting
into these places and convincing staff IT people ( who are not necessarily
the best and the brightest in the markets I cover - not with what they are
paid ) that the Cisco product line is the answer to every problem. Can't
complain, though. I make a decent living selling Cisco too. :->



>
> Geoff Zinderdine
> CCIE #10410




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60294&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-04 Thread Geoff Zinderdine
> to bring this back into the Cisco realm, Cisco NBAR ( network based
> application recognition ) I believe was intended to provide another
> dimension to the QoS classification process. now it can also be used as a
> filter against certain virus / macro virus attacks.

NBAR thus far does a poor job of what products like Radware and Fortigate do
very well.  Network-based virus screening implemented in ASIC is a very
exciting development, in my opinion.  Fortinet can do it fast enough on some
of their boxes for the provider edge.  NBAR is perhaps better than nothing,
but it is neither sophisticated enough nor granular enough to do much.  I
really hope more providers start adopting these technologies.  It will save
us all a lot of grief.

Geoff Zinderdine
CCIE #10410




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60288&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread The Long and Winding Road
maybe we can get nfr to weigh in here, and this thread can perpetuate itself
at least as long as the Cert versus Degree thread :->


""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> The Long and Winding Road wrote:
> >
> > ""Priscilla Oppenheimer""  wrote in
> >>
> >
> > > Bill Gates and Steve Jobs are very smart people, but when
> > they champion
> > > software that thinks it's smarter than the user, most users
> > just get
> > > annoyed. ;-)
> >
> >
> > I disagree with your implication here.
>
> You didn't understand my implication.
>
> > The whole point of the
> > PC revolution
> > was to make computing easy for the end user. I think apple and
> > eventually
> > Microsoft have done wonderful things in that respect.
>
> I'm not talking about computers being easy to use; I'm talking about
> artificial intelligence and expert systems. I'm talking about spam filters
> that learn what you consider spam, for example. Both Mac OS and Microsoft
> have a lot of this type of software built into their operating systems and
> applications. In some cases it works well. For example, I think the
> Microsoft Word spell checker is a beautiful piece of software unparalleled
> by any other spell checker I've used. What makes it superior is that it
> learns about the current user. But I think Internet Explorer deciding that
> it should hijack your ability to play video or music is awful. It decides
to
> do things on its own, sometimes without user input. That's not a great
> example, but if I gave it more thought I could come up with lots of cases
> where Microsoft (and Apple) software does things behind your back, in some
> cases because expert-system-type software is making decisions without your
> input.
>
> Sorry that this is way O/T and even off-topic from what we were discussing
> and not really related to the off-topic point you are trying to make about
> unintended consequences. :-)
>
> Priscilla
>
>
> > however,
> > as with
> > anything else, the law of unintended consequences comes into
> > play. they made
> > it easy for businesses to develop templates to make employees
> > more
> > effective in their work. the unintended consequence is they
> > made it easy for
> > malicious people to use those tools to create macro viruses.
> > they made it
> > easy for you and me to send documents or pictures to our
> > friends and
> > relatives, and for those people to open the docs and see the
> > content. the
> > unintended consequence is that they made it easy for malicious
> > people to
> > spread their wickedness.
> >
> > to bring this back into the Cisco realm, Cisco NBAR ( network
> > based
> > application recognition ) I believe was intended to provide
> > another
> > dimension to the QoS classification process. now it can also be
> > used as a
> > filter against certain virus / macro virus attacks.
> >
> >
> > >
> > > Priscilla
> > >
> > >
> > > Howard C. Berkowitz wrote:
> > > >
> > > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > > >Hopefully you trained her not to open attachments in the
> > > > future unless she
> > > > >knows the sender and is expecting an attachment from that
> > > > sender. It's an
> > > > >obvious point, but nobody had brought it up yet! :-)
> > > > >
> > > > >Priscilla
> > > >
> > > > May all such attackers get a personalized virus.  There's a
> > > > wide
> > > > range of choices of gastrointestinal ones.  Somehow, such
> > > > people
> > > > remind me of a baby's alimentary tract: a loud voice at one
> > end
> > > > and
> > > > no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60249&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
The Long and Winding Road wrote:
> 
> ""Priscilla Oppenheimer""  wrote in
>> 
> 
> > Bill Gates and Steve Jobs are very smart people, but when
> they champion
> > software that thinks it's smarter than the user, most users
> just get
> > annoyed. ;-)
> 
> 
> I disagree with your implication here. 

You didn't understand my implication.

> The whole point of the
> PC revolution
> was to make computing easy for the end user. I think apple and
> eventually
> Microsoft have done wonderful things in that respect. 

I'm not talking about computers being easy to use; I'm talking about
artificial intelligence and expert systems. I'm talking about spam filters
that learn what you consider spam, for example. Both Mac OS and Microsoft
have a lot of this type of software built into their operating systems and
applications. In some cases it works well. For example, I think the
Microsoft Word spell checker is a beautiful piece of software unparalleled
by any other spell checker I've used. What makes it superior is that it
learns about the current user. But I think Internet Explorer deciding that
it should hijack your ability to play video or music is awful. It decides to
do things on its own, sometimes without user input. That's not a great
example, but if I gave it more thought I could come up with lots of cases
where Microsoft (and Apple) software does things behind your back, in some
cases because expert-system-type software is making decisions without your
input.

Sorry that this is way O/T and even off-topic from what we were discussing
and not really related to the off-topic point you are trying to make about
unintended consequences. :-)

Priscilla


> however,
> as with
> anything else, the law of unintended consequences comes into
> play. they made
> it easy for businesses to develop templates to make employees
> more
> effective in their work. the unintended consequence is they
> made it easy for
> malicious people to use those tools to create macro viruses.
> they made it
> easy for you and me to send documents or pictures to our
> friends and
> relatives, and for those people to open the docs and see the
> content. the
> unintended consequence is that they made it easy for malicious
> people to
> spread their wickedness.
> 
> to bring this back into the Cisco realm, Cisco NBAR ( network
> based
> application recognition ) I believe was intended to provide
> another
> dimension to the QoS classification process. now it can also be
> used as a
> filter against certain virus / macro virus attacks.
> 
> 
> >
> > Priscilla
> >
> >
> > Howard C. Berkowitz wrote:
> > >
> > > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > > >Hopefully you trained her not to open attachments in the
> > > future unless she
> > > >knows the sender and is expecting an attachment from that
> > > sender. It's an
> > > >obvious point, but nobody had brought it up yet! :-)
> > > >
> > > >Priscilla
> > >
> > > May all such attackers get a personalized virus.  There's a
> > > wide
> > > range of choices of gastrointestinal ones.  Somehow, such
> > > people
> > > remind me of a baby's alimentary tract: a loud voice at one
> end
> > > and
> > > no sense of responsibility at the other.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60243&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread The Long and Winding Road
""Priscilla Oppenheimer""  wrote in message
news:[EMAIL PROTECTED]...
> This discussion could tie into the "New Technologies" thread! Technologies
> that do a better job of protecting users from viruses could be big. And an
> even harder problem is protecting us from spam. None of the solutions to that
> problem work very well yet. The do-gooders that black-list e-mail servers do
> more harm than good. The mail applications that try to apply artificial
> intelligence to the problem show some promise, but don't work very well yet.


the fundamental problem is determining what is spam and what is not. today's
approach is one of examining content, matching keywords against "spam"
words. for example "mortgage" or "enlarge" or the many variants that would
lead one to p..o..r..n sites.

as an aside, when warned that Groupstudy was the source of so much spam, I
set up a special e-mail address that is advertised only to Groupstudy. I
have yet ( knock on wood ) to receive a single spam message on that account.
On the other hand, my primary account is now getting tons of spam, and I am
now convinced this is the direct result of my using that e-mail address as
the contact point for my web domain. forget hotmail. the folks there have
demonstrated no interest at all in solving the spam problem. yahoo mail does
a far better job of spam filtering. I have also noticed that every ISP I have
ever contacted about spam claims that the headers are forged, and that the
spam did not originate from their servers. I still say the "solution" is to
charge 10 cents for every e-mail sent out over a certain threshold - say
2000 per month. ISP people I have talked to about this say this would be
impossible to track and enforce. so in the end, it is left to the recipient
to do all the work.


> Bill Gates and Steve Jobs are very smart people, but when they champion
> software that thinks it's smarter than the user, most users just get
> annoyed. ;-)


I disagree with your implication here. The whole point of the PC revolution
was to make computing easy for the end user. I think apple and eventually
Microsoft have done wonderful things in that respect. however, as with
anything else, the law of unintended consequences comes into play. they made
it easy for businesses to develop templates to make employees more
effective in their work. the unintended consequence is they made it easy for
malicious people to use those tools to create macro viruses. they made it
easy for you and me to send documents or pictures to our friends and
relatives, and for those people to open the docs and see the content. the
unintended consequence is that they made it easy for malicious people to
spread their wickedness.

to bring this back into the Cisco realm, Cisco NBAR ( network based
application recognition ) I believe was intended to provide another
dimension to the QoS classification process. now it can also be used as a
filter against certain virus / macro virus attacks.


>
> Priscilla
>
>
> Howard C. Berkowitz wrote:
> >
> > At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> > >Hopefully you trained her not to open attachments in the
> > future unless she
> > >knows the sender and is expecting an attachment from that
> > sender. It's an
> > >obvious point, but nobody had brought it up yet! :-)
> > >
> > >Priscilla
> >
> > May all such attackers get a personalized virus.  There's a
> > wide
> > range of choices of gastrointestinal ones.  Somehow, such
> > people
> > remind me of a baby's alimentary tract: a loud voice at one end
> > and
> > no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60233&t=60114



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
This discussion could tie into the "New Technologies" thread! Technologies
that do a better job of protecting users from viruses could be big. And an
even harder problem is protecting us from spam. None of the solutions to that
problem work very well yet. The do-gooders that black-list e-mail servers do
more harm than good. The mail applications that try to apply artificial
intelligence to the problem show some promise, but don't work very well yet.
Bill Gates and Steve Jobs are very smart people, but when they champion
software that thinks it's smarter than the user, most users just get
annoyed. ;-)

Priscilla


Howard C. Berkowitz wrote:
> 
> At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
> >Hopefully you trained her not to open attachments in the
> future unless she
> >knows the sender and is expecting an attachment from that
> sender. It's an
> >obvious point, but nobody had brought it up yet! :-)
> >
> >Priscilla
> 
> May all such attackers get a personalized virus.  There's a
> wide
> range of choices of gastrointestinal ones.  Somehow, such
> people
> remind me of a baby's alimentary tract: a loud voice at one end
> and
> no sense of responsibility at the other.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60229&t=60114



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Howard C. Berkowitz
At 6:09 PM + 1/3/03, Priscilla Oppenheimer wrote:
>Hopefully you trained her not to open attachments in the future unless she
>knows the sender and is expecting an attachment from that sender. It's an
>obvious point, but nobody had brought it up yet! :-)
>
>Priscilla

May all such attackers get a personalized virus.  There's a wide 
range of choices of gastrointestinal ones.  Somehow, such people 
remind me of a baby's alimentary tract: a loud voice at one end and 
no sense of responsibility at the other.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60227&t=60114



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread Priscilla Oppenheimer
Hopefully you trained her not to open attachments in the future unless she
knows the sender and is expecting an attachment from that sender. It's an
obvious point, but nobody had brought it up yet! :-)

Priscilla

Richard Campbell wrote:
> 
> Below is original E-mail, and attachment file is Love.scr
> 
> >From: Lovers Screensavers
> >To: [EMAIL PROTECTED]
> >Subject: Free Screenavers of Love
> >Date: Wed,01 Jan 2003 00:53:38 PM
> >Attachment: Love.scr
> Hello,
> The attached product is send as a part of our official campaign
> for the popularity of our product.
> You have been chosen to try a free fully functional sample of
> our
> product.If you are satified then you can send it to your
> friends.
> All you have to do is to install the software and register an
> account
> with us using the links provided in the software. Then send
> this software
> to your friends using your account ID and for each person who
> registers
> with us through your account, we will pay you $1.5.Once your
> account reaches
> the limit of $50, your payment will be send to your
> registration address by
> check or draft.
> 
> Please note that the registration process is completely free
> which means
> by participating in this program you will only gain without
> loosing
> anything.
> 
> Best Regards,
> Admin,
>
> 
> Besides, the "Hacker" also sent her a mail from this e-mail
> address
> 
> >From: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED]
> >Subject: Visit us
> >Date: Tue,31 Dec 2002 23:25:58 PM
>
> Below is what happened when she installed the screen saver.. Any
> suggestion for me??
> 
> yes...when i downloaded that file from hotmail...it had been
> scanned, but no virus was detected. then i downloaded it and put it in
> my System folder in my Windows folder, as a screen saver will only run
> after being saved into the System folder. so after i saved it in the
> folder and installed it, it showed in my screen saver - Desktop
> display..but nothing showed..means no screen saver. But i have found
> a file (notepad) named "yEaHa" or something like this..the contents
> stated that the main purpose is to spread the yEaHa and they didn't
> state that he/she is a hacker. just that at the bottom an email address
> was stated which is something like [EMAIL PROTECTED]
> 
> then i found that all my files in "My Documents" had become
> transparent, and other files in C drive also became transparent, and
> "Hidden" was ticked in the file property. i have unticked it but it is
> still transparent. My System folder has a lot of Love icons with
> different names like "girls", "Love xxx" etc., all with Love icons, after
> i installed the (Love icon) screen saver file which is named
> "Friends Happy".
> 
> 
> 
> >From: "Kazan, Naim" 
> >To: "'Richard Campbell'" 
> >Subject: RE: Is a Virus or Hacker attack?? [7:60114]
> >Date: Thu, 2 Jan 2003 21:43:31 -0500
> >
> >A friend of mine ran into the same problem downloading some
> screen saver he
> >thought his friend sent him. He ended up having the same
> problem. I think
> >it
> >is a hacker installing some kind of worm using your email to
> send it out on
> >the internet.
> >
> >-Original Message-
> >From: Richard Campbell [mailto:[EMAIL PROTECTED]]
> >Sent: Thursday, January 02, 2003 9:04 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >
> >
> >thanks for your info..  the strange thing is.. I found she actually got
> >the attachment from her hotmail not yahoo mail.  I thought hotmail
> >scanned all the attachments with the latest McAfee AntiVirus???  Besides,
> >she actually downloaded the Norton AntiVirus definition file last month,
> >but now her norton fails to start
> >
> >
> > >From: "John Neiberger"
> > >Reply-To: "John Neiberger"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> > >Date: Thu, 2 

RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-03 Thread John Neiberger
A quick search on www.symantec.com shows that this is a variant of the
W32.Yaha.K@mm worm.  Go to
http:[EMAIL PROTECTED]
to get more details, including removal instructions.

Good luck,
John

>>> "Richard Campbell"  1/2/03 11:10:26 PM >>>
Below is original E-mail, and attachment file is Love.scr

>From: Lovers Screensavers
>To: [EMAIL PROTECTED] 
>Subject: Free Screenavers of Love
>Date: Wed,01 Jan 2003 00:53:38 PM
>Attachment: Love.scr
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this
software
to your friends using your account ID and for each person who
registers
with us through your account, we will pay you $1.5.Once your account
reaches
the limit of $50, your payment will be send to your registration
address by
check or draft.

Please note that the registration process is completely free which
means
by participating in this program you will only gain without loosing 
anything.

Best Regards,
Admin,

Besides, the "Hacker" also sent her a mail from this e-mail address

>From: [EMAIL PROTECTED] 
>To: [EMAIL PROTECTED] 
>Subject: Visit us
>Date: Tue,31 Dec 2002 23:25:58 PM
Below is what happened when she installed the screen saver.. Any
suggestion for me??

yes...when i downloaded that file from hotmail...it had been
scanned, but no virus was detected. then i downloaded it and put it in
my System folder in my Windows folder, as a screen saver will only run
after being saved into the System folder. so after i saved it in the
folder and installed it, it showed in my screen saver - Desktop
display..but nothing showed..means no screen saver. But i have found
a file (notepad) named "yEaHa" or something like this..the contents
stated that the main purpose is to spread the yEaHa and they didn't
state that he/she is a hacker. just that at the bottom an email address
was stated which is something like [EMAIL PROTECTED]

then i found that all my files in "My Documents" had become
transparent, and other files in C drive also became transparent, and
"Hidden" was ticked in the file property. i have unticked it but it is
still transparent. My System folder has a lot of Love icons with
different names like "girls", "Love xxx" etc., all with Love icons, after
i installed the (Love icon) screen saver file which is named
"Friends Happy".



>From: "Kazan, Naim" 
>To: "'Richard Campbell'" 
>Subject: RE: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 21:43:31 -0500
>
>A friend of mine ran into the same problem downloading some screen
saver he
>thought his friend sent him. He ended up having the same problem. I
think 
>it
>is a hacker installing some kind of worm using your email to send it
out on
>the internet.
>
>-Original Message-
>From: Richard Campbell [mailto:[EMAIL PROTECTED]] 
>Sent: Thursday, January 02, 2003 9:04 PM
>To: [EMAIL PROTECTED] 
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>
>
>thanks for your info..  the strange thing is.. I found she actually
get the
>attachment from her hotmail not yahoo mail.  I thought hotmail scan
all the
>attachment with latest McAfee AntiVirus???  Besides, she actually 
>downloaded
>
>the Norton AntiVirus defination file last month, but now its norton
fail to
>start
>
>
> >From: "John Neiberger"
> >Reply-To: "John Neiberger"
> >To: [EMAIL PROTECTED] 
> >Subject: Re: Is a Virus or Hacker attack?? [7:60114]
> >Date: Thu, 2 Jan 2003 17:51:00 GMT
> >
> >The solution, which both of you really should know, is to have
> >up-to-date antivirus software running on any machine that connects
to
> >the internet in any way.  :-)
> >
> >In the meantime, she could browse to www.symantec.com and run the
> >web-based antivirus detection that they have available.  Once you
> >determine which virus she is infected with you can get more details
> >about how to remove it correctly.  Regardless, she should run--not
> >walk--to the neare

Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Richard Campbell
Sorry, and thanks, Xueyan. After I read her original virus mail carefully, I
found that the virus my friend has is exactly the same as the one described
at your link below. Thank you, Group!


>From: "Xueyan Liu" 
>Reply-To: "Xueyan Liu" 
>To: [EMAIL PROTECTED]
>Subject: Re: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 18:42:07 GMT
>
>Could be the Yaha variant that's spreading these days. As John has
>mentioned, check out the Symantec website for removal tools.
>
>http:[EMAIL PROTECTED]
>
>Xueyan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60194&t=60114
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Richard Campbell
Below is the original e-mail; the attachment file is Love.scr.

>From: Lovers Screensavers
>To: [EMAIL PROTECTED]
>Subject: Free Screenavers of Love
>Date: Wed,01 Jan 2003 00:53:38 PM
>Attachment: Love.scr
Hello,
The attached product is sent as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free, fully functional sample of our
product. If you are satisfied then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5. Once your account reaches
the limit of $50, your payment will be sent to your registration address by
check or draft.

Please note that the registration process is completely free, which means
by participating in this program you will only gain without losing
anything.

Best Regards,
Admin,
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Besides, the "hacker" also sent her a mail from this e-mail address:

>From: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Visit us
>Date: Tue,31 Dec 2002 23:25:58 PM
#
Below is what happened when she installed the screen saver. Any suggestions
for me??

Yes... when I downloaded that file from Hotmail it was scanned, but no
virus was detected. Then I downloaded it and put it in my System folder in my
Windows folder, as a screen saver can only run after being saved into the
System folder. So after I saved it in the folder and installed it, it showed
up in my screen saver / desktop display, but nothing showed, meaning no screen
saver. But I have found a file (Notepad) named "yEaHa" or something like
this, whose contents state that the main purpose is to spread the yEaHa; they
didn't state that he/she is a hacker, just that at the bottom there is an
e-mail address which is something like [EMAIL PROTECTED].

Then I found that all my files in "My Documents" had become transparent,
and other files on the C drive had also become transparent, and "Hidden" had
been ticked in the file properties. I have unticked it, but they are still
transparent. My System folder has a lot of Love icons with different names
like "girls", "Love xxx", etc., all with Love icons, after I installed the
(Love icon) screen saver file which is named "Friends Happy".



>From: "Kazan, Naim" 
>To: "'Richard Campbell'" 
>Subject: RE: Is a Virus or Hacker attack?? [7:60114]
>Date: Thu, 2 Jan 2003 21:43:31 -0500
>
>A friend of mine ran into the same problem downloading some screen saver he
>thought his friend sent him. He ended up having the same problem. I think it
>is a hacker installing some kind of worm using your email to send it out on
>the Internet.

Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Richard Campbell
Thanks for your info. The strange thing is, I found she actually got the
attachment from her Hotmail, not Yahoo mail. I thought Hotmail scans all
attachments with the latest McAfee AntiVirus??? Besides, she actually
downloaded the Norton AntiVirus definition file last month, but now her
Norton fails to start.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60161&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Brian
Hey, wasn't there a virus like 3 years ago with fireworks that did that??

Bri






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60141&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Xueyan Liu
Could be the Yaha variant that's spreading these days. As John has
mentioned, check out the Symantec website for removal tools.

http:[EMAIL PROTECTED]

Xueyan


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60117&t=60114



Re: Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread John Neiberger
The solution, which both of you really should know, is to have
up-to-date antivirus software running on any machine that connects to
the internet in any way.  :-)

In the meantime, she could browse to www.symantec.com and run the
web-based antivirus detection that they have available.  Once you
determine which virus she is infected with you can get more details
about how to remove it correctly.  Regardless, she should run--not
walk--to the nearest computer store and buy Norton AntiVirus or some
other AV software, and make sure she keeps her virus definitions
up-to-date.

Regards,
John





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60115&t=60114



Is a Virus or Hacker attack?? [7:60114]

2003-01-02 Thread Richard Campbell
Hi... Group,

I have a friend who received a mail containing a screen saver attachment in
her Yahoo mail account while she was surfing the net at home. She downloaded
the screen saver and installed it. After installing it, she found that her
files in My Documents had become transparent in colour and there were many
extra files in many places. Besides, she also found a Notepad file on the
desktop stating that she had been hacked, yeah.. (something like that), and
it can't be deleted (it comes back after rebooting). And her sound is also
gone. Has anyone encountered this so-called hacker "virus" before?? Any
solution for me??

Thanks in advance










Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60114&t=60114



RE: Possible Attack???? [7:59813]

2002-12-30 Thread [EMAIL PROTECTED]
Unfortunately I can't share anything else, not because I don't want to but
because these machines are owned by another customer. I am planning on
following up with my customer to see if he can get some info from his
customer in regards to what happened. Once I know I will post it. Thanks
again.




Thanks, 

Mario Puras 
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410  
888.449.5766 (USA) / 888.SOLUNET (Canada) 




RE: OT - Possible Attack???? [7:59813]

2002-12-28 Thread Carroll Kong
Unix boxes are compromised all the time.  You can read up on Bugtraq 
to hear about the exploits.

Typically the security of any host is not a function of the operating 
system, but how skilled and up to date the administrator is on 
security issues.

The only reason you hear more Windows boxes being compromised is 
because more end users run them, and more of the inexperienced 
administrators also prefer Windows because it is GUI based.

Unfortunately, the same crowd of inexperienced administrators 
sometimes feel they are "more advanced" and try a Unix-based 
operating system, only sadly to succumb to the same fate: creating 
an insecure host due to their lack of knowledge of the inner workings 
of the operating system and the services it provides.

The real cure is not a new operating system.  It is doing some 
research and learning, or just get a new administrator.  :)


RE: Possible Attack???? [7:59813]

2002-12-27 Thread Mark W. Odette II
Nice to hear a story of a *nix box being compromised... we all know how
hush-hush that piece of news is kept ... of course we all know that only
Windows boxes get compromised all the time, cuz they're so insecure
(Tongue-in-cheek). 

... sorry, couldn't resist.  This is just a mini High-Five for all those
Winblows comments that flow so fluidly on the list...

More on topic-
It's cool to hear someone describing in detail the troubleshooting steps
taken to track down a "bad" host or two on a complex network...  You
don't hear about these stories very often.

Consider this an Attaboy Pat on the Back for a job well done in hunting
down the source to your problem with fairly efficient and well educated
network troubleshooting skills.

Have a great weekend!

-Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 27, 2002 5:59 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

I was finally able to track down the infected PCs (yes, more than one).
Below is a brief description of what occurred and the fix. First, thanks to
all that responded to me.

As previously mentioned, I had an attack on a customer of mine's network
that was showing up as follows:

SrcIf   SrcIPaddress   DstIf      DstIPaddress   Pr  SrcP  DstP  Pkts
Fa0/1   127.0.0.124    Se1/2.500  108.122.0.0    00              285

The above capture is just one of a few hundred packets similar to it, all
coming from a different source address on the 127.0.0.0 network. The amount
of traffic was so large that at times it peaked to over 20MB and as a result
it overran my WAN interfaces, causing BGP to flap / reconverge. Just when
BGP got a chance to come back up and learned all 115000 routes, the attack
occurred again and the links would flap.

Pinging the 127.0.0.x IP address from the edge router where the attack was
initially spotted did not give me any replies. All I got were U. I was
also not able to ping the broadcast address, as all it gave me was U
(unreachables) as well. There were no ARP entries on that router for that
IP. I ended up enabling Netflow on the edge router (what you see above) in
order to get more detail of what was going on. I got to see what interface
it was coming in on, so I applied an access-list on the router to filter
out these packets. That allowed the router and BGP to stabilize. The next
thing was to move on to the switch that was connected to this FA0/1
interface. This switch has a router module; I ended up doing the same thing
as I did on the edge router, except this time I also connected to the sc0
interface, enabled one port as the mirroring port on the switch and placed
a PC with Ethereal to monitor everything that was destined to 108.122.0.0,
and I finally got a MAC address. I issued the show CAM command on the switch
and it told me where it came from, which was another switch. I moved on to
that other switch. The MAC address that was being reported was the MSM route
module of that switch. I enabled Netflow on it as well and I was able to
see the VLAN that the attack was coming in on and the VLAN where it was
destined to. Luckily there were only 2 PCs (Sun SPARCstations) on that
VLAN and both were compromised. I removed them from the network and all is
well. I did also have MRTG, which helped some with identifying when the
attack was going on and what direction it was coming in on and with the
ports that were being most heavily utilized. This network is pretty big so
it was difficult to monitor all the ports that were suspects. Thank you all
again for your help.

As far as the runt packets are concerned, to tell you the truth, I noticed
that but did not pay too much attention to that part of the Netflow output
since I was all wrapped up in tracking down where these packets were coming
in from. Right now packets with size of 1-32 account for about 50% of all
traffic.







-Original Message-
From: jhodge [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]


Not sure if this will help, but you could enable ip accounting on the
uplink interface to the switch.  Watch for the address that is pouring
out the most requests. Then use sho ip arp x.x.x.x to find the mac
address.  From there you could go to the switch and do a show cam
dynamic or if IOS version, show mac-address-table with the mac address
found with the most requests.  This would hunt down the culprit machine
without a person walking to each individual machine.

Cheers,


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on thes
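Mario's method above (Netflow on the edge to see the ingress interface, an access list to let BGP settle, then follow the MAC through the switches) and jhodge's suggestion (find the loudest source, then show cam / show mac-address-table) can be partly automated. The following is an added example, not code from the thread or from any poster: it parses records in the column layout of show ip cache flow (in that output the Pr, SrcP and DstP columns are hexadecimal), flags flows whose source is in 127.0.0.0/8 or another range that can never be a legitimate source on the wire, totals them per ingress interface so you know which uplink to chase, and prints a suggested IOS access list for that interface. The flow records are constructed for the example; the ports, packet counts and the other 127.0.0.x addresses are invented, and the ACL number is an assumption.

```python
"""
Added example, not code from the thread: find spoofed-source flows in
'show ip cache flow' style records, total them per ingress interface, and
emit a suggested IOS access list. Sample records are constructed; ports,
packet counts and the extra source addresses are invented.
"""
import ipaddress
from collections import Counter

# Source ranges that should never arrive on a router interface. 127.0.0.0/8
# is the range seen in the thread; a host cannot legitimately send from it.
BOGON_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),   # loopback
    ipaddress.ip_network("0.0.0.0/8"),     # "this" network
    ipaddress.ip_network("224.0.0.0/3"),   # multicast and reserved, never a source
]

# Constructed sample in the layout of 'show ip cache flow' (Pr and ports in hex).
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/1         127.0.0.124     Se1/2.500     108.122.0.0     00 0000 0000   285
Fa0/1         127.0.0.77      Se1/2.500     108.122.0.0     00 0000 0000   301
Fa0/2         10.1.20.15      Se1/2.500     108.122.4.9     06 0C7B 0050    12
Fa0/1         127.0.0.9       Se1/2.500     108.122.0.0     00 0000 0000   244
Se1/2.500     198.51.100.20   Fa0/2         10.1.20.15      06 0050 0C7B    11
"""


def parse_flows(text: str) -> list[dict]:
    """Parse the whitespace-separated flow table; skip the header and blank lines."""
    flows = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        src_if, src_ip, dst_if, dst_ip, proto, sport, dport, pkts = cols
        flows.append({
            "src_if": src_if,
            "src_ip": ipaddress.ip_address(src_ip),
            "dst_if": dst_if,
            "dst_ip": ipaddress.ip_address(dst_ip),
            "proto": int(proto, 16),   # Pr column is hexadecimal
            "sport": int(sport, 16),   # ports are hexadecimal too
            "dport": int(dport, 16),
            "pkts": int(pkts),
        })
    return flows


def is_bogon_source(ip) -> bool:
    """True if the address falls in a range that can never be a real source."""
    return any(ip in net for net in BOGON_SOURCES)


def spoofed_by_ingress(flows: list[dict]) -> dict[str, int]:
    """Packets with an impossible source address, summed per ingress interface."""
    totals: Counter = Counter()
    for f in flows:
        if is_bogon_source(f["src_ip"]):
            totals[f["src_if"]] += f["pkts"]
    return dict(totals)


def suggest_acl(flows: list[dict], acl_number: int = 110) -> list[str]:
    """IOS extended ACL denying each offending range, applied inbound where it enters."""
    offending = []
    for f in flows:
        for net in BOGON_SOURCES:
            if f["src_ip"] in net and net not in offending:
                offending.append(net)
    lines = [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any log"
             for n in offending]
    lines.append(f"access-list {acl_number} permit ip any any")
    # Apply on every interface that carried spoofed packets inbound.
    for iface in sorted(spoofed_by_ingress(flows)):
        lines += [f"interface {iface}", f" ip access-group {acl_number} in"]
    return lines


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("spoofed packets per ingress interface:", spoofed_by_ingress(flows))
    print("\n".join(suggest_acl(flows)))
```

The per-interface totals answer the same question Mario answered by reading the Netflow table by hand: which switch-facing interface to go to next with show cam or show mac-address-table. The deny lines use the IOS wildcard mask (0.255.255.255 for a /8) and are logged so the hit count keeps confirming which port is still sending after the hosts are pulled.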

RE: Possible Attack???? [7:59813]

2002-12-27 Thread Priscilla Oppenheimer
Sounds like you used a good method to track down the compromised machines
(Sun SPARCstations). Can you tell us anything more about what had happened
to them? Had someone installed a Trojan horse or something?? Are there any
URLs that describe the attack? I tried to find some last night but didn't,
but maybe with more info you have found some.

I think it would help us all to know more if you can share more. Thanks for
what you've told us so far!

Priscilla


RE: Possible Attack???? [7:59813]

2002-12-27 Thread [EMAIL PROTECTED]
I was finally able to track down the infected PCs (yes, more than one).
Below is a brief description of what occurred and the fix.  First, thanks to
all that responded to me.  

As previously mentioned, I had an attack on a customer of mine's network that
was showing up as follows:

SrcIf   SrcIPaddress   DstIf      DstIPaddress   Pr  SrcP  DstP  Pkts
Fa0/1   127.0.0.124    Se1/2.500  108.122.0.0    00              285


The above capture is just 1 of a few hundred packets similar to it and all
coming from a different source address on the 127.0.0.0 network.  The amount
of traffic was so large that at times it peaked to over 20MB and as a result
it overran my WAN interfaces causing BGP to flap / reconverge.  Just when
BGP got a chance to come back up and learned all 115000 routes, the attack
occurred again and the links would flap.  

Pinging the 127.0.0.x IP address from the edge router where the attack was
initially spotted did not give me any replies.  All I got were U.  I was
also not able to ping the broadcast address as all it gave me was U
(unreachables) as well.  There were no ARP entries on that router for that
IP.  I ended up enabling Netflow on the edge router (what you see above) in
order to get more detail of what was going on.  I got to see what interface
it was coming in on so I applied an access-list on the router to filter out
these packets. That allowed the router and BGP to stabilize.  The next thing
was to move on to the switch that was connected to this FA0/1 interface.
This switch has a router module, so I ended up doing the same thing as I did
on the edge router except this time I also connected to the sc0 interface
and I enabled one port as the mirroring port on the switch and placed a PC
with Ethereal to monitor everything that was destined to 108.122.0.0 and I
finally got a MAC address.  I issued the show CAM command on the switch and
it told me where it came from, which was another switch.  I moved on to that
other switch. The MAC address that was being reported was the MSM route
module of that switch.  I enabled Netflow on it as well and I was able to
see the VLAN that the attack was coming in on and the VLAN where it was
destined to.  Luckily there were only 2 PCs (Sun SPARCstations) on that
VLAN and both were compromised.  I removed them from the network and all is
well.  I did also have MRTG, which helped some with identifying when the
attack was going on and what direction it was coming in and with the ports
that were being most heavily utilized.  This network is pretty big so it was
difficult to monitor all the ports that were suspects.  Thank you all again
for your help.  

As far as the runt packets are concerned, to tell you the truth, I noticed
that but did not pay too much attention to that part of the Netflow output
since I was all wrapped up in tracking down where these packets were coming
in from.   Right now packets with size of 1-32 account for about 50% of all
traffic. 




Thanks, 

Mario Puras 
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410  
888.449.5766 (USA) / 888.SOLUNET (Canada) 



-Original Message-
From: jhodge [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 27, 2002 4:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]


Not sure if this will help, but you could enable ip accounting on the
uplink interface to the switch.  Watch for the address that is pouring
out the most requests. Then use sho ip arp x.x.x.x to find the mac
address.  From there you could go to the switch and do a show cam
dynamic or if IOS version, show mac-address-table with the mac address
found with the most requests.  This would hunt down the culprit machine
without a person walking to each individual machine.

Cheers,


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on the switch? You can then graphically see which
host has been pouring out all the traffic with ease.

 wrote in message news:[EMAIL PROTECTED]...
> Thanks Priscilla.  I figure it was some sort of spoofing which is what I
> ended up reporting last night.  The traffic on the edge router is under
> control.  I was able to narrow down which VLAN on the switch it was coming
> in on.  There is someone going onsite this morning and we are going to work
> on narrowing down the actual culprit PC.  It should not be difficult to spot
> by looking at the LED on the switch (I hope).  The attack seems to come in
> spurts but when it comes, I see anywhere from about 3000-15000 packets per
> second that last about 10 seconds.  The weird thing is that when I remove
> the access-list that is currently filtering the 127 address, the attack lasts
> much longer.  It is almost like it knows that the access-list has been
> removed.  Since 
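Added example (not from the thread, and not any poster's code): a Python script that parses flow records in the `show ip cache flow` layout shown above, totals per ingress interface the packets whose source address can never legitimately arrive from a LAN host (the 127.0.0.0/8 loopback block this thread is chasing, plus 0.0.0.0/8), and emits the IOS access-list lines that would drop and log them, the way the flood was filtered at the edge router. The sample records are constructed to match the layout above; the ACL number 101 is an assumption.

```python
"""Total the flows whose source address could never legitimately arrive from
a LAN host, per ingress interface, and build the ACL that drops them.

Added example for this thread, not code from any poster.  SAMPLE_FLOWS is
constructed to match the 'show ip cache flow' record layout in the thread;
ACL number 101 is an assumption.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records (layout as in the thread: SrcIf SrcIPaddress
# DstIf DstIPaddress Pr SrcP DstP Pkts; Pr and the ports are hex).
SAMPLE_FLOWS = """\
SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP  DstP  Pkts
Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00  0000  0000  285
Fa0/1  127.0.0.125   Se1/2.500  108.122.0.0   00  0000  0000  38
Fa0/1  10.1.1.25     Se1/2.500  198.51.100.7  06  0D3B  0050  17
Fa0/0  0.0.0.0       Se1/2.500  108.122.0.0   00  0000  0000  12
"""

# Source blocks that must never be seen on an ingress interface: the RFC 1122
# loopback and "this network" ranges.  A production filter would carry the
# full bogon list.
NEVER_VALID_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def parse_flows(text):
    """Yield one dict per flow record, skipping the column header."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 8 or cols[0] == "SrcIf":
            continue
        yield {
            "src_if": cols[0],
            "src": ipaddress.ip_address(cols[1]),
            "dst_if": cols[2],
            "dst": ipaddress.ip_address(cols[3]),
            "proto": int(cols[4], 16),
            "sport": int(cols[5], 16),
            "dport": int(cols[6], 16),
            "pkts": int(cols[7]),
        }


def is_bogus_source(addr):
    """True if addr (string or ip_address object) lies in a never-valid block."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr in net for net in NEVER_VALID_SOURCES)


def spoofed_packets_by_interface(text):
    """Map ingress interface -> packets carried by impossible-source flows."""
    totals = defaultdict(int)
    for flow in parse_flows(text):
        if is_bogus_source(flow["src"]):
            totals[flow["src_if"]] += flow["pkts"]
    return dict(totals)


def ingress_acl_lines(acl_number=101):
    """IOS extended ACL that drops and logs the never-valid sources and lets
    everything else through (the ACL number is an assumption)."""
    lines = [
        f"access-list {acl_number} deny ip {net.network_address} "
        f"{net.hostmask} any log"
        for net in NEVER_VALID_SOURCES
    ]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    for iface, pkts in spoofed_packets_by_interface(SAMPLE_FLOWS).items():
        print(f"{iface}: {pkts} packets from impossible sources")
    print("\n".join(ingress_acl_lines()))
```

The ACL only stops the symptom at the router; as the thread shows, the sending host still has to be traced by interface and MAC address, because a spoofed 127.x source has no ARP entry to follow.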

RE: Possible Attack???? [7:59813]

2002-12-27 Thread jhodge
Not sure if this will help, but you could enable ip accounting on the
uplink interface to the switch.  Watch for the address that is pouring
out the most requests. Then use sho ip arp x.x.x.x to find the mac
address.  From there you could go to the switch and do a show cam
dynamic or if IOS version, show mac-address-table with the mac address
found with the most requests.  This would hunt down the culprit machine
without a person walking to each individual machine.

Cheers,


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Sam Sneed
Sent: December 27, 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: Re: Possible Attack [7:59813]

Do you run SNMP and mrtg on the switch? You can then graphically see which
host has been pouring out all the traffic with ease.

 wrote in message news:[EMAIL PROTECTED]...
> Thanks Priscilla.  I figure it was some sort of spoofing which is what I
> ended up reporting last night.  The traffic on the edge router is under
> control.  I was able to narrow down which VLAN on the switch it was coming
> in on.  There is someone going onsite this morning and we are going to work
> on narrowing down the actual culprit PC.  It should not be difficult to spot
> by looking at the LED on the switch (I hope).  The attack seems to come in
> spurts but when it comes, I see anywhere from about 3000-15000 packets per
> second that last about 10 seconds.  The weird thing is that when I remove
> the access-list that is currently filtering the 127 address, the attack lasts
> much longer.  It is almost like it knows that the access-list has been
> removed.  Since the traffic that I am filtering is not related to ICMP then
> I know that I am not sending out any Unreachable message back to the source.
>
>
>
>
>
> Thanks,
>
> Mario Puras
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410
> 888.449.5766 (USA) / 888.SOLUNET (Canada)
>
>
>
> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 26, 2002 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
>
>
> Sending with a source address of 127.x.x.x is often used in IP spoofing. You
> should try to find out which station is doing this. It could be compromised.
> Of course, it will be hard to find, but if the packets haven't crossed a
> router, the MAC address will have a clue. The first six bytes of the MAC
> address are a vendor code. Of course, if all your equipment is from one
> vendor, that doesn't help much!
>
> The destination address of  108.122.0.0 is strange also. I looked it up in
> the ARIN Whois database and it says it's part of a range reserved by IANA.
> I'm not sure why it's reserved, but it seems like a suspicious address to
> use.
>
> So, you're doing the right thing to filter out these packets.
>
> But you said the problem remained. The other thing I noticed that's strange
> is probably unrelated to a possible attack.
>
> Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
> frames on Ethernet. Could you have a duplex mismatch problem?? You should
> check the output of show int Fa0/1.
>
> Good luck!
>
> Priscilla
>
> [EMAIL PROTECTED] wrote:
> >
> > Hi all.  I was wondering if someone can share some light on a weird issue
> > that I am seeing.  This perhaps may be an attack from an internal or
> > infected host within the network or simply a malfunctioning NIC.
> > Basically, I have a Cisco 3662 with 2 Satellite links.  I noticed that the
> > main WAN link (1.544mb) was bursting outbound to sometimes 20mb.  I noticed
> > a lot of output drops and the links started to flap and as a result BGP
> > sessions started going down causing huge problems.  Once I was able to get
> > the BGP under control, I enabled Netflow on the inbound interface (FE0/1)
> > to see what type of traffic could be causing this issue and this is when I
> > noticed the below:
> >
> >
> > Here is the output of the Netflow:
> >
> > cisco_3600_one#show ip cache flow
> > IP packet size distribution (4096357 total packets):
> >    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
> >    .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000
> >
> >     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
> >    .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
> >
> > IP Flow Switching Cache, 278544 bytes
> >   978 active, 3118 inac
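The ip accounting / `show ip arp` / `show mac-address-table` chain that jhodge describes, together with Priscilla's point about the vendor code in the MAC address, as an added Python example (not code from the thread or from any poster). Both command outputs are constructed samples in the IOS layout, and the OUI table holds only two entries where a real tool would load the IEEE registry. When the source IP is spoofed and has no ARP entry, as in this thread, the MAC comes from a mirror-port capture instead and only the MAC-to-port step (`locate_by_mac`) applies.

```python
"""Walk the IP -> MAC -> switch port chain from 'show ip arp' and
'show mac-address-table' output, and decode the vendor prefix of the MAC.

Added example written for this thread, not any poster's commands or output;
both command outputs below are constructed samples in the IOS layout.
"""
import re

# Constructed 'show ip arp' output from the router.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0000.0c12.ab34  ARPA   Vlan10
Internet  10.1.1.25               5   0800.2012.3456  ARPA   Vlan10
"""

# Constructed 'show mac-address-table' output from the access switch.
MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0800.2012.3456    DYNAMIC     Fa0/12
  10    0000.0c12.ab34    DYNAMIC     Gi0/1
"""

# Tiny subset of the IEEE OUI registry (first three bytes of the MAC).
OUI_VENDORS = {"080020": "Sun Microsystems", "00000c": "Cisco Systems"}

# Cisco prints MACs as three dotted groups of four hex digits.
MAC_RE = re.compile(r"\b[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\b")


def mac_for_ip(arp_text, ip):
    """Return the dotted-hex MAC the router has cached for ip, or None."""
    for line in arp_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "Internet" and cols[1] == ip:
            m = MAC_RE.search(line)
            return m.group(0).lower() if m else None
    return None


def port_for_mac(table_text, mac):
    """Return (vlan, port) where the switch learned mac, or None."""
    for line in table_text.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[1].lower() == mac.lower():
            return cols[0], cols[3]
    return None


def vendor_for_mac(mac):
    """Look up the OUI (first six hex digits) of a dotted-hex MAC."""
    oui = mac.replace(".", "").lower()[:6]
    return OUI_VENDORS.get(oui, "unknown OUI " + oui)


def locate_by_mac(table_text, mac):
    """MAC -> port step on its own, for a MAC taken from a sniffer capture."""
    hit = port_for_mac(table_text, mac)
    if hit is None:
        return None
    vlan, port = hit
    return {"mac": mac.lower(), "vlan": vlan, "port": port,
            "vendor": vendor_for_mac(mac)}


def locate_host(arp_text, table_text, ip):
    """Full chain; returns None when the IP has no ARP entry (e.g. spoofed)."""
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        return None
    return locate_by_mac(table_text, mac)


if __name__ == "__main__":
    print(locate_host(ARP_OUTPUT, MAC_TABLE_OUTPUT, "10.1.1.25"))
    print(locate_host(ARP_OUTPUT, MAC_TABLE_OUTPUT, "127.0.0.124"))
```

If the port found is an uplink to another switch (Gi0/1 in the sample), the same MAC lookup is repeated on that switch until an access port is reached, which is exactly the hop-by-hop walk the thread ends up doing.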

Re: Possible Attack???? [7:59813]

2002-12-27 Thread Sam Sneed
Do you run SNMP and mrtg on the switch? You can then graphically see which
host has been pouring out all the traffic with ease.

 wrote in message news:[EMAIL PROTECTED]...
> Thanks Priscilla.  I figure it was some sort of spoofing which is what I
> ended up reporting last night.  The traffic on the edge router is under
> control.  I was able to narrow down which VLAN on the switch it was coming
> in on.  There is someone going onsite this morning and we are going to work
> on narrowing down the actual culprit PC.  It should not be difficult to spot
> by looking at the LED on the switch (I hope).  The attack seems to come in
> spurts but when it comes, I see anywhere from about 3000-15000 packets per
> second that last about 10 seconds.  The weird thing is that when I remove
> the access-list that is currently filtering the 127 address, the attack lasts
> much longer.  It is almost like it knows that the access-list has been
> removed.  Since the traffic that I am filtering is not related to ICMP then
> I know that I am not sending out any Unreachable message back to the source.
>
>
>
>
>
> Thanks,
>
> Mario Puras
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410
> 888.449.5766 (USA) / 888.SOLUNET (Canada)
>
>
>
> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 26, 2002 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
>
>
> Sending with a source address of 127.x.x.x is often used in IP spoofing. You
> should try to find out which station is doing this. It could be compromised.
> Of course, it will be hard to find, but if the packets haven't crossed a
> router, the MAC address will have a clue. The first six bytes of the MAC
> address are a vendor code. Of course, if all your equipment is from one
> vendor, that doesn't help much!
>
> The destination address of  108.122.0.0 is strange also. I looked it up in
> the ARIN Whois database and it says it's part of a range reserved by IANA.
> I'm not sure why it's reserved, but it seems like a suspicious address to
> use.
>
> So, you're doing the right thing to filter out these packets.
>
> But you said the problem remained. The other thing I noticed that's strange
> is probably unrelated to a possible attack.
>
> Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
> frames on Ethernet. Could you have a duplex mismatch problem?? You should
> check the output of show int Fa0/1.
>
> Good luck!
>
> Priscilla
>
> [EMAIL PROTECTED] wrote:
> >
> > Hi all.  I was wondering if someone can share some light on a weird issue
> > that I am seeing.  This perhaps may be an attack from an internal or
> > infected host within the network or simply a malfunctioning NIC.
> > Basically, I have a Cisco 3662 with 2 Satellite links.  I noticed that the
> > main WAN link (1.544mb) was bursting outbound to sometimes 20mb.  I noticed
> > a lot of output drops and the links started to flap and as a result BGP
> > sessions started going down causing huge problems.  Once I was able to get
> > the BGP under control, I enabled Netflow on the inbound interface (FE0/1)
> > to see what type of traffic could be causing this issue and this is when I
> > noticed the below:
> >
> >
> > Here is the output of the Netflow:
> >
> > cisco_3600_one#show ip cache flow
> > IP packet size distribution (4096357 total packets):
> >    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
> >    .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000
> >
> >     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
> >    .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
> >
> > IP Flow Switching Cache, 278544 bytes
> >   978 active, 3118 inactive, 121929 added
> >   2503952 ager polls, 0 flow alloc failures
> >   last clearing of statistics never
> > Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
> >                  Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
> > TCP-Telnet  41  0.05040  0.0  31.3  14.4
> > TCP-FTP 87  0.0 765  0.0  17.0  12.1
> > TCP-FTPD27  0.0   135   211  0.0  83.0   3.5
> > TCP-WWW  43121  0.3 8   335  2.8
> > 3.

RE: Possible Attack???? [7:59813]

2002-12-27 Thread Priscilla Oppenheimer
[EMAIL PROTECTED] wrote:
> 
> Thanks Priscilla.  I figure it was some sort of spoofing which is what I
> ended up reporting last night.  The traffic on the edge router is under
> control.  I was able to narrow down which VLAN on the switch it was coming
> in on.  There is someone going onsite this morning and we are going to work
> on narrowing down the actual culprit PC.  It should not be difficult to spot
> by looking at the LED on the switch (I hope).  The attack seems to come in
> spurts but when it comes, I see anywhere from about 3000-15000 packets per
> second that last about 10 seconds.  The weird thing is that when I remove
> the access-list that is currently filtering the 127 address, the attack lasts
> much longer.  It is almost like it knows that the access-list has been
> removed.

That is weird. You would have to put a sniffer on it to see if there's an
explanation.

>  Since the traffic that I am filtering is not related
> to ICMP then
> I know that I am not sending out any Unreachable message back
> to the source.

You could still be sending Unreachable or some other ICMP messages. ICMP
messages can go out in response to any packet. They don't just go out in
response to ICMP packets, if that's what you meant by your comment. In fact,
there's a good chance you are sending Type 3, Code 13 ICMP messages
(Administratively Prohibited) when you have the access list enabled.

Of course, they would be sent back to 127.x.x.x, so they might not work,
though?! :-) So that wouldn't explain the host backing off...

I wanted to mention one more thing. In my previous message I was concerned
about all the packets that were 1-32 bytes. I said those would be illegal
Ethernet runts.

I'm guessing that Ethernet isn't actually relevant here, though. I bet the
Ethernet header has been stripped off by this point. Also any padding that
Ethernet added to make it a legal length has been stripped off.

The info reported by "show ip cache flow" is probably from IP's point of
view. In that case a packet that was 32 bytes long would be legitimate. It
could be a 20-byte IP header and a 12 byte ICMP message, in fact.

You might want to find out what they are. I stick to my original overall
comment that having 75% of your packets being that small is weird.

Does anyone know for sure if "show ip cache flow" reports packet sizes after
the data-link-layer header has been stripped?? I couldn't find an answer on
Cisco's site.

Good luck finding the culprit! Let us know how it goes. Thanks.

Priscilla

> 
> 
> 
> 
> 
> Thanks, 
> 
> Mario Puras 
> SoluNet Technical Support
> Mailto: [EMAIL PROTECTED]
> Direct: (321) 309-1410  
> 888.449.5766 (USA) / 888.SOLUNET (Canada) 
> 
> 
> 
> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 26, 2002 10:57 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible Attack [7:59813]
> 
> 
> Sending with a source address of 127.x.x.x is often used in IP spoofing. You
> should try to find out which station is doing this. It could be compromised.
> Of course, it will be hard to find, but if the packets haven't crossed a
> router, the MAC address will have a clue. The first six bytes of the MAC
> address are a vendor code. Of course, if all your equipment is from one
> vendor, that doesn't help much!
> 
> The destination address of  108.122.0.0 is strange also. I looked it up in
> the ARIN Whois database and it says it's part of a range reserved by IANA.
> I'm not sure why it's reserved, but it seems like a suspicious address to
> use.
> 
> So, you're doing the right thing to filter out these packets. 
> 
> But you said the problem remained. The other thing I noticed that's strange
> is probably unrelated to a possible attack.
> 
> Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
> frames on Ethernet. Could you have a duplex mismatch problem?? You should
> check the output of show int Fa0/1.
> 
> Good luck!
> 
> Priscilla
> 
> [EMAIL PROTECTED] wrote:
> > 
> > Hi all.  I was wondering if someone can share some light on a weird issue
> > that I am seeing.  This perhaps may be an attack from an internal or
> > infected host within the network or simply a malfunctioning NIC.
> > Basically, I have a Cisco 3662 with 2 Satellite links.  I noticed that the
> > main WAN link (1.544mb) was bursting outbound to sometimes 20mb.  I noticed
> > a lot of output drops and the links started to flap and as a result BGP
> > sess
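To put numbers on the 1-32 byte question raised in this message, an added Python example (not from the thread or any poster) that parses the `IP packet size distribution` block of `show ip cache flow`, reports the share of packets of 32 bytes or less, and estimates the mean datagram size from the bucket midpoints. NetFlow counts bytes at the IP layer, so these sizes exclude the Ethernet header and padding: a 32-byte entry is a complete 20-byte IP header plus up to 12 bytes of payload, not an Ethernet runt. The sample block is constructed from the figures quoted in the thread; the 50% alert threshold is an assumption.

```python
"""Parse the 'IP packet size distribution' block of 'show ip cache flow' and
put numbers on the small-packet question.

Added example for this thread, not code from any poster.  SAMPLE_OUTPUT is
constructed from the figures quoted in the thread; the alert threshold is an
assumption.  NetFlow sizes are IP datagram lengths (no Ethernet header or
padding), so a 32-byte packet is a 20-byte IP header plus 12 bytes of payload.
"""
import re

SAMPLE_OUTPUT = """\
cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
"""

IP_HEADER_MIN = 20  # bytes; nothing shorter can be a whole datagram


def parse_size_distribution(text):
    """Return [(bucket_upper_bound, fraction), ...] in the order printed.

    Bucket label lines (integers, or '1-32' for the first bucket) alternate
    with fraction lines; the section ends at the first line of another shape.
    """
    labels, fracs, in_section = [], [], False
    for line in text.splitlines():
        if line.startswith("IP packet size distribution"):
            in_section = True
            continue
        if not in_section:
            continue
        toks = line.split()
        if not toks:
            continue
        if all(t.startswith(".") for t in toks):
            fracs.extend(float(t) for t in toks)
        elif all(t.replace("-", "").isdigit() for t in toks):
            labels.extend(int(t.split("-")[-1]) for t in toks)
        else:
            break
    if len(labels) != len(fracs):
        raise ValueError("bucket labels and fractions do not line up")
    return list(zip(labels, fracs))


def total_packets(text):
    """Total packet count from the section header, or None if absent."""
    m = re.search(r"\((\d+) total packets\)", text)
    return int(m.group(1)) if m else None


def share_at_or_below(dist, size):
    """Fraction of packets whose bucket upper bound is <= size bytes."""
    return sum(f for upper, f in dist if upper <= size)


def estimated_mean_bytes(dist):
    """Midpoint estimate of the mean datagram size.  The printed fractions are
    rounded to three places, so normalise by their sum instead of assuming 1."""
    prev, weighted, mass = 0, 0.0, 0.0
    for upper, f in dist:
        weighted += ((prev + 1 + upper) / 2) * f
        mass += f
        prev = upper
    return weighted / mass if mass else 0.0


def assess(text, alert_share=0.5):
    """Summary a NOC would want: how much of the traffic is tiny datagrams."""
    dist = parse_size_distribution(text)
    share = share_at_or_below(dist, 32)
    return {
        "total_packets": total_packets(text),
        "share_le_32": share,
        "est_mean_bytes": estimated_mean_bytes(dist),
        "max_payload_in_smallest_bucket": 32 - IP_HEADER_MIN,
        "alert": share >= alert_share,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))
```

On the thread's figures the estimate lands around 68 bytes per datagram, which is the kind of number a flood of near-empty packets produces; comparing it over time against the interface's normal profile is a cheap early warning that needs no extra hardware.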

RE: Possible Attack???? [7:59813]

2002-12-27 Thread [EMAIL PROTECTED]
Thanks Priscilla.  I figure it was some sort of spoofing which is what I
ended up reporting last night.  The traffic on the edge router is under
control.  I was able to narrow down which VLAN on the switch it was coming
in on.  There is someone going onsite this morning and we are going to work
on narrowing down the actual culprit PC.  It should not be difficult to spot
by looking at the LED on the switch (I hope).  The attack seems to come in
spurts but when it comes, I see anywhere from about 3000-15000 packets per
second that last about 10 seconds.  The weird thing is that when I remove
the access-list that is currently filtering the 127 address, the attack lasts
much longer.  It is almost like it knows that the access-list has been
removed.  Since the traffic that I am filtering is not related to ICMP then
I know that I am not sending out any Unreachable message back to the source.





Thanks, 

Mario Puras 
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410  
888.449.5766 (USA) / 888.SOLUNET (Canada) 



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 26, 2002 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]


Sending with a source address of 127.x.x.x is often used in IP spoofing. You
should try to find out which station is doing this. It could be compromised.
Of course, it will be hard to find, but if the packets haven't crossed a
router, the MAC address will have a clue. The first six bytes of the MAC
address are a vendor code. Of course, if all your equipment is from one
vendor, that doesn't help much!

The destination address of  108.122.0.0 is strange also. I looked it up in
the ARIN Whois database and it says it's part of a range reserved by IANA.
I'm not sure why it's reserved, but it seems like a suspicious address to
use.

So, you're doing the right thing to filter out these packets. 

But you said the problem remained. The other thing I noticed that's strange
is probably unrelated to a possible attack.

Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
frames on Ethernet. Could you have a duplex mismatch problem?? You should
check the output of show int Fa0/1.

Good luck!

Priscilla

[EMAIL PROTECTED] wrote:
> 
> Hi all.  I was wondering if someone can share some light on a weird issue
> that I am seeing.  This perhaps may be an attack from an internal or infected
> host within the network or simply a malfunctioning NIC.  Basically, I have a
> Cisco 3662 with 2 Satellite links.  I noticed that the main WAN link
> (1.544mb) was bursting outbound to sometimes 20mb.  I noticed a lot of
> output drops and the links started to flap and as a result BGP sessions
> started going down causing huge problems.  Once I was able to get the BGP
> under control, I enabled Netflow on the inbound interface (FE0/1) to see
> what type of traffic could be causing this issue and this is when I noticed
> the below:
> 
> 
> Here is the output of the Netflow:
> 
> cisco_3600_one#show ip cache flow 
> IP packet size distribution (4096357 total packets):
>    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
>    .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000
> 
>     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
>    .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
> 
> IP Flow Switching Cache, 278544 bytes
>   978 active, 3118 inactive, 121929 added
>   2503952 ager polls, 0 flow alloc failures
>   last clearing of statistics never
> Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
>                  Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
> TCP-Telnet  41  0.05040  0.0  31.3  14.4
> TCP-FTP 87  0.0 765  0.0  17.0  12.1
> TCP-FTPD27  0.0   135   211  0.0  83.0   3.5
> TCP-WWW  43121  0.3 8   335  2.8   3.6   2.7
> TCP-SMTP  1137  0.0 6   173  0.0   9.8   9.7
> TCP-BGP  1  0.0   67368  0.0   1796.8   3.6
> TCP-Frag 2  0.0 140  0.0   0.0  15.5
> TCP-other33285  0.214   246  3.7  24.0  10.3
> UDP-DNS   6005  0.0 173  0.0   1.3  15.4
> UDP-NTP 10  0.0 176  0.0   0.0  15.4
> UDP-other13772  0.1 678  0.7   1.2  15.5
> ICMP  2904  0.0 372  0.0  19.1  15.4

RE: Possible Attack???? [7:59813]

2002-12-26 Thread Priscilla Oppenheimer
Sending with a source address of 127.x.x.x is often used in IP spoofing. You
should try to find out which station is doing this. It could be compromised.
Of course, it will be hard to find, but if the packets haven't crossed a
router, the MAC address will have a clue. The first six bytes of the MAC
address are a vendor code. Of course, if all your equipment is from one
vendor, that doesn't help much!

The destination address of  108.122.0.0 is strange also. I looked it up in
the ARIN Whois database and it says it's part of a range reserved by IANA.
I'm not sure why it's reserved, but it seems like a suspicious address to use.

So, you're doing the right thing to filter out these packets. 

But you said the problem remained. The other thing I noticed that's strange
is probably unrelated to a possible attack.

Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
frames on Ethernet. Could you have a duplex mismatch problem?? You should
check the output of show int Fa0/1.

Good luck!

Priscilla

[EMAIL PROTECTED] wrote:
> 
> Hi all.  I was wondering if someone can share some light on a weird issue
> that I am seeing.  This perhaps may be an attack from an internal or infected
> host within the network or simply a malfunctioning NIC.  Basically, I have a
> Cisco 3662 with 2 Satellite links.  I noticed that the main WAN link
> (1.544mb) was bursting outbound to sometimes 20mb.  I noticed a lot of
> output drops and the links started to flap and as a result BGP sessions
> started going down causing huge problems.  Once I was able to get the BGP
> under control, I enabled Netflow on the inbound interface (FE0/1) to see
> what type of traffic could be causing this issue and this is when I noticed
> the below:
> 
> 
> Here is the output of the Netflow:
> 
> cisco_3600_one#show ip cache flow 
> IP packet size distribution (4096357 total packets):
>    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
>    .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000
> 
>     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
>    .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000
> 
> IP Flow Switching Cache, 278544 bytes
>   978 active, 3118 inactive, 121929 added
>   2503952 ager polls, 0 flow alloc failures
>   last clearing of statistics never
> Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
>                  Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
> TCP-Telnet  41  0.05040  0.0  31.3  14.4
> TCP-FTP 87  0.0 765  0.0  17.0  12.1
> TCP-FTPD27  0.0   135   211  0.0  83.0   3.5
> TCP-WWW  43121  0.3 8   335  2.8   3.6   2.7
> TCP-SMTP  1137  0.0 6   173  0.0   9.8   9.7
> TCP-BGP  1  0.0   67368  0.0   1796.8   3.6
> TCP-Frag 2  0.0 140  0.0   0.0  15.5
> TCP-other33285  0.214   246  3.7  24.0  10.3
> UDP-DNS   6005  0.0 173  0.0   1.3  15.4
> UDP-NTP 10  0.0 176  0.0   0.0  15.4
> UDP-other13772  0.1 678  0.7   1.2  15.5
> ICMP  2904  0.0 372  0.0  19.1  15.4
> IP-other 20559  0.1   14820 24.5   6.8  15.4
> Total:  120951  0.93376 32.2   9.9   9.4
> 
> 
> .
> .
> .
> SrcIf  SrcIPaddress  DstIf      DstIPaddress  Pr  SrcP  DstP  Pkts
> Fa0/1  127.0.0.124   Se1/2.500  108.122.0.0   00              285
> Fa0/1  127.0.0.125   Se1/2.500  108.122.0.0   00              38
> Fa0/1  127.0.0.122   Se1/2.500  108.122.0.0   00              35
> Fa0/1  127.0.0.123   Se1/2.500  108.122.0.0   00              296
> Fa0/1  127.0.0.120   Se1/2.500  108.122.0.0   00              33
> Fa0/1  127.0.0.121   Se1/2.500  108.122.0.0   00              36
> Fa0/1  127.0.0.118   Se1/2.500  108.122.0.0   00              52
> Fa0/1  127.0.0.116   Se1/2.500  108.122.0.0   00              189
> Fa0/1  127.0.0.117   Se1/2.500  108.122.0.0   00              277
> Fa0/1  127.0.0.114   Se1/2.500  108.122.0.0   00              32
> Fa0/1 127.0

Possible Attack???? [7:59813]

2002-12-26 Thread [EMAIL PROTECTED]
Hi all.  I was wondering if someone can share some light on a weird issue
that I am seeing.  This perhaps may be an attack from an internal or infected
host within the network or simply a malfunctioning NIC.  Basically, I have a
Cisco 3662 with 2 Satellite links.  I noticed that the main WAN link
(1.544mb) was bursting outbound to sometimes 20mb.  I noticed a lot of
output drops and the links started to flap and as a result BGP sessions
started going down causing huge problems.  Once I was able to get the BGP
under control, I enabled Netflow on the inbound interface (FE0/1) to see
what type of traffic could be causing this issue and this is when I noticed
the below:


Here is the output of the Netflow:

cisco_3600_one#show ip cache flow 
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
                 Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet  41  0.05040  0.0  31.3  14.4
TCP-FTP 87  0.0 765  0.0  17.0  12.1
TCP-FTPD27  0.0   135   211  0.0  83.0   3.5
TCP-WWW  43121  0.3 8   335  2.8   3.6   2.7
TCP-SMTP  1137  0.0 6   173  0.0   9.8   9.7
TCP-BGP  1  0.0   67368  0.01796.8   3.6
TCP-Frag 2  0.0 140  0.0   0.0  15.5
TCP-other33285  0.214   246  3.7  24.0  10.3
UDP-DNS   6005  0.0 173  0.0   1.3  15.4
UDP-NTP 10  0.0 176  0.0   0.0  15.4
UDP-other13772  0.1 678  0.7   1.2  15.5
ICMP  2904  0.0 372  0.0  19.1  15.4
IP-other 20559  0.1   14820 24.5   6.8  15.4
Total:  120951  0.93376 32.2   9.9   9.4





Re: ack attack or config prob? [7:56341]

2002-10-27 Thread gogarty
Hi Garrett,

There are two DoS attacks that I know of that use ACKs, called stream.c and
raped.c: stream.c sends ACK packets to the target with random sequence
numbers and source IPs, and raped.c sends ACKs with spoofed source IPs
but I believe the sequence numbers are the same.

C
- Original Message -
From: "Garrett Allen" 
To: 
Sent: Sunday, October 27, 2002 3:14 AM
Subject: Re: ack attack or config prob? [7:56341]


> the filter doesn't like special characters.  sorry.  here is another try
> without the less than symbol:
>
> priscilla,
>
> the bursts were less than 2mins each in duration as i recall.  they
> occurred sporadically through the day.  i have traces and i'll look for
> more precise timeframes later tonight.  within each burst the packets were
> from the same ip address.  there were at least 2 unique non-contiguous ip
> addresses involved and 1 repeated a burst at least once that we tracked
> (i.e. at least 2 bursts of 100k packets).
>
> the trace reveals acks and fin acks; no syn or syn ack's noted (my
> reference to syn acks in the prior email was the only reference i could
> find on the ms site that discussed their retry implementation, which could
> cause this if it was unlimited).  firewalls are in place which is why i was
> going down the path of a misconfiguration on our servers.  in theory the
> firewall vendor states that the firewall is doing a stateful inspection and
> we did see some evidence of packets being dropped at the firewall - but not
> all.  if the session was not previously opened the firewall should drop the
> ack and fin ack's as they are not a valid start of session transmission.
> each burst contained the same sequence and ack numbers.
>
> i wondered at first if it was our servers that were initiating this
> behavior pattern.  we did reboot the servers.  urban legend has it (i.e. my
> neighbor has a friend whose wife's cousin said ...) that unexpected
> terminations of outlook web access can cause this kind of behavior to
> occur, but it is just legend.  an examination of the trace doesn't point in
> that direction but i need to spend more time reviewing them.  and the
> problem reoccurred after the reboots.
>
> like i said i think it is an interesting issue because there are so many
> possibilities and it forces one to think about all the many things that
> can go wrong.
>
> thanks for your insights and thoughtful questions.
>
> - Original Message -
> From: "Garrett Allen"
> To:
> Sent: Saturday, October 26, 2002 9:59 PM
> Subject: Re: ack attack or config prob? [7:56341]
>
>
> > priscilla,
> >
> > the bursts were
> > To:
> > Sent: Saturday, October 26, 2002 7:40 PM
> > Subject: RE: ack attack or config prob? [7:56341]
> >
> >
> > > It sounds like you were under attack, though it's hard to say for sure.
> > > I doubt that it's a misconfig on your end, though. It could be a
> > > misconfig at the other server, but probably not. I don't think you can
> > > set the parameters that badly!? :-)
> > >
> > > It sounds like a DoS attack because of the volume of 100,000 packets.
> > > What's the timeframe, though? You said "burst" so I assume pretty quick.
> > >
> > > Did the problem happen just once or has it reoccurred?
> > >
> > > What do any relevant logs show? Do you have a firewall or Intrusion
> > > Detection System that logs info? How about the server itself? Does it
> > > show anything in its log?
> > >
> > > Were all the packets to the server?
> > >
> > > Were they ACKs or SYN ACKs? You mentioned both.
> > >
> > > Were they in response to something your server sent?
> > >
> > > Were they always the same ACK number?
> > >
> > > What were the port numbers? You mentioned e-mail, so were the packets
> > > to port 25 for SMTP? SMTP implementations used to have many security
> > > flaws. Hopefully those would be fixed in a modern OS, but you never know.
> > >
> > > Usually, DoS attacks are SYNs, but there are probably ones that use
> > > ACKs or SYN ACKs too. A search on Google might reveal more info.
> > >
> > > Anyway, I think you did the right thing by getting the ISP security
> > > folks involved. Keep us posted, unless they recommend that you keep it
> > > quiet.
> > >
> > > ___
> > >
> > > Priscilla Oppenheimer
> > > www.troubleshootingnetworks.com
> > > www.priscilla.com

Re: ack attack or config prob? [7:56341]

2002-10-26 Thread Garrett Allen
the filter doesn't like special characters.  sorry.  here is another try
without the less than symbol:

priscilla,

the bursts were less than 2mins each in duration as i recall.  they occurred
sporadically through the day.  i have traces and i'll look for more precise
timeframes later tonite.  within each burst the packets were from the same
ip address.  there were at least 2 unique non-contiguous ip addresses
involved and 1 repeated a burst at least once that we tracked (i.e. at least
2 bursts of 100k packets).

the trace reveals acks and fin acks; no syn or syn ack's noted (my reference
to syn acks in the prior email was the only reference i could find on the ms
site that discussed their retry implementation, which could cause this if it
was unlimited).  firewalls are in place which is why i was going down the
path of a misconfiguration on our servers.  in theory the firewall vendor
states that the firewall is doing a stateful inspection and we did see some
evidence of packets being dropped at the firewall - but not all.  if the
session was not previously opened the firewall should drop the ack and fin
ack's as they are not a valid start of session transmission.  each burst
contained the same sequence and ack numbers.

i wondered at first if it was our servers that was initiating this behavior
pattern.  we did reboot the servers.  urban legend has it (i.e. my neighbor
has a friend whose wife's cousin said ...) that unexpected terminations of
outlook web access can cause this kind of behavior to occur, but it is just
legend.  an examination of the trace doesn't point in that direction but i
need to spend more time reviewing them.  and the problem reoccurred after
the reboots.

like i said i think it is an interesting issue because there are so many
possibilities and it forces one to think about all the many things that can
go wrong.

thanks for your insights and thoughtful questions.

- Original Message -
From: "Garrett Allen" 
To: 
Sent: Saturday, October 26, 2002 9:59 PM
Subject: Re: ack attack or config prob? [7:56341]


> priscilla,
>
> the bursts were
> To:
> Sent: Saturday, October 26, 2002 7:40 PM
> Subject: RE: ack attack or config prob? [7:56341]
>
>
> > It sounds like you were under attack, though it's hard to say for sure. I
> > doubt that it's a misconfig on your end, though. It could be a misconfig at
> > the other server, but probably not. I don't think you can set the
> > parameters that badly!? :-)
> >
> > It sounds like a DoS attack because of the volume of 100,000 packets.
> > What's the timeframe, though? You said "burst" so I assume pretty quick.
> >
> > Did the problem happen just once or has it reoccurred?
> >
> > What do any relevant logs show? Do you have a firewall or Intrusion
> > Detection System that logs info? How about the server itself? Does it
> > show anything in its log?
> >
> > Were all the packets to the server?
> >
> > Were they ACKs or SYN ACKs? You mentioned both.
> >
> > Were they in response to something your server sent?
> >
> > Were they always the same ACK number?
> >
> > What were the port numbers? You mentioned e-mail, so were the packets to
> > port 25 for SMTP? SMTP implementations used to have many security flaws.
> > Hopefully those would be fixed in a modern OS, but you never know.
> >
> > Usually, DoS attacks are SYNs, but there are probably ones that use ACKs
> > or SYN ACKs too. A search on Google might reveal more info.
> >
> > Anyway, I think you did the right thing by getting the ISP security
> > folks involved. Keep us posted, unless they recommend that you keep it
> > quiet.
> >
> > ___
> >
> > Priscilla Oppenheimer
> > www.troubleshootingnetworks.com
> > www.priscilla.com
> >
> > Garrett Allen wrote:
> > >
> > > heys,
> > >
> > > ran into something interesting today.  not sure if it is a dos attack or
> > > if it indicates an ip stack misconfig. here is the symptom:
> > >
> > > periodically through the day today we received 100,000 packet bursts on
> > > a t-1 circuit.  this is a name-brand provider.  when the burst occurs it
> > > is from the same ip address.  on some bursts the packets are all acks.
> > > on others they are all fin acks.  they are directed at our email
> > > servers.  when they occur the packets in a burst are all sourced from
> > > the same ip address.  in the one case where we resolved the ip address
> > > back it was another orgs email server.  base

Re: ack attack or config prob? [7:56341]

2002-10-26 Thread Garrett Allen
priscilla,

the bursts were 
To: 
Sent: Saturday, October 26, 2002 7:40 PM
Subject: RE: ack attack or config prob? [7:56341]


> It sounds like you were under attack, though it's hard to say for sure. I
> doubt that it's a misconfig on your end, though. It could be a misconfig at
> the other server, but probably not. I don't think you can set the
> parameters that badly!? :-)
>
> It sounds like a DoS attack because of the volume of 100,000 packets.
> What's the timeframe, though? You said "burst" so I assume pretty quick.
>
> Did the problem happen just once or has it reoccurred?
>
> What do any relevant logs show? Do you have a firewall or Intrusion
> Detection System that logs info? How about the server itself? Does it show
> anything in its log?
>
> Were all the packets to the server?
>
> Were they ACKs or SYN ACKs? You mentioned both.
>
> Were they in response to something your server sent?
>
> Were they always the same ACK number?
>
> What were the port numbers? You mentioned e-mail, so were the packets to
> port 25 for SMTP? SMTP implementations used to have many security flaws.
> Hopefully those would be fixed in a modern OS, but you never know.
>
> Usually, DoS attacks are SYNs, but there are probably ones that use ACKs
> or SYN ACKs too. A search on Google might reveal more info.
>
> Anyway, I think you did the right thing by getting the ISP security folks
> involved. Keep us posted, unless they recommend that you keep it quiet.
>
> ___
>
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
>
> Garrett Allen wrote:
> >
> > heys,
> >
> > ran into something interesting today.  not sure if it is a dos attack or
> > if it indicates an ip stack misconfig. here is the symptom:
> >
> > periodically through the day today we received 100,000 packet bursts on
> > a t-1 circuit.  this is a name-brand provider.  when the burst occurs it
> > is from the same ip address.  on some bursts the packets are all acks.
> > on others they are all fin acks.  they are directed at our email
> > servers.  when they occur the packets in a burst are all sourced from
> > the same ip address.  in the one case where we resolved the ip address
> > back it was another orgs email server.  based on the router interface
> > stats the traffic is coming from the outside and is not an internal
> > broadcast storm.
> >
> > per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer
> > will retransmit the SYN-ACK 5 times, doubling the time-out value after
> > each retransmission."   if the same logic holds for other parts of the
> > handshake then i'm at a loss to explain tens of thousands of packets
> > unless it is an exploit of a weakness in the stack that allows for
> > virtually unlimited retries.
> >
> > anyone run into this kind of situation before and was the resolution a
> > service pack or other such server upgrade?  it caused considerable
> > slowness on external accesses as you might imagine.  i grabbed a number
> > of traces documenting it and we did contact our provider (they opened a
> > ticket with their security folk).
> >
> > thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56369&t=56341
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ack attack or config prob? [7:56341]

2002-10-26 Thread Priscilla Oppenheimer
It sounds like you were under attack, though it's hard to say for sure. I
doubt that it's a misconfig on your end, though. It could be a misconfig at
the other server, but probably not. I don't think you can set the parameters
that badly!? :-)

It sounds like a DoS attack because of the volume of 100,000 packets. What's
the timeframe, though? You said "burst" so I assume pretty quick.

Did the problem happen just once or has it reoccurred?

What do any relevant logs show? Do you have a firewall or Intrusion
Detection System that logs info? How about the server itself? Does it show
anything in its log?

Were all the packets to the server?

Were they ACKs or SYN ACKs? You mentioned both.

Were they in response to something your server sent?

Were they always the same ACK number?

What were the port numbers? You mentioned e-mail, so were the packets to
port 25 for SMTP? SMTP implementations used to have many security flaws.
Hopefully those would be fixed in a modern OS, but you never know.

Usually, DoS attacks are SYNs, but there are probably ones that use ACKs or
SYN ACKs too. A search on Google might reveal more info.

Anyway, I think you did the right thing by getting the ISP security folks
involved. Keep us posted, unless they recommend that you keep it quiet.

___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Garrett Allen wrote:
> 
> heys,
>
> ran into something interesting today.  not sure if it is a dos attack or
> if it indicates an ip stack misconfig. here is the symptom:
>
> periodically through the day today we received 100,000 packet bursts on a
> t-1 circuit.  this is a name-brand provider.  when the burst occurs it is
> from the same ip address.  on some bursts the packets are all acks.  on
> others they are all fin acks.  they are directed at our email servers.
> when they occur the packets in a burst are all sourced from the same ip
> address.  in the one case where we resolved the ip address back it was
> another orgs email server.  based on the router interface stats the
> traffic is coming from the outside and is not an internal broadcast storm.
>
> per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer
> will retransmit the SYN-ACK 5 times, doubling the time-out value after
> each retransmission."   if the same logic holds for other parts of the
> handshake then i'm at a loss to explain tens of thousands of packets
> unless it is an exploit of a weakness in the stack that allows for
> virtually unlimited retries.
>
> anyone run into this kind of situation before and was the resolution a
> service pack or other such server upgrade?  it caused considerable
> slowness on external accesses as you might imagine.  i grabbed a number
> of traces documenting it and we did contact our provider (they opened a
> ticket with their security folk).
>
> thanks.
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56365&t=56341
--
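Garrett's description above (bursts of pure ACKs or FIN-ACKs from one outside address, every segment carrying the same sequence and acknowledgement numbers, no SYN in sight) and Priscilla's triage checklist (timeframe, same ACK number or not, which port, solicited or not) can both be answered mechanically from the traces he captured. The following is an added example, not code from the thread or from any of its participants. It assumes the capture has already been exported to plain per-segment records, and runs on a constructed sample trace built to look like the reported symptom; `Segment`, `Burst`, `find_bursts` and `tracked_flows` are names chosen for the example.

```python
"""Triage a packet trace for bursts of unsolicited ACK / FIN-ACK segments.

Added example for the "ack attack or config prob?" thread; it is not code
from the thread or from any of its participants.  It assumes the capture has
been exported to plain per-segment records (timestamp, source, destination,
destination port, TCP flags, seq, ack).  The sample trace is constructed to
mimic the reported symptom: thousands of segments from one outside address,
all ACK or all FIN-ACK, identical seq/ack numbers, aimed at port 25, with no
SYN ever seen for that flow.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float    # seconds since start of trace
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "FA" FIN-ACK
    seq: int
    ack: int


@dataclass
class Burst:
    src: str
    dst: str
    dport: int
    flags: str
    seq: int
    ack: int
    count: int
    duration: float           # seconds between first and last segment of the burst
    in_tracked_session: bool  # did a SYN for this flow precede it?


def tracked_flows(segments):
    """Flows (src, dst, dport) that opened with a SYN: what a stateful firewall
    keeps in its table.  An ACK or FIN-ACK for any other flow is not a valid
    start of session and should have been dropped at the perimeter."""
    return {(s.src, s.dst, s.dport) for s in segments if s.flags == "S"}


def find_bursts(segments, min_count=1000):
    """Group segments by (src, dst, dport, flags, seq, ack).  A real connection
    advances its seq/ack numbers, so one large group with a fixed pair is a
    repeated, non-progressing segment: the pattern described in the thread."""
    groups = defaultdict(list)
    for s in segments:
        groups[(s.src, s.dst, s.dport, s.flags, s.seq, s.ack)].append(s.ts)
    flows = tracked_flows(segments)
    bursts = []
    for (src, dst, dport, flags, seq, ack), stamps in groups.items():
        if len(stamps) < min_count:
            continue
        bursts.append(Burst(src, dst, dport, flags, seq, ack, len(stamps),
                            max(stamps) - min(stamps), (src, dst, dport) in flows))
    bursts.sort(key=lambda b: b.count, reverse=True)
    return bursts


def report(bursts):
    """One line per burst answering the triage questions from the thread: how
    many, over what timeframe, which flags, same ACK number, which port, and
    whether the server ever solicited it."""
    lines = []
    for b in bursts:
        state = "matches a tracked session" if b.in_tracked_session else "no SYN seen (unsolicited)"
        lines.append(f"{b.src} -> {b.dst}:{b.dport} flags={b.flags} count={b.count} "
                     f"over {b.duration:.1f}s seq={b.seq} ack={b.ack} {state}")
    return lines


def constructed_trace():
    """Constructed sample, not a real capture (RFC 5737 documentation addresses)."""
    mail = "192.0.2.25"
    segs = [Segment(0.0, "198.51.100.7", mail, 25, "S", 1000, 0),
            Segment(0.01, mail, "198.51.100.7", 40000, "SA", 5000, 1001)]
    # legitimate SMTP session: sequence numbers advance with every segment
    for i in range(50):
        segs.append(Segment(0.02 + i * 0.1, "198.51.100.7", mail, 25, "A", 1001 + 100 * i, 5001))
    # suspect source: pure ACKs, then FIN-ACKs, identical seq/ack, never a SYN
    # (the thread reports 100k per burst; 5k and 3k keep the example quick)
    for i in range(5000):
        segs.append(Segment(300.0 + i * 0.02, "203.0.113.5", mail, 25, "A", 777777, 888888))
    for i in range(3000):
        segs.append(Segment(1800.0 + i * 0.03, "203.0.113.5", mail, 25, "FA", 777777, 888888))
    return segs


if __name__ == "__main__":
    for line in report(find_bursts(constructed_trace())):
        print(line)
```

The `in_tracked_session` flag is the stateful-inspection point Garrett raises: an ACK or FIN-ACK whose flow never opened with a SYN is exactly what the firewall is supposed to drop, so a burst reported as "no SYN seen" that still shows up on the server side of the firewall is something to take to the firewall vendor with the trace in hand. A burst whose flow did open normally points instead at the peer's retransmission behaviour, which is the other explanation the thread considers.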



Re: ack attack or config prob? [7:56341]

2002-10-26 Thread Garrett Allen
mark,

will keep you informed when we do hear from the vendors security folk. as an
aside ethereal (a really great lil' analyzer freely available for download)
had no problem keeping up with the data volumes - but do configure it with
various address translations turned off or it will appear to hang when
dealing with these data volumes.

we are on exchange 5.5 / nt 4 running the latest service packs.  the ms web
site is generally good for technical info but i've not found anything on
this particular set of symptoms which is why i question whether it is an
exploit or a misconfig.

thanks.


- Original Message -
From: "Mark W. Odette II" 
To: 
Sent: Saturday, October 26, 2002 3:41 PM
Subject: RE: ack attack or config prob? [7:56341]


> I don't have an answer to your question, though it does sound like a DoS
> attack to me...
>
> My only input is that if you are running NT 4.0 Servers, definitely
> ensure they are running Service Pack 6a, which you can get from MS's
> site.  Also, if you are running Exchange, make sure you have SP 4
> installed, as it fixes several issues relating to some critical Exchange
> functions.  For more info, review the release notes for both service
> packs before installing.
>
> Let us know what the ISP's security folks find... this would be an
> interesting learning experience.
>
> -Mark
> -Original Message-
> From: Garrett Allen [mailto:garrett.allen@;erols.com]
> Sent: Friday, October 25, 2002 10:51 PM
> To: [EMAIL PROTECTED]
> Subject: ack attack or config prob? [7:56341]
>
> heys,
>
> ran into something interesting today.  not sure if it is a dos attack or
> if it indicates an ip stack misconfig. here is the symptom:
>
> periodically through the day today we received 100,000 packet bursts on a
> t-1 circuit.  this is a name-brand provider.  when the burst occurs it is
> from the same ip address.  on some bursts the packets are all acks.  on
> others they are all fin acks.  they are directed at our email servers.
> when they occur the packets in a burst are all sourced from the same ip
> address.  in the one case where we resolved the ip address back it was
> another orgs email server.  based on the router interface stats the
> traffic is coming from the outside and is not an internal broadcast storm.
>
> per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer
> will retransmit the SYN-ACK 5 times, doubling the time-out value after
> each retransmission."   if the same logic holds for other parts of the
> handshake then i'm at a loss to explain tens of thousands of packets
> unless it is an exploit of a weakness in the stack that allows for
> virtually unlimited retries.
>
> anyone run into this kind of situation before and was the resolution a
> service pack or other such server upgrade?  it caused considerable
> slowness on external accesses as you might imagine.  i grabbed a number
> of traces documenting it and we did contact our provider (they opened a
> ticket with their security folk).
>
> thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56362&t=56341
--



RE: ack attack or config prob? [7:56341]

2002-10-26 Thread Mark W. Odette II
I don't have an answer to your question, though it does sound like a DoS
attack to me...

My only input is that if you are running NT 4.0 Servers, definitely
ensure they are running Service Pack 6a, which you can get from MS's
site.  Also, if you are running Exchange, make sure you have SP 4
installed, as it fixes several issues relating to some critical Exchange
functions.  For more info, review the release notes for both service
packs before installing.

Let us know what the ISP's security folks find... this would be an
interesting learning experience.

-Mark
-Original Message-
From: Garrett Allen [mailto:garrett.allen@;erols.com] 
Sent: Friday, October 25, 2002 10:51 PM
To: [EMAIL PROTECTED]
Subject: ack attack or config prob? [7:56341]

heys,

ran into something interesting today.  not sure if it is a dos attack or if
it indicates an ip stack misconfig. here is the symptom:

periodically through the day today we received 100,000 packet bursts on a
t-1 circuit.  this is a name-brand provider.  when the burst occurs it is
from the same ip address.  on some bursts the packets are all acks.  on
others they are all fin acks.  they are directed at our email servers.  when
they occur the packets in a burst are all sourced from the same ip address.
in the one case where we resolved the ip address back it was another orgs
email server.  based on the router interface stats the traffic is coming
from the outside and is not an internal broadcast storm.

per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer will
retransmit the SYN-ACK 5 times, doubling the time-out value after each
retransmission."   if the same logic holds for other parts of the handshake
then i'm at a loss to explain tens of thousands of packets unless it is an
exploit of a weakness in the stack that allows for virtually unlimited
retries.

anyone run into this kind of situation before and was the resolution a
service pack or other such server upgrade?  it caused considerable slowness
on external accesses as you might imagine.  i grabbed a number of traces
documenting it and we did contact our provider (they opened a ticket with
their security folk).

thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56360&t=56341
--



ack attack or config prob? [7:56341]

2002-10-25 Thread Garrett Allen
heys,

ran into something interesting today.  not sure if it is a dos attack or if
it indicates an ip stack misconfig. here is the symptom:

periodically through the day today we received 100,000 packet bursts on a
t-1 circuit.  this is a name-brand provider.  when the burst occurs it is
from the same ip address.  on some bursts the packets are all acks.  on
others they are all fin acks.  they are directed at our email servers.  when
they occur the packets in a burst are all sourced from the same ip address.
in the one case where we resolved the ip address back it was another orgs
email server.  based on the router interface stats the traffic is coming
from the outside and is not an internal broadcast storm.

per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer will
retransmit the SYN-ACK 5 times, doubling the time-out value after each
retransmission."   if the same logic holds for other parts of the handshake
then i'm at a loss to explain tens of thousands of packets unless it is an
exploit of a weakness in the stack that allows for virtually unlimited
retries.

anyone run into this kind of situation before and was the resolution a
service pack or other such server upgrade?  it caused considerable slowness
on external accesses as you might imagine.  i grabbed a number of traces
documenting it and we did contact our provider (they opened a ticket with
their security folk).

thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56341&t=56341
--



Re: Virus Attack and how to tackle it? [7:44936]

2002-05-24 Thread Alfredo Pulido

Have a look at this page from Cisco:

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml


I hope this helps.

--
--
 Alfredo Pulido   [EMAIL PROTECTED]
CCDA
 Dept. Sistemas, IdecNet S.A.
 Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria,
 Las Palmas // SPAIN
 Tel: +34 828 111 000   Fax: +34 828 111 112
 http://www.idecnet.com/
--
""a. ahmad""  wrote in message
news:[EMAIL PROTECTED]...
> Dear Members,
>
> 1-We are getting Virus attack message on our proxy(Squid)Machine not only
> from our own IP Pool but also from outside, Please guide how to tackle it as
> it is constantly choking our Bandwidth. i.e. one of the virus attack
> message we are getting on our proxy(squid) machine is as under:-
>
> 106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get
> http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? -
> DIRECT/www -
>
> 106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get
> http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
>
> 106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get
> http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
>
> 106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get
> http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
>
> 106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get
> http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -
>
>
> ...etc etc
>
> 2- we want to trace that which IP's are utilizing our maximum bandwidth so
> that we can limit that traffic accordingly in order to get Maximum
> efficiency?
>
> Thank you in advance!
> Ahmad




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44939&t=44936
--



Re: Virus Attack and how to tackle it? [7:44936]

2002-05-24 Thread [EMAIL PROTECTED]

Hi,

This is a trace of the Nimda and Code Red worms.  First thing you can do is
run a Nimda/Code Red scanner in your network and then apply the IIS patch for
all the affected Microsoft servers.  Also you can secure your network
perimeter by configuring NBAR on Cisco routers, or if you have a content
switch you can try filtering Nimda on that... or if you have an IDS, you can
configure shunning of the source.

Kind Regards /Thangavel

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
"The greatest glory in living lies not in never falling,
 but in rising every time we fall."
 -- Nelson Mandela




   
   
"a. ahmad"
Sent by: nobody@groupstudy.com
24/05/2002 08:16
Please respond to "a. ahmad"
To:
cc:
Fax to:
Subject: Virus Attack and how to tackle it? [7:44936]




Dear Members,

1-We are getting Virus attack message on our proxy(Squid)Machine not only
from our own IP Pool but also from outside, Please guide how to tackle it as
it is constantly choking our Bandwidth. i.e. one of the virus attack
message we are getting on our proxy(squid) machine is as under:-

106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get
http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? -
DIRECT/www -

106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get
http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?
 - DIRECT/www -

106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -

106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -

106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -

...etc etc

2- we want to trace that which IP's are utilizing our maximum bandwidth so
that we can limit that traffic accordingly in order to get Maximum
efficiency?

Thank you in advance!
Ahmad
**
This e-mail is from 186k Ltd and is intended only for the 
addressee named above. As this e-mail may contain confidential
or privileged information, if you are not the named addressee or
the person responsible for delivering the message to the named 
addressee, please advise the sender by return e-mail. The
contents should not be disclosed to any other person nor copies
taken.
186k Ltd is a Lattice Group company, registered in England 
& Wales No. 3751494 Registered Office 130 Jermyn Street 
London SW1Y 4UR
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44938&t=44936
--



Virus Attack and how to tackle it? [7:44936]

2002-05-24 Thread a. ahmad

Dear Members,

1-We are getting Virus attack message on our proxy(Squid)Machine not only
from our own IP Pool but also from outside, Please guide how to tackle it as
it is constantly choking our Bandwidth. i.e. one of the virus attack
message we are getting on our proxy(squid) machine is as under:-

106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get
http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? -
DIRECT/www -

106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get
http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?
 - DIRECT/www -

106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -

106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -

106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get
http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -

...etc etc

2- we want to trace that which IP's are utilizing our maximum bandwidth so
that we can limit that traffic accordingly in order to get Maximum efficiency?

Thank you in advance!
Ahmad




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44936&t=44936
--
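Thangavel's reply identifies the quoted log lines as Nimda / Code Red probes, and Ahmad's second question asks which clients are using the most bandwidth. Both can be read straight out of the Squid log. The following is an added example, not Squid's, Cisco's or any poster's code. It assumes Squid's native `access.log` layout (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/host, type), which is what the quoted lines look like; `SAMPLE_LOG` reuses the five probe lines from the post (the long one re-joined onto a single line) and adds constructed benign entries from private addresses. `parse_squid_line`, `is_worm_probe` and `analyze` are names chosen for the example.

```python
"""Pick Nimda / Code Red style probes out of a Squid access log and rank
clients by bytes served.

Added example for this thread; it is not Squid's, Cisco's or any poster's
code.  It assumes Squid's native access.log layout, which is what the lines
quoted in the thread look like:
    time elapsed client code/status bytes method URL ident hierarchy/host type
SAMPLE_LOG reuses the five probe lines from the post (the long one re-joined
onto a single line) plus constructed benign entries from private addresses.
"""
import re
from collections import Counter
from urllib.parse import unquote

# What the worms ask for: a shell reached through an IIS directory traversal.
# root.exe is the cmd.exe copy left behind by Code Red II that Nimda probes for.
SHELL_TARGETS = ("cmd.exe", "root.exe")

# Encodings seen in the post: double-encoded "\" ("%255c") and the overlong
# UTF-8 spellings of "/" and "\" that unpatched IIS decoded only after it had
# checked the path for "..".  "%252f" is the double-encoded "/" counterpart.
OVERLONG = re.compile(r"%25(5c|2f)|%c0%(af|2f)|%c1%1c", re.I)

SAMPLE_LOG = """\
106226.976 5 202.192.204.130 TCP_Miss/503 1210 Get http://www/_mem_bin/..%255c../..%255../..%255../winnt/system32/cmd.exe? - DIRECT/www -
106228.156 6 202.192.204.130 TCP_Miss/503 1266 Get http://www/msadc/..%255c../..%255c../..%255c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
106229.324 3 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c1%1c../winnt/system32/cmd.exe? - DIRECT/www -
106230.625 23 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%2f../winnt/system32/cmd.exe? - DIRECT/www -
106231.841 8 202.192.204.130 TCP_Miss/503 1170 Get http://www/Scripts/..%c0%af../winnt/system32/cmd.exe? - DIRECT/www -
106232.010 120 10.0.0.5 TCP_MISS/200 15000 GET http://www.example.com/index.html - DIRECT/192.0.2.80 text/html
106233.500 45 10.0.0.5 TCP_HIT/200 2500 GET http://www.example.com/logo.gif - NONE/- image/gif
106234.100 30 10.0.0.9 TCP_MISS/200 400 GET http://www.example.com/robots.txt - DIRECT/192.0.2.80 text/plain
"""


def parse_squid_line(line):
    """Parse one native-format line; returns None for lines that do not fit."""
    f = line.split()
    if len(f) < 7:
        return None
    try:
        return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
                "status": f[3], "bytes": int(f[4]), "method": f[5].upper(), "url": f[6]}
    except ValueError:
        return None


def normalize_path(url):
    """Decode twice (defeats the double-encoding trick), keep undecodable bytes
    as U+FFFD, lower-case, and unify separators so a '..' check is simple.
    The point: match the way the target decodes, not the way the log shows it."""
    path = unquote(unquote(url, errors="replace"), errors="replace").lower()
    return path.replace("\\", "/")


def is_worm_probe(url):
    """True for a traversal (plain, double-encoded or overlong UTF-8) reaching
    /winnt/system32/, or any direct request for cmd.exe / root.exe."""
    path = normalize_path(url)
    target = path.split("?", 1)[0].rsplit("/", 1)[-1]
    traversal = "../" in path or OVERLONG.search(url) is not None
    return target in SHELL_TARGETS or (traversal and "/winnt/system32/" in path)


def analyze(lines):
    """Probe count per client, bytes the proxy served per client, and the
    clients ranked by bytes (question 2 in the original post)."""
    probes, served = Counter(), Counter()
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        served[rec["client"]] += rec["bytes"]
        if is_worm_probe(rec["url"]):
            probes[rec["client"]] += 1
    return {"probes": probes, "bytes": served, "top_talkers": served.most_common()}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for client, n in result["probes"].most_common():
        print(f"{client}: {n} worm probes")
    for client, total in result["top_talkers"]:
        print(f"{client}: {total} bytes served")
```

Two caveats when running this over a real log. The bytes column is what the proxy sent back to the client, so the 503 responses to probes are small and the probing host will not top the bytes ranking even while it floods the link; the probe counter is the signal for it, and the bytes ranking answers the separate "who uses the bandwidth" question for ordinary clients. And the decode-twice normalisation is deliberately the same lenient decoding that IIS performed: a filter that compares the raw URL against `../` only would miss every line in the post.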



Re: info on virus attack [7:37798]

2002-03-10 Thread Gaz

Hi Paul,

Sorry, I neglected to defend the group there, but you are of course correct.
The virus was always direct to me, not through your server.
It's never normally a problem, just clean or delete, I just messed up and
used my work e-mail for a while some time ago, so I got nagged by our net
admins during the spate of viruses.
Sh*t happens when you're stupid  :-)

Gaz

""Paul Borghese""  wrote in message
news:[EMAIL PROTECTED]...
> What are you guys talking about?  It is highly unlikely  that a Virus will
> go through the server as all messages are stripped of their attachments and
> converted to plain-text before posting.  Plus messages that look like they
> could contain (or at one time did contain) viruses are filtered.
>
> What could happen is someone catches a virus and the virus scans the inbox.
> Of course the Inbox is full of messages from this list.  The virus then
> proceeds to send itself to everyone who has posted to the list and thus has
> a message in the client Inbox.  Unfortunately GroupStudy can not stop it as
> the virus is never propagated through the server.
>
> One way to prevent this is to use the web discussion board to participate
> where a valid e-mail address is not required (in fact you have the option of
> putting any e-mail address you desire as your public address).  That way,
> you can not be forwarded viruses - of course you also eliminate private
> e-mail concerning your posting.
>
> Take care,
>
> Paul Borghese
>
>
>
> - Original Message -
> From: "edna helem"
> To:
> Sent: Sunday, March 10, 2002 1:18 PM
> Subject: Re: info on virus attack [7:37798]
>
>
> > Gaz,
> >
> > You sent out an email re: virus being sent by [EMAIL PROTECTED]  I am
> > the wife of Abdi.  Let me explain to you and others concerned.  My husband
> > and I ordered DSL with verizon about 12 days ago.  We did not have a
> > firewall or virus software installed.  After about 3 days of service our
> > computer began to lock up and finally we had no service at all.  I had
> > been troubleshooting with verizon tech support for about 5 days before
> > they could tell me that there was a virus on my computer.  I immediately
> > went out and purchased the McAfee firewall and virus protection software.
> > The virus appears to have been removed.  I still do not have DSL service.
> > I am using a dial-up connection.  The name of the virus was the SirCam
> > virus.  I found out that the email was being propagated outside of my
> > computer through your email to the cisco study group in which I am a
> > member.  I apologize for any inconvenience, but we had no idea what has
> > been going on.  Verizon tech support had me contact [EMAIL PROTECTED] by
> > email to try and resolve this problem.  They are not accessible by phone
> > and their response to me by email has been that they have received my
> > email and due to so many cases it may take a few days to follow up with an
> > investigation.  It has been 4 days.  Does anyone have any suggestions on
> > who I can contact at verizon and their phone number?
> >
> >
> > >From: "Gaz"
> > >Reply-To: "Gaz"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: Serial (X.21) X-over cables [7:35212]
> > >Date: Wed, 13 Feb 2002 19:31:39 -0500
> > >
> > >Joel,
> > >
> > >Have a look at www.kg2.com
> > >Kelly Griffin used to post to the group. Not heard of him for a while.
> > >I've noticed he's doing some DB60 to RJ45 converters from March 2002 for
> > >around 20 dollars, so one of each DCE/DTE for 40 dollars and you're away -
> > >whatever length you want, and I believe the full crossover cables were
> > >around 25 dollars.
> > >
> > >I must add I have no links with Kelly or the company and not enough
> > >knowledge of them to recommend, but prices look decent and I know he's
> > >been around a while now.
> > >I keep meaning to buy the same but never got round to it.
> > >
> > >Gaz
> > >
> > >""Joel Satterley""  wrote in message
> > >news:[EMAIL PROTECTED]...
> > > > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT
> > > > crossover equivalent ?
> > > >
> > > > I need to use some back to back serial connections without using a
> > > > kilostream simulator.
> > > >
> > > > Any help would be gratefully rec'd.
> > > >
> > > > Thanks.
> > _
> > Join the worlds largest e-mail service with MSN Hotmail.
> > http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37817&t=37798
--



Re: info on virus attack [7:37798]

2002-03-10 Thread Paul Borghese

What are you guys talking about?  It is highly unlikely  that a Virus will
go through the server as all messages are stripped of their attachments and
converted to plain-text before posting.  Plus messages that look like they
could contain (or at one time did contain) viruses are filtered.

What could happen is someone catches a virus and the virus scans the inbox.
Of course the Inbox is full of messages from this list.  The virus then
proceeds to send itself to everyone who has posted to the list and thus has
a message in the client Inbox.  Unfortunately GroupStudy can not stop it as
the virus is never propagated through the server.

One way to prevent this is to use the web discussion board to participate
where a valid e-mail address is not required (in fact you have the option of
putting any e-mail address you desire as your public address).  That way,
you can not be forwarded viruses - of course you also eliminate private
e-mail concerning your posting.

Take care,

Paul Borghese



- Original Message -
From: "edna helem" 
To: 
Sent: Sunday, March 10, 2002 1:18 PM
Subject: Re: info on virus attack [7:37798]


> Gaz,
>
> You sent out an email re: virus being sent by [EMAIL PROTECTED]  I am
> the wife of Abdi.  Let me explain to you and others concerned.  My husband
> and I ordered DSL with Verizon about 12 days ago.  We did not have a
> firewall or virus software installed.  After about 3 days of service our
> computer began to lock up and finally we had no service at all.  I had been
> troubleshooting with Verizon tech support for about 5 days before they could
> tell me that there was a virus on my computer.  I immediately went out and
> purchased the McAfee firewall and virus protection software.  The virus
> appears to have been removed.  I still do not have DSL service.  I am using
> a dial-up connection.  The name of the virus was the SirCam virus.  I found
> out that the email was being propagated outside of my computer through your
> email to the Cisco study group in which I am a member.  I apologize for any
> inconvenience, but we had no idea what has been going on.  Verizon tech
> support had me contact [EMAIL PROTECTED] by email to try and resolve this
> problem.  They are not accessible by phone and their response to me by email
> has been that they have received my email and due to so many cases it may
> take a few days to follow up with an investigation.  It has been 4 days.
> Does anyone have any suggestions on who I can contact at Verizon and their
> phone number?
>
>
> >From: "Gaz"
> >Reply-To: "Gaz"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Serial (X.21) X-over cables [7:35212]
> >Date: Wed, 13 Feb 2002 19:31:39 -0500
> >
> >Joel,
> >
> >Have a look at www.kg2.com
> >Kelly Griffin used to post to the group. Not heard of him for a while. I've
> >noticed he's doing some DB60 to RJ45 converters from March 2002 for around
> >20 dollars, so one of each DCE/DTE for 40 dollars and you're away -
> >whatever length you want, and I believe the full crossover cables were
> >around 25 dollars.
> >
> >I must add I have no links with Kelly or the company and not enough
> >knowledge of them to recommend, but prices look decent and I know he's been
> >around a while now.
> >I keep meaning to buy the same but never got round to it.
> >
> >Gaz
> >
> >""Joel Satterley""  wrote in message
> >news:[EMAIL PROTECTED]...
> > > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT
> > > crossover equivalent ?
> > >
> > > I need to use some back to back serial connections without using a
> > > kilostream simulator.
> > >
> > > Any help would be gratefully rec'd.
> > >
> > > Thanks.
> _
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37809&t=37798
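Paul's post above describes the two defences a list server can apply: strip every attachment and reduce the message to plain text before it is redistributed, and filter messages that look like they carried a worm. The following is an added example of such a gateway sanitizer written for this page; it is not GroupStudy's own code, and the function names, the executable-extension list and the sample message are all constructed here. The double-extension check reflects the trick SirCam-era mass mailers used (a document name with a second, executable extension appended).

```python
"""Mailing-list gateway sanitizer: drop attachments, keep plain text,
and flag messages that carried a worm-style attachment.

Added example for this thread, not GroupStudy's own code. All names and
the sample message are constructed for illustration."""
import html
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Extensions Windows executes directly (assumed list, extend to taste).
EXEC_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "lnk", "vbs"}
# Harmless-looking first extensions a worm hides an executable behind.
DECOY_EXTENSIONS = {"doc", "xls", "jpg", "gif", "txt", "zip", "mp3"}


def looks_like_worm_payload(filename: str) -> bool:
    """True for executable extensions and for 'report.doc.pif'-style names."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    ext = parts[-1]
    double_ext = len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS
    return ext in EXEC_EXTENSIONS or double_ext


def html_to_text(markup: str) -> str:
    """Crude tag stripper, enough to turn an HTML-only body into list text."""
    return html.unescape(re.sub(r"<[^>]+>", "", markup)).strip()


def sanitize_for_list(raw: str) -> dict:
    """Return the plain-text body, the attachments dropped, and a worm flag."""
    msg = message_from_string(raw, policy=default)
    text_parts, dropped = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not content
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            dropped.append(filename or "<unnamed>")
            continue  # attachments never reach the list
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_parts.append(body.strip())
        elif ctype == "text/html":
            text_parts.append(html_to_text(body))
        # any other inline type (images, calendars, ...) is discarded
    return {
        "subject": msg["Subject"],
        "text": "\n\n".join(p for p in text_parts if p),
        "dropped": dropped,
        "suspicious": any(looks_like_worm_payload(f) for f in dropped),
    }


def build_sample() -> str:
    """Constructed message shaped like a mass-mailer infection, not a real one."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"      # placeholder address
    msg["To"] = "list@example.invalid"          # placeholder list address
    msg["Subject"] = "Re: info on virus attack"
    msg.set_content("Hi, see the attached notes.")
    msg.add_attachment(b"MZ\x90\x00 not a real executable",
                       maintype="application", subtype="octet-stream",
                       filename="notes.doc.pif")
    return msg.as_string()


if __name__ == "__main__":
    print(sanitize_for_list(build_sample()))
```

Run stand-alone, it reports the body text, `['notes.doc.pif']` as dropped and `suspicious: True`. A real gateway would quarantine a suspicious message rather than post even its text, since the body of a worm message carries no discussion value; the harvest-from-inbox propagation Paul describes is unaffected by this filter, which is why he recommends the web board for people who do not want their real address exposed to other subscribers' machines.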



Re: info on virus attack [7:37798]

2002-03-10 Thread Gaz

Hi Edna,

Good to hear you're all cleaned up again. There seems to be a different
contact number for every state. You can probably pick yours from the page
below (although I don't think this is for security):

http://www.verizon.net/contact/

Thanks for the update, although I knew which virus it was, I think I
received it about 18 times in all :-)

Do me a favour though - don't put me in your address book :-)

Good luck,

Gaz


""edna helem""  wrote in message
news:[EMAIL PROTECTED]...
> Gaz,
>
> You sent out an email re: virus being sent by [EMAIL PROTECTED]  I am
> the wife of Abdi.  Let me explain to you and others concerned.  My husband
> and I ordered DSL with Verizon about 12 days ago.  We did not have a
> firewall or virus software installed.  After about 3 days of service our
> computer began to lock up and finally we had no service at all.  I had been
> troubleshooting with Verizon tech support for about 5 days before they could
> tell me that there was a virus on my computer.  I immediately went out and
> purchased the McAfee firewall and virus protection software.  The virus
> appears to have been removed.  I still do not have DSL service.  I am using
> a dial-up connection.  The name of the virus was the SirCam virus.  I found
> out that the email was being propagated outside of my computer through your
> email to the Cisco study group in which I am a member.  I apologize for any
> inconvenience, but we had no idea what has been going on.  Verizon tech
> support had me contact [EMAIL PROTECTED] by email to try and resolve this
> problem.  They are not accessible by phone and their response to me by email
> has been that they have received my email and due to so many cases it may
> take a few days to follow up with an investigation.  It has been 4 days.
> Does anyone have any suggestions on who I can contact at Verizon and their
> phone number?
>
>
> >From: "Gaz"
> >Reply-To: "Gaz"
> >To: [EMAIL PROTECTED]
> >Subject: Re: Serial (X.21) X-over cables [7:35212]
> >Date: Wed, 13 Feb 2002 19:31:39 -0500
> >
> >Joel,
> >
> >Have a look at www.kg2.com
> >Kelly Griffin used to post to the group. Not heard of him for a while. I've
> >noticed he's doing some DB60 to RJ45 converters from March 2002 for around
> >20 dollars, so one of each DCE/DTE for 40 dollars and you're away -
> >whatever length you want, and I believe the full crossover cables were
> >around 25 dollars.
> >
> >I must add I have no links with Kelly or the company and not enough
> >knowledge of them to recommend, but prices look decent and I know he's been
> >around a while now.
> >I keep meaning to buy the same but never got round to it.
> >
> >Gaz
> >
> >""Joel Satterley""  wrote in message
> >news:[EMAIL PROTECTED]...
> > > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT
> > > crossover equivalent ?
> > >
> > > I need to use some back to back serial connections without using a
> > > kilostream simulator.
> > >
> > > Any help would be gratefully rec'd.
> > >
> > > Thanks.
> _
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37800&t=37798



Re: info on virus attack [7:37798]

2002-03-10 Thread edna helem

Gaz,

You sent out an email re: virus being sent by [EMAIL PROTECTED]  I am
the wife of Abdi.  Let me explain to you and others concerned.  My husband
and I ordered DSL with Verizon about 12 days ago.  We did not have a
firewall or virus software installed.  After about 3 days of service our
computer began to lock up and finally we had no service at all.  I had been
troubleshooting with Verizon tech support for about 5 days before they could
tell me that there was a virus on my computer.  I immediately went out and
purchased the McAfee firewall and virus protection software.  The virus
appears to have been removed.  I still do not have DSL service.  I am using
a dial-up connection.  The name of the virus was the SirCam virus.  I found
out that the email was being propagated outside of my computer through your
email to the Cisco study group in which I am a member.  I apologize for any
inconvenience, but we had no idea what has been going on.  Verizon tech
support had me contact [EMAIL PROTECTED] by email to try and resolve this
problem.  They are not accessible by phone and their response to me by email
has been that they have received my email and due to so many cases it may
take a few days to follow up with an investigation.  It has been 4 days.
Does anyone have any suggestions on who I can contact at Verizon and their
phone number?


>From: "Gaz" 
>Reply-To: "Gaz" 
>To: [EMAIL PROTECTED]
>Subject: Re: Serial (X.21) X-over cables [7:35212]
>Date: Wed, 13 Feb 2002 19:31:39 -0500
>
>Joel,
>
>Have a look at www.kg2.com
>Kelly Griffin used to post to the group. Not heard of him for a while. I've
>noticed he's doing some DB60 to RJ45 converters from March 2002 for around
>20 dollars, so one of each DCE/DTE for 40 dollars and you're away - 
>whatever
>length you want, and I believe the full crossover cables were around 25
>dollars.
>
>I must add I have no links with Kelly or the company and not enough
>knowledge of them to recommend, but prices look decent and I know he's been
>around a while now.
>I keep meaning to buy the same but never got round to it.
>
>Gaz
>
>""Joel Satterley""  wrote in message
>news:[EMAIL PROTECTED]...
> > Anyone know the Cisco part number (or pin-outs) for the Cab-x.21MT
> > crossover equivalent ?
> >
> > I need to use some back to back serial connections without using a
> > kilostream simulator.
> >
> > Any help would be gratefully rec'd.
> >
> > Thanks.
_
Join the world's largest e-mail service with MSN Hotmail.
http://www.hotmail.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37798&t=37798



RE: Brutal Attack! [7:37087]

2002-03-02 Thread John Allhiser

Congrats! I know how you feel.
There will be more celebrating while studying for the lab.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeff D
Sent: Saturday, March 02, 2002 5:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]


Just passed the Written.

Cheers and now beers!

Jeff D




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37092&t=37087



RE: Brutal Attack! [7:37087]

2002-03-02 Thread Juan Blanco

Jeff

Congratulations... please drink 7 on me; now the fun begins (be ready for
the lab).

JB

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeff D
Sent: Saturday, March 02, 2002 5:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]


Just passed the Written.

Cheers and now beers!

Jeff D




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37091&t=37087



RE: Brutal Attack! [7:37087]

2002-03-02 Thread Larry Letterman

Congrats, Jeff..
a well deserved round of beers...


Larry Letterman
Cisco Systems
[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeff D
Sent: Saturday, March 02, 2002 2:38 PM
To: [EMAIL PROTECTED]
Subject: Brutal Attack! [7:37087]


Just passed the Written.

Cheers and now beers!

Jeff D




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37089&t=37087



Brutal Attack! [7:37087]

2002-03-02 Thread Jeff D

Just passed the Written.

Cheers and now beers!

Jeff D




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37087&t=37087



Re: This Arab tried to attack me. [7:29190]

2001-12-17 Thread Muhammad Alkhattab

I just ran a scan from Symantec and I do have 100 infected files.  I am now
downloading the virus protection software.  Thanks for your understanding, Paul.
This is for those who think I am an Arab, which is fine with me, because I am
proud of who I am and what I believe in.  I was born and raised in Trinidad
and Tobago, West Indies, and my ancestors are from Africa, and I reverted to
Islam in 1974 (27 years ago), which included changing my name from a Christian
name to a Muslim name.  In my heart I have no color and no nationality.  I hurt
when I see pain all over the world.  This much I would say about myself.

Muhammad  Alkhattab
- Original Message -
From: "Paul Borghese" 
To: "Muhammad Alkhattab" 
Sent: Saturday, December 15, 2001 12:26 AM
Subject: Re: This Arab tried to attack me. [7:29190]


> I have received a number of e-mails that look like they originated from you
> with viruses attached.  Plus I have received complaints from others about
> receiving viruses from you.  Not that you did this maliciously.  Just the
> automated type that is sent out after an infection.  It happens to all of
> us.  You may want to scan your system for viruses just to be safe.
>
> Of course it could be an imposter, because the e-mails always had the from
> address of [EMAIL PROTECTED]  Notice the _ in the e-mail address.
>
> Take care,
>
> Paul
> - Original Message -
> From: "Muhammad Alkhattab" 
> To: 
> Sent: Saturday, December 15, 2001 12:54 AM
> Subject: Re: This Arab tried to attack me. [7:29190]
>
>
> > Whoever you are, I have never sent you any virus.  I myself have been
> > receiving spam (mails that I have never sent).
> >
> > Muhammad  Alkhattab
> > - Original Message -
> > From: "Jon Street"
> > To:
> > Sent: Friday, December 14, 2001 8:56 AM
> > Subject: This Arab tried to attack me. [7:29190]
> >
> >
> > > Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> > > offence to my statements about those who said on this forum about us
> > > needing to understand the terrorists' issues and why they are so angry
> > > with us.  This little worm tried sending me viruses to screw up my
> > > computer.  I just wanted to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29278&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Paul Borghese

Hey it happens to the best of us.  Read this news article about how Cisco
recently sent a virus to the NANOG mailing list.  The title is "Cisco
Release of Goner Worm Raises Eyebrows".

http://www.newsbytes.com/news/01/172978.html


Paul Borghese



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29273&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Muhammad Alkhattab

Whoever you are, I have never sent you any virus.  I myself have been receiving
spam (mails that I have never sent).

Muhammad  Alkhattab
- Original Message -
From: "Jon Street" 
To: 
Sent: Friday, December 14, 2001 8:56 AM
Subject: This Arab tried to attack me. [7:29190]


> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29265&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Tom Lisa

IP Security! Isn't that a contradiction in terms? :)

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco Regional Networking Academy

Steve Smith wrote:

> Hey you left out us Mexicans! I agree. We must get 100's of viruses sent
> to us that are caught; we even get them sent from our LAWYERS... well,
> go figure on that. It's NOT a personal attack, although that has
> happened, but it's what we have to live with these days. Anyway, just go
> with the flow, keep your signatures updated, filter like a murf and all
> should be fine. Now back to our previously scheduled
> discussion... IPSEC, what does it stand for and how do I use it. :>
>
> -Original Message-
> From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 14, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: This Arab tried to attack me. [7:29190]
>
> For your general culture, I'm Arabic.  Sometimes I receive viruses from
> messages in this board and other messages from many people in multiple
> countries.  I do not consider them personal attacks and I'm not angry with
> anybody.  This board is for Arabs, Jews, US citizens, Chinese... to
> share their technical knowledge and exchange experiences, not for off
> topics.
> If you have problems with this guy, please deal with him directly and leave
> this board for Cisco subjects.
> "Jon Street" wrote in message:
> [EMAIL PROTECTED]
> > Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> > offence to my statements about those who said on this forum about us
> > needing to understand the terrorists' issues and why they are so angry
> > with us.  This little worm tried sending me viruses to screw up my
> > computer.  I just wanted to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29263&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Hehdili Nizar

IPSEC stands for a standard for IP encryption; it uses multiple algorithms
for encrypting IP data.
You can use it in routers, firewalls, dedicated hardware boxes and with
some software clients.
With IPsec you can use encrypted tunnels to send your traffic over the
Internet or an intranet, and you can use it between any of the device types
just listed.
You need a good design to use it well; tell us more about what your needs are
and what your environment is, and we will try to find the most suitable
solution for you.
"Steve Smith" wrote in message:
[EMAIL PROTECTED]
> Hey you left out us Mexicans! I agree. We must get 100's of viruses sent
> to us that are caught; we even get them sent from our LAWYERS... well,
> go figure on that. It's NOT a personal attack, although that has
> happened, but it's what we have to live with these days. Anyway, just go
> with the flow, keep your signatures updated, filter like a murf and all
> should be fine. Now back to our previously scheduled
> discussion... IPSEC, what does it stand for and how do I use it. :>
>
> -Original Message-
> From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 14, 2001 1:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: This Arab tried to attack me. [7:29190]
>
>
> For your general culture, I'm Arabic.  Sometimes I receive viruses from
> messages in this board and other messages from many people in multiple
> countries.  I do not consider them personal attacks and I'm not angry with
> anybody.  This board is for Arabs, Jews, US citizens, Chinese... to
> share their technical knowledge and exchange experiences, not for off
> topics.
> If you have problems with this guy, please deal with him directly and leave
> this board for Cisco subjects.
> "Jon Street" wrote in message:
> [EMAIL PROTECTED]
> > Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> > offence to my statements about those who said on this forum about us
> > needing to understand the terrorists' issues and why they are so angry
> > with us.  This little worm tried sending me viruses to screw up my
> > computer.  I just wanted to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29252&t=29190



RE: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Steve Smith

Hey you left out us Mexicans! I agree. We must get 100's of viruses sent
to us that are caught; we even get them sent from our LAWYERS... well,
go figure on that. It's NOT a personal attack, although that has
happened, but it's what we have to live with these days. Anyway, just go
with the flow, keep your signatures updated, filter like a murf and all
should be fine. Now back to our previously scheduled
discussion... IPSEC, what does it stand for and how do I use it. :>

-Original Message-
From: Hehdili Nizar [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 1:29 PM
To: [EMAIL PROTECTED]
Subject: Re: This Arab tried to attack me. [7:29190]


For your general culture, I'm Arabic.  Sometimes I receive viruses from
messages in this board and other messages from many people in multiple
countries.  I do not consider them personal attacks and I'm not angry with
anybody.  This board is for Arabs, Jews, US citizens, Chinese... to
share their technical knowledge and exchange experiences, not for off
topics.
If you have problems with this guy, please deal with him directly and leave
this board for Cisco subjects.
"Jon Street" wrote in message:
[EMAIL PROTECTED]
> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29238&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Hehdili Nizar

For your general culture, I'm Arabic.  Sometimes I receive viruses from
messages in this board and other messages from many people in multiple
countries.  I do not consider them personal attacks and I'm not angry with
anybody.  This board is for Arabs, Jews, US citizens, Chinese... to
share their technical knowledge and exchange experiences, not for off
topics.
If you have problems with this guy, please deal with him directly and leave
this board for Cisco subjects.
"Jon Street" wrote in message:
[EMAIL PROTECTED]
> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29219&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Patrick Ramsey

Can we just invest in a decent mail reader?  Or maybe download Pegasus... it's
free!  Anyone for elm?

>>> "Chris White"  12/14/01 11:55AM >>>
I have received numerous viruses from people on this list including
the individual you mentioned. I do not consider them personal attacks.
This message on the other hand.

This type of nonsense just feeds ignorance and hatred and is
inappropriate for this forum.


On Fri, 14 Dec 2001, Jon Street wrote:

> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29214&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Chris White

I have received numerous viruses from people on this list including
the individual you mentioned. I do not consider them personal attacks.
This message on the other hand.

This type of nonsense just feeds ignorance and hatred and is
inappropriate for this forum.


On Fri, 14 Dec 2001, Jon Street wrote:

> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29199&t=29190



RE: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Mike Sweeney

Worm?  If I said that about all the viruses I have had pop up here in the
last few months, I'd have no friends left at all. I personally think he got
tagged and that it was unintentional on his part.

MikeS



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29203&t=29190



Re: This Arab tried to attack me. [7:29190]

2001-12-14 Thread Paul Borghese

He is infected with a virus and is sending that worm to everyone that posts.
He probably does not even know that he is infected.  Just every message he
receives gets a little thank-you note from the virus.  You are probably now
going to start a backlash on GroupStudy that we do not need.  Frankly I
think you owe him and the Arab community an apology.

Last week, I removed him from the list.  But any message sent before the
removal will still receive the virus.  Of course he is more than welcome to
return once the virus has been cleaned.

Paul
- Original Message -
From: ""Jon Street"" 
Newsgroups: groupstudy.cisco
Sent: Friday, December 14, 2001 8:56 AM
Subject: This Arab tried to attack me. [7:29190]


> Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
> offence to my statements about those who said on this forum about us needing
> to understand the terrorists' issues and why they are so angry with us.  This
> little worm tried sending me viruses to screw up my computer.  I just wanted
> to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29198&t=29190



This Arab tried to attack me. [7:29190]

2001-12-14 Thread Jon Street

Muhammad Alkhattab, e-mail address [EMAIL PROTECTED], must have taken
offence to my statements about those who said on this forum about us needing
to understand the terrorists' issues and why they are so angry with us.  This
little worm tried sending me viruses to screw up my computer.  I just wanted
to let everyone know who this person is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29190&t=29190



What steps to take under *any* attack? [7:23336]

2001-10-17 Thread Ryan Ngai Hon Kong

Hi!

I have a couple of questions with regard to security attacks (for beginners
like me!), if you suspect this will happen to you.  Say you have a PIX with a
Cisco router, your inbound traffic is very high and the PIX log is filling up
with lots of port scanning, connection drops, DoS attacks, Nimda, etc.  What
would you do in the first place?  Any steps or procedures people practise?

As for my suggestion, if the logs show an http attack (based on the destination
port), I would intend to debug ip http traffic in the router, then probably ip
icmp traffic.  If most of the traffic is inbound, I would immediately apply an
access-list to filter all the inbound http traffic.

Any suggestions?
Regards,
Ryan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=23336&t=23336
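Before debugging or dropping an ACL on the router, the first step most practitioners take with a PIX log that is "filling up" is to summarise it: who is hitting what, and whether the noise is one host sweeping many ports or many hosts probing one service. The following is an added example written for this question, not code from the thread or from Cisco. The log lines are constructed here in the shape of PIX messages 106023 (deny by access-group) and 106015 (deny, no connection); the addresses are RFC 5737 documentation ranges, and the scan threshold and function names are assumptions.

```python
"""Triage of PIX deny messages: distinguish a single port scanner from a
distributed probe of one service before choosing a filter.

Added example for this thread; log lines are constructed, not captured."""
import re
from collections import defaultdict

# Matches both "Deny tcp src outside:A/p dst inside:B/q by access-group ..."
# (message 106023) and "Deny TCP (no connection) from A/p to B/q ..." (106015).
PIX_DENY = re.compile(
    r"%PIX-\d-(?P<msgid>\d{6}): Deny (?P<proto>\w+)(?: \(no connection\))?"
    r" (?:src \w+:|from )(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
    r" (?:dst \w+:|to )(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)


def parse_pix_line(line: str):
    """Return the fields of a deny message as a dict, or None for anything else."""
    m = PIX_DENY.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(lines, scan_threshold=10):
    """Summarise deny messages: sources sweeping many ports, and the ports
    drawing the most distinct sources. scan_threshold is an assumed cut-off."""
    ports_by_src = defaultdict(set)   # distinct destination ports per source
    srcs_by_dport = defaultdict(set)  # distinct sources per destination port
    parsed = 0
    for line in lines:
        rec = parse_pix_line(line)
        if rec is None:
            continue                  # connection-built, teardown, etc.
        parsed += 1
        ports_by_src[rec["src"]].add(rec["dport"])
        srcs_by_dport[rec["dport"]].add(rec["src"])
    scanners = {src: len(ports) for src, ports in ports_by_src.items()
                if len(ports) >= scan_threshold}
    top_dports = sorted(((port, len(srcs)) for port, srcs in srcs_by_dport.items()),
                        key=lambda t: (-t[1], t[0]))
    return {"parsed": parsed, "scanners": scanners, "top_dports": top_dports}


# Constructed sample: one host sweeping 12 ports, eight hosts probing port 80,
# and one unrelated connection-built message that must be ignored.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 1433]
SAMPLE_LOG = [
    f'%PIX-4-106023: Deny tcp src outside:203.0.113.5/{40000 + i} '
    f'dst inside:192.0.2.10/{p} by access-group "outside_in"'
    for i, p in enumerate(SCAN_PORTS)
] + [
    f'%PIX-6-106015: Deny TCP (no connection) from 198.51.100.{h}/3321 '
    f'to 192.0.2.10/80 flags SYN on interface outside'
    for h in range(1, 9)
] + [
    '%PIX-6-302013: Built inbound TCP connection 12 for '
    'outside:198.51.100.20/5555 (198.51.100.20/5555) '
    'to inside:192.0.2.10/80 (192.0.2.10/80)',
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("parsed:", summary["parsed"])
    print("port scanners:", summary["scanners"])
    print("busiest destination ports:", summary["top_dports"][:3])
```

The two outputs answer Ryan's question differently: a source that appears in `scanners` is a single host sweeping the firewall, so a filter aimed at that one address costs nothing; a port that tops `top_dports` with many distinct sources is a service being probed by a worm or a flood, where a blanket inbound block on that port (Ryan's suggestion) also cuts off legitimate users, and a narrower response such as rate-limiting or blocking only the probing sources is usually preferable. Running `debug` on a busy production router while under load, as the post proposes, is itself a risk to the box; the summary above comes from logs the PIX has already written.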



RE: Denial of service attack prevention [7:19568]

2001-09-14 Thread Haydn Solomon

That's some really good information. I'll definitely have to look into
taking some of these measures. You can never be too secure. If I find
any other strategies on the router side I'll post it. Thanks a lot guys.

-- Haydn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Brian Whalen
Sent: Thursday, September 13, 2001 3:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Denial of service attack prevention [7:19568]

Here's a good Solaris security article, likely applicable to other nixes.

http://www.samag.com/articles/2000/0013/0013c/0013c.htm

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Thu, 13 Sep 2001, MADMAN wrote:

> I don't know what else on the router you could do but there are things
> you can do on your host but not being a sys admin I can't get into
> details.  Check this out:
>
> http://www.cisco.com/warp/public/707/4.html
>
>   Dave
>
> Haydn Solomon wrote:
> >
> > Actually I was asking what OTHER means than tcp intercept there was
> > because we don't have the version that supports it. Can you answer
that?
> > I know that our version doesn't cause I checked with the "?" feature
and
> > the option isn't there. In any case here is a copy of the sh ver.
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE
SOFTWARE
> > (fc1)
> > Copyright (c) 1986-2000 by cisco Systems, Inc.
> > Compiled Wed 27-Dec-00 13:54 by linda
> > Image text-base: 0x60010930, data-base: 0x60C46000
> >
> > ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE
> > SOFTWARE (fc1)
> > BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY
> > DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > -- Haydn
> >
> > -Original Message-
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 11:05 AM
> > To: Haydn Solomon
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Denial of service attack prevention [7:19568]
> >
> >   send a sh ver of your router, not all platforms support TCP Intercept.
> >
> >   Dave
> >
> > Haydn Solomon wrote:
> > >
> > > Hi all,
> > >
> > > I was recently reading an article on Cisco's site about strategies for
> > > preventing denial of service attacks. They mentioned the ip intercept
> > > configuration feature for IOS version 11.3. However our routers are
> > > running version 12.0 and don't have that feature. Does anyone out
> > > there know what other effective strategies can be used to prevent this
> > > kind of attack on IOS versions other than 11.3? Any input will be
> > > appreciated, thanks.
> > >
> > > -Haydn
> > --
> > David Madland
> > Sr. Network Engineer
> > CCIE# 2016
> > Qwest Communications Int. Inc.
> > [EMAIL PROTECTED]
> > 612-664-3367
> >
> > "Emotion should reflect reason not guide it"
> >
> > _
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
>
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19929&t=19568



Re: Denial of service attack prevention [7:19568]

2001-09-13 Thread Brian Whalen

Here's a good Solaris security article, likely applicable to other *nixes..

http://www.samag.com/articles/2000/0013/0013c/0013c.htm

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Thu, 13 Sep 2001, MADMAN wrote:

> I don't know what else on the router you could do but there are things
> you can do on your host but not being a sys admin I can't get into
> details.  Check this out:
>
> http://www.cisco.com/warp/public/707/4.html
>
>   Dave
>
> Haydn Solomon wrote:
> >
> > Actually I was asking what OTHER means than tcp intercept there was
> > because we don't have the version that supports it. Can you answer that?
> > I know that our version doesn't because I checked with the "?" feature and
> > the option isn't there. In any case here is a copy of the sh ver.
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE
> > (fc1)
> > Copyright (c) 1986-2000 by cisco Systems, Inc.
> > Compiled Wed 27-Dec-00 13:54 by linda
> > Image text-base: 0x60010930, data-base: 0x60C46000
> >
> > ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE
> > SOFTWARE (fc1)
> > BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY
> > DEPLOYMENT RELEASE SOFTWARE (fc1)
> >
> > -- Haydn
> >
> > -Original Message-
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 12, 2001 11:05 AM
> > To: Haydn Solomon
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Denial of service attack prevention [7:19568]
> >
> >   send a sh ver of your router, not all platforms support TCP Intercept.
> >
> >   Dave
> >
> > Haydn Solomon wrote:
> > >
> > > Hi all,
> > >
> > > I was recently reading an article on Cisco's site about strategies for
> > > preventing denial of service attacks. They mentioned the ip intercept
> > > configuration feature for IOS version 11.3. However our routers are
> > > running version 12.0 and don't have that feature. Does anyone out
> > > there know what other effective strategies can be used to prevent this
> > > kind of attack on IOS versions other than 11.3? Any input will be
> > > appreciated, thanks.
> > >
> > > -Haydn
> > --
> > David Madland
> > Sr. Network Engineer
> > CCIE# 2016
> > Qwest Communications Int. Inc.
> > [EMAIL PROTECTED]
> > 612-664-3367
> >
> > "Emotion should reflect reason not guide it"
> >
> > _
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
>
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19824&t=19568



Re: Denial of service attack prevention [7:19568]

2001-09-13 Thread MADMAN

I don't know what else on the router you could do but there are things
you can do on your host but not being a sys admin I can't get into
details.  Check this out:

http://www.cisco.com/warp/public/707/4.html

  Dave

Haydn Solomon wrote:
> 
> Actually I was asking what OTHER means than tcp intercept there was
> because we don't have the version that supports it. Can you answer that?
> I know that our version doesn't because I checked with the "?" feature and
> the option isn't there. In any case here is a copy of the sh ver.
> 
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE
> (fc1)
> Copyright (c) 1986-2000 by cisco Systems, Inc.
> Compiled Wed 27-Dec-00 13:54 by linda
> Image text-base: 0x60010930, data-base: 0x60C46000
> 
> ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE
> SOFTWARE (fc1)
> BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY
> DEPLOYMENT RELEASE SOFTWARE (fc1)
> 
> -- Haydn
> 
> -Original Message-
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 12, 2001 11:05 AM
> To: Haydn Solomon
> Cc: [EMAIL PROTECTED]
> Subject: Re: Denial of service attack prevention [7:19568]
> 
>   send a sh ver of your router, not all platforms support TCP Intercept.
> 
>   Dave
> 
> Haydn Solomon wrote:
> >
> > Hi all,
> >
> > I was recently reading an article on Cisco's site about strategies for
> > preventing denial of service attacks. They mentioned the ip intercept
> > configuration feature for IOS version 11.3. However our routers are
> > running version 12.0 and don't have that feature. Does anyone out
> > there know what other effective strategies can be used to prevent this
> > kind of attack on IOS versions other than 11.3? Any input will be
> > appreciated, thanks.
> >
> > -Haydn
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
> 
> "Emotion should reflect reason not guide it"
> 
> _
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com

-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19773&t=19568



RE: Denial of service attack prevention [7:19568]

2001-09-12 Thread Haydn Solomon

Actually I was asking what OTHER means than tcp intercept there was
because we don't have the version that supports it. Can you answer that?
I know that our version doesn't because I checked with the "?" feature and
the option isn't there. In any case here is a copy of the sh ver.


Cisco Internetwork Operating System Software 
IOS (tm) RSP Software (RSP-ISV-M), Version 12.0(15), RELEASE SOFTWARE
(fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 27-Dec-00 13:54 by linda
Image text-base: 0x60010930, data-base: 0x60C46000

ROM: System Bootstrap, Version 11.1(8)CA1, EARLY DEPLOYMENT RELEASE
SOFTWARE (fc1)
BOOTFLASH: GS Software (RSP-BOOT-M), Version 11.1(22)CA, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

-- Haydn


-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, September 12, 2001 11:05 AM
To: Haydn Solomon
Cc: [EMAIL PROTECTED]
Subject: Re: Denial of service attack prevention [7:19568]



  send a sh ver of your router, not all platforms support TCP Intercept.

  Dave

Haydn Solomon wrote:
> 
> Hi all,
> 
> I was recently reading an article on Cisco's site about strategies for
> preventing denial of service attacks. They mentioned the ip intercept
> configuration feature for IOS version 11.3. However our routers are
> running version 12.0 and don't have that feature. Does anyone out
> there know what other effective strategies can be used to prevent this
> kind of attack on IOS versions other than 11.3? Any input will be
> appreciated, thanks.
> 
> -Haydn
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"


_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19719&t=19568



Re: Denial of service attack prevention [7:19568]

2001-09-12 Thread Brian

Good way to limit syn floods, nice..

Bri

- Original Message -
From: "Kent Hundley" 
To: 
Sent: Wednesday, September 12, 2001 8:30 AM
Subject: RE: Denial of service attack prevention [7:19568]


> Go to http://www.cisco.com/go/fn and search for "TCP intercept".
>
> HTH,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Haydn Solomon
> Sent: Wednesday, September 12, 2001 7:01 AM
> To: [EMAIL PROTECTED]
> Subject: Denial of service attack prevention [7:19568]
>
>
> Hi all,
>
> I was recently reading an article on Cisco's site about strategies for
> preventing denial of service attacks. They mentioned the ip intercept
> configuration feature for IOS version 11.3. However our routers are
> running version 12.0 and don't have that feature. Does anyone out
> there know what other effective strategies can be used to prevent this
> kind of attack on IOS versions other than 11.3? Any input will be
> appreciated, thanks.
>
> -Haydn




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19622&t=19568



RE: Denial of service attack prevention [7:19568]

2001-09-12 Thread Kent Hundley

Go to http://www.cisco.com/go/fn and search for "TCP intercept".

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Haydn Solomon
Sent: Wednesday, September 12, 2001 7:01 AM
To: [EMAIL PROTECTED]
Subject: Denial of service attack prevention [7:19568]


Hi all,

I was recently reading an article on Cisco's site about strategies for
preventing denial of service attacks. They mentioned the ip intercept
configuration feature for IOS version 11.3. However our routers are
running version 12.0 and don't have that feature. Does anyone out
there know what other effective strategies can be used to prevent this
kind of attack on IOS versions other than 11.3? Any input will be
appreciated, thanks.

-Haydn




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19601&t=19568



Re: Denial of service attack prevention [7:19568]

2001-09-12 Thread MADMAN

send a sh ver of your router, not all platforms support TCP Intercept.

  Dave

Haydn Solomon wrote:
> 
> Hi all,
> 
> I was recently reading an article on Cisco's site about strategies for
> preventing denial of service attacks. They mentioned the ip intercept
> configuration feature for IOS version 11.3. However our routers are
> running version 12.0 and don't have that feature. Does anyone out
> there know what other effective strategies can be used to prevent this
> kind of attack on IOS versions other than 11.3? Any input will be
> appreciated, thanks.
> 
> -Haydn
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19595&t=19568



Denial of service attack prevention [7:19568]

2001-09-12 Thread Haydn Solomon

Hi all,

I was recently reading an article on Cisco's site about strategies for
preventing denial of service attacks. They mentioned the ip intercept
configuration feature for IOS version 11.3. However our routers are
running version 12.0 and don't have that feature. Does anyone out
there know what other effective strategies can be used to prevent this
kind of attack on IOS versions other than 11.3? Any input will be
appreciated, thanks.

-Haydn




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19568&t=19568



AT&T Telco response to the terrorist attack [7:19466]

2001-09-11 Thread Hennen, David

Regarding this terrible tragedy, this message from AT&T was circulated to
the network staff at my company.  I thought it might be of interest to the
group

dave h

Subject: AT&T Code YELLOW URGENT!!


All AT&T provisioning and cutovers are cancelled.

AT&T has moved to code YELLOW.

2.07 Condition YELLOW: can be implemented when the Government's emergency
action procedures have been placed in a "readiness" posture. This alert will
be used when a military or political situation deteriorates.  It envisions a
period of indefinite length and scope.
 A. All CONDITION GRAY restrictions invoked by the NOC shall be
    followed.  In addition to those precautions, the following
    security measures should be observed as well as any measures
    the NOC may add.

 B. All critical locations require 7X24 guard and Network
    Operations coverage.  This includes 7X24 security guards
    stationed outside of all critical building entry points.

 C. All major facility locations (more than 250 T3s) and all
    international cable landings, to have either 7X24 guard
    coverage or 7X24 Network Operations coverage.

 D. All other locations should have coverage not less than which
    is considered "normal".

 E. The Network Operations Center (NOC), the Regional Network
    Operations Centers (RNOCs), the Network Control Centers
    (NCCs) and the National Electronic System Assistance Centers
    (NESACs) will have 7X24 coverage.

 F. For locations with dedicated Government services, e.g. FTS-
    2000, DCTN, etc., ensure that the coverage meets at least
    minimum required coverage.

 G. Consideration shall be given to increasing the frequency of
    patrols to once each 12 hours to cover critical locations,
    if consistent with the safety of the personnel.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19466&t=19466



Re: PIX static command and em_limit - SYN attack [7:17994]

2001-08-31 Thread Allen May

I put 4 for max_conns and 100 for emb_limit.  I haven't got any hard
evidence that this is the best way for a webserver, but it works ;)

emb_limit just limits how many connections are held that have not completed
the TCP 3-way handshake, thereby stopping SYN attacks from reaching the
server.  Once emb_limit is reached, subsequent attempts are dropped until
timeout is reached on other held connections.  Subsequent connections from
that source IP will be dropped to keep it from keeping emb_limit full.
Otherwise you'd have a DOS of your own making just from setting this value.
If you wanted to truly set this at realistic values you would have to do
some testing to see what normal embryonic connection values you have during
peak hours under normal circumstances.  Just my way of thinking, but I'd add
about 50% - 200% to that value just in case you get a sudden influx of
legitimate users trying to access the server.  Keep an eye on log files for
the server (assuming it's a web server and you log this information).  In
IIS and Apache it will tell you how many users dropped connection, gave up
before it loaded, etc if you have a log file analyzer (I use ANALOG - it's
free).  Obviously setting this too low could make end users fairly angry.
;)

Again, IMHO, Max_conns should be set to whatever you believe the max # of
simultaneous users your server can handle.  The only way to get a true
feeling for what this is would be to download some software to test the
limits of your server.  I know there are some free ones out there but I
haven't used any myself.  Web development took care of that for me. ;)

Sooo...umm...I guess you could say there really isn't an answer that applies
to everyone.  Obviously someone like yahoo.com would have much higher
numbers on both settings compared to Joe Blow's web page on raising
hamsters.

Did I help?  Confuse?  Either way I accomplished something on only 1 cup of
coffee ;)  (by the way, that's a disclaimer for any inadvertent idiotic
comments made above).  The opinions of my fingers and tired brain are not
necessarily my own.

Allen
- Original Message -
From: "Bill Carter" 
To: 
Sent: Thursday, August 30, 2001 7:53 PM
Subject: PIX static command and em_limit - SYN attack [7:17994]


> I am installing a PIX.  In the static commands the last switch is for the
> limit on embryonic connects.
>
> static (DMZ,outside) X.X.X.15 192.168.1.13 netmask 255.255.255.255 0 0

> Every sample configuration I have seen leaves this value at 0.  I hate to
> bring logic into this but, logic tells me that I would want to put a limit
> on embryonic sessions to protect against SYN attacks.  What is a
reasonable
> limit to put on this balancing security and availability?  20, 100, 500?
>
> What value do you use in real world implementations???
>
>
> From CCO: watch the wrap.
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid1006867
>
> The embryonic connection limit. An embryonic connection is one that has
> started but not yet completed. Set this limit to prevent attack by a flood
> of embryonic connections. The default is 0, which means unlimited
> connections
>
>
> ^-^-^-^-^-^-^-^-^-^-^
> Bill Carter
> CCIE 5022
> ^-^-^-^-^-^-^-^-^-^-^




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=18104&t=17994


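The emb_limit discussion above and the TCP intercept thread earlier on this page are two views of the same mechanism: something in front of the server caps how many half-open (SYN received, handshake not completed) connections it will hold, and frees the slot when the handshake finishes or a timer expires. The Python model below is an added example, not PIX or IOS code, and it does not claim to reproduce either product's internals; it only counts and times half-open entries so the trade-off Allen describes can be seen in numbers. The constructed flood, the 3-second hold time and the addresses are assumptions. It does not model the per-source dropping Allen mentions, and it does not proxy the handshake the way TCP intercept's intercept mode does.

```python
"""Model of an embryonic (half-open) TCP connection limit in front of one server.

Added illustration for the emb_limit / TCP intercept discussion. Not PIX or IOS
code; the timeout, the limit and the constructed flood are assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    emb_limit: int      # max simultaneous half-open connections; 0 = unlimited (the PIX default)
    timeout: float      # seconds an unanswered SYN is held before its slot is freed
    pending: OrderedDict = field(default_factory=OrderedDict)  # (src, sport) -> time of SYN
    established: int = 0
    dropped: int = 0

    def _expire(self, now):
        # Entries were inserted in time order, so pop from the front while they are stale.
        while self.pending:
            _, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout:
                break
            self.pending.popitem(last=False)

    def syn(self, src, sport, now):
        """A client SYN arrives. Returns True if a slot is held for it."""
        self._expire(now)
        if (src, sport) in self.pending:
            return True                      # retransmitted SYN of a connection already held
        if self.emb_limit and len(self.pending) >= self.emb_limit:
            self.dropped += 1                # table full: this SYN is dropped
            return False
        self.pending[(src, sport)] = now
        return True

    def ack(self, src, sport, now):
        """The client's final handshake ACK arrives. Returns True if the connection completes."""
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False                     # never admitted, or its slot already expired
        self.established += 1
        return True


def simulate(emb_limit, timeout=3.0, flood=300):
    """Constructed scenario: a spoofed SYN flood, then two legitimate clients.

    Returns (legit_ok_during_flood, legit_ok_after_timeout, peak_half_open, dropped).
    """
    table = HalfOpenTable(emb_limit=emb_limit, timeout=timeout)
    peak = 0
    # Flood: `flood` SYNs from distinct spoofed sources spread over t = 0..1 s, never ACKed.
    for i in range(flood):
        table.syn(f"198.51.100.{i % 250}", 1024 + i, now=i / flood)
        peak = max(peak, len(table.pending))
    # Legitimate client 1 arrives at t = 1.5 s, while the flood entries are still held.
    c1 = ("203.0.113.5", 40000)
    during = table.syn(*c1, now=1.5) and table.ack(*c1, now=1.55)
    # Legitimate client 2 arrives once every flood entry is older than the timeout.
    c2 = ("203.0.113.6", 40001)
    later = 2.0 + timeout
    after = table.syn(*c2, now=later) and table.ack(*c2, now=later + 0.05)
    return during, after, peak, table.dropped


if __name__ == "__main__":
    for limit, tmo in ((0, 3.0), (100, 3.0), (100, 0.5)):
        print(f"emb_limit={limit:<4} timeout={tmo}s ->", simulate(limit, timeout=tmo))
```

Running it shows the trade-off: with no limit both legitimate clients connect, but the server is left holding all 300 half-open entries; with a limit of 100 and a 3-second hold, the client that arrives mid-flood is refused (the self-inflicted denial of service Allen warns about) and only the one arriving after the entries expire gets through; with the same limit and a shorter hold time the table drains fast enough that both succeed. That is why the hold timer and the limit have to be tuned together, against the embryonic counts you measure under normal load.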

PIX static command and em_limit - SYN attack [7:17994]

2001-08-30 Thread Bill Carter

I am installing a PIX.  In the static commands the last switch is for the
limit on embryonic connects.

static (DMZ,outside) X.X.X.15 192.168.1.13 netmask 255.255.255.255 0 0 <---

Every sample configuration I have seen leaves this value at 0.  I hate to
bring logic into this but, logic tells me that I would want to put a limit
on embryonic sessions to protect against SYN attacks.  What is a reasonable
limit to put on this balancing security and availability?  20, 100, 500?

What value do you use in real world implementations???


From CCO: watch the wrap.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/config/commands.htm#xtocid1006867

The embryonic connection limit. An embryonic connection is one that has
started but not yet completed. Set this limit to prevent attack by a flood
of embryonic connections. The default is 0, which means unlimited
connections


^-^-^-^-^-^-^-^-^-^-^
Bill Carter
CCIE 5022
^-^-^-^-^-^-^-^-^-^-^




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17994&t=17994



Re: Unable to detect source for attack [7:17095]

2001-08-26 Thread suaveguru

thank you 

You have been very helpful

regards,
suaveguru
--- Tony Medeiros  wrote:
> With all due respect Farhan, if he uses "debug ip packet detail" on a
> production router, he WON'T be having a very nice day. Good way to crash
> the router.
> 
> A better way is to set up flow cache.
> 
> (config-if) ip route-cache flow
> # show ip cache flow
> 
> This will show you source and dest. pair, and the ports you're looking for.
> Tony M.
> (Can't sleep)
> 
> - Original Message -
> From: "Farhan Ahmed" 
> To: 
> Sent: Friday, August 24, 2001 11:12 PM
> Subject: RE: Unable to detect source for attack
> [7:17095]
> 
> 
> > command
> >
> > debug ip packet detail
> >
> > Best Regards
> >
> > Have A Good Day!!
> >
> > ***
> > Farhan Ahmed*
> >   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> > Network Engineer
> > Mideast Data Systems Abudhabi Uae.
> >
> > ***
> >
> >
> >
> > Privileged/Confidential Information may be
> contained in this message or
> > Attachments hereto.  Please advise immediately if
> you or your employer do
> > not consent to Internet email for messages of this
> kind.  Opinions,
> > Conclusions and other information in this message
> that do not relate to
> the
> > Official business of this company shall be
> understood as neither given nor
> > Endorsed by it.
> >
> >
> > > -Original Message-
> > > From: suaveguru [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, August 24, 2001 9:54 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Unable to detect source for attack
> [7:17095]
> > >
> > >
> > > hi all,
> > >
> > > I am not able to detect the type of an ip attack on an
> > > interface. All I can detect is the source and
> > > destination ip addresses using ip accounting but I
> > > could not block the ip addresses because they are all
> > > in use. All I can do is to find out what kind of
> > > traffic is causing the attack for e.g. tcp, udp, SYN
> > > etc. but what tools could I use?
> > >
> > >
> > > regards,
> > > suaveguru
> > >
> > >
> __
> > > Do You Yahoo!?
> > > Make international calls for as low as
> $.04/minute with
> > > Yahoo! Messenger
> > > http://phonecard.yahoo.com/
> >
> > [GroupStudy.com removed an attachment of type
> application/octet-stream
> which
> > had a name of Farhan Ahmed.vcf]
[EMAIL PROTECTED]


__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17311&t=17095



Re: Unable to detect source for attack [7:17095]

2001-08-25 Thread Tony Medeiros

With all due respect Farhan, if he uses "debug ip packet detail" on a
production router, he WON'T be having a very nice day.  Good way to crash
the router.

A better way is to set up flow cache.

(config-if) ip route-cache flow
# show ip cache flow

This will show you source and dest. pair, and the ports you're looking for.
Tony M.
(Can't sleep)

- Original Message -
From: "Farhan Ahmed" 
To: 
Sent: Friday, August 24, 2001 11:12 PM
Subject: RE: Unable to detect source for attack [7:17095]


> command
>
> debug ip packet detail
>
> Best Regards
>
> Have A Good Day!!
>
> ***
> Farhan Ahmed*
>   MCSE+I, MCP Win2k, CCDA, CCNA, CSE
> Network Engineer
> Mideast Data Systems Abudhabi Uae.
>
> ***
>
>
>
> Privileged/Confidential Information may be contained in this message or
> Attachments hereto.  Please advise immediately if you or your employer do
> not consent to Internet email for messages of this kind.  Opinions,
> Conclusions and other information in this message that do not relate to
the
> Official business of this company shall be understood as neither given nor
> Endorsed by it.
>
>
> > -Original Message-
> > From: suaveguru [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 24, 2001 9:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: Unable to detect source for attack [7:17095]
> >
> >
> > hi all,
> >
> > I am not able to detect the type of an ip attack on an
> > interface. All I can detect is the source and
> > destination ip addresses using ip accounting but I
> > could not block the ip addresses because they are all
> > in use. All I can do is to find out what kind of
> > traffic is causing the attack for e.g. tcp, udp, SYN
> > etc. but what tools could I use?
> >
> >
> > regards,
> > suaveguru
> >
> > __
> > Do You Yahoo!?
> > Make international calls for as low as $.04/minute with
> > Yahoo! Messenger
> > http://phonecard.yahoo.com/
>
> [GroupStudy.com removed an attachment of type application/octet-stream
which
> had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17232&t=17095



RE: Unable to detect source for attack [7:17095]

2001-08-24 Thread Farhan Ahmed

command

debug ip packet detail

Best Regards

Have A Good Day!!

***
Farhan Ahmed*
  MCSE+I, MCP Win2k, CCDA, CCNA, CSE
Network Engineer
Mideast Data Systems Abudhabi Uae.

***



Privileged/Confidential Information may be contained in this message or
Attachments hereto.  Please advise immediately if you or your employer do
not consent to Internet email for messages of this kind.  Opinions,
Conclusions and other information in this message that do not relate to the
Official business of this company shall be understood as neither given nor
Endorsed by it.


> -Original Message-
> From: suaveguru [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 24, 2001 9:54 AM
> To: [EMAIL PROTECTED]
> Subject: Unable to detect source for attack [7:17095]
> 
> 
> hi all,
> 
> I am not able to detect the type of an ip attack on an
> interface. All I can detect is the source and
> destination ip addresses using ip accounting but I
> could not block the ip addresses because they are all
> in use. All I can do is to find out what kind of
> traffic is causing the attack for e.g. tcp, udp, SYN
> etc. but what tools could I use?
> 
> 
> regards,
> suaveguru
> 
> __
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with 
> Yahoo! Messenger
> http://phonecard.yahoo.com/

[GroupStudy.com removed an attachment of type application/octet-stream which
had a name of Farhan Ahmed.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17228&t=17095



Unable to detect source for attack [7:17095]

2001-08-23 Thread suaveguru

hi all,

I am not able to detect the type of an ip attack on an
interface. All I can detect is the source and
destination ip addresses using ip accounting but I
could not block the ip addresses because they are all
in use. All I can do is to find out what kind of
traffic is causing the attack for e.g. tcp, udp, SYN
etc. but what tools could I use?


regards,
suaveguru

__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17095&t=17095



Re: tools for detecting DOS attack other than ip accounting [7:16211]

2001-08-15 Thread dre

(assuming access-lists are configured, a simple permit any any works for
this even, but specific networks or higher layer traffic you want to match
works better)
show access-lists (look at the number of matches increasing)
show interface (look at load x/255, 30 second input rate x bits/sec, x
packets/sec)
show interface stats
show interface switching
show interface accounting
(assuming you have netflow configured)
show ip cache flow

You could use about a billion other things to detect DoS attacks (even with
Cisco routers).

You might be able to get some of the information above via SNMP. You could
graph it with mrtg/rrdtool/cricket/flowscan (caida) or even commercial tools
like CiscoWorks IPM, HPOV NNM, Concord eHealth, and about a billion other tools.

It is generally recommended that you capture all traffic with a sniffer, if at
all possible. There are a few free tools and commercial products in this
category as well; popular ones include tcpdump, snoop, ethereal, and SnifferPro.

I think that NetFlow is a good way to detect DoS attacks, especially if you
graph it. Because NetFlow (or sFlow, or NeTraMet, etc., and also probably RMON
and IP accounting) gets a lot of the packet sizes, protocol distributions,
prefix and interface traffic statistics for src/dst pairs (aka flow), etc.,
it is really obvious right away what type of attack you are getting. However,
sometimes it's not perfect, so having a complete dump of the traffic on your
network via a sniffer is really ideal. Working with sniffer data and graphing
it in real time is more complex than using NetFlow or similar technology, but
that's really up to you to decide what you want to do.

Matches on access-lists seem to be a very popular way of detecting whether a
DoS attack occurred (but this is generally after the fact).

Having a good combination of all of the above wouldn't hurt either. It really
depends on the problem you are trying to solve and the resources you know /
have available / etc. Are you trying to detect DoS attacks in real time? Are
you trying to track down who is sending the packets to you? Are you trying to
identify the attacks so you can come up with ways to prevent them?

Most important would be a written policy and procedure for dealing with DoS
attacks coming into and out of your network. Then, spec out the technology to
fit your requirements.

Good luck.

-dre

""suaveguru""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> hi all
>
> anyone knows if there are any tools to detect DOS
> attack on network other than turning on ip accounting
> at the routers because ip accounting utilises very
> much CPU resources on the router
>
> any inputs will be greatly appreciated
>
> regards
>
> suaveguru
>
> __
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo! Messenger
> http://phonecard.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16211&t=16211


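Tony's `ip route-cache flow` / `show ip cache flow` advice in the earlier thread and the NetFlow item in dre's list above both come down to reading the flow table for the shape of the traffic rather than individual packets. The script below is an added example, not code from either poster or from Cisco: it parses the table that `show ip cache flow` prints and groups flows per destination service, so that the flood signature (many distinct sources, almost every flow a single packet, all aimed at one port) stands out from an ordinary busy server. The sample table is constructed in that command's column layout, where the protocol and port columns are hexadecimal; the interface names, addresses and thresholds are assumptions.

```python
"""Summarise Cisco `show ip cache flow` output to spot flood patterns.

Added illustration, not code from the thread or from Cisco. The table below is
constructed in the column layout of that command (protocol and ports are hex);
interface names, addresses and thresholds are assumptions.
"""
from collections import defaultdict

SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0         198.51.100.7    Fa0/0         192.0.2.10      06 0401 0050     1
Se0/0         198.51.100.8    Fa0/0         192.0.2.10      06 0402 0050     1
Se0/0         198.51.100.9    Fa0/0         192.0.2.10      06 0403 0050     1
Se0/0         198.51.100.10   Fa0/0         192.0.2.10      06 0404 0050     1
Se0/0         203.0.113.20    Fa0/0         192.0.2.10      06 C1A4 0050    37
Se0/0         203.0.113.21    Fa0/0         192.0.2.25      11 0035 0035     2
Fa0/0         192.0.2.10      Se0/0         203.0.113.20    06 0050 C1A4    41
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flows(text):
    """Yield one dict per flow row; the header and any non-table lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue
        try:
            proto, sport, dport = int(f[4], 16), int(f[5], 16), int(f[6], 16)
            pkts = int(f[7])
        except ValueError:
            continue
        yield {"src_if": f[0], "src": f[1], "dst_if": f[2], "dst": f[3],
               "proto": PROTO_NAMES.get(proto, str(proto)),
               "sport": sport, "dport": dport, "pkts": pkts}


def summarise(text, inbound_if=None):
    """Group flows by (dst, proto, dport); optionally only those entering on one interface.

    For each group: distinct sources, total packets, flow count, one-packet flows.
    """
    agg = defaultdict(lambda: {"sources": set(), "pkts": 0, "flows": 0, "single_pkt": 0})
    for fl in parse_flows(text):
        if inbound_if and fl["src_if"] != inbound_if:
            continue
        a = agg[(fl["dst"], fl["proto"], fl["dport"])]
        a["sources"].add(fl["src"])
        a["pkts"] += fl["pkts"]
        a["flows"] += 1
        if fl["pkts"] == 1:
            a["single_pkt"] += 1
    return {k: {"sources": len(v["sources"]), "pkts": v["pkts"],
                "flows": v["flows"], "single_pkt": v["single_pkt"]}
            for k, v in agg.items()}


def suspicious(summary, min_sources=3, single_pkt_ratio=0.75):
    """Services where many distinct sources each produce mostly one-packet flows:
    the shape a SYN flood (or any spoofed-source flood) leaves in the flow cache."""
    return sorted(key for key, s in summary.items()
                  if s["sources"] >= min_sources
                  and s["single_pkt"] / s["flows"] >= single_pkt_ratio)


if __name__ == "__main__":
    inbound = summarise(SAMPLE, inbound_if="Se0/0")
    for key in suspicious(inbound):
        dst, proto, port = key
        print(f"{dst} {proto}/{port}: {inbound[key]}")
```

In the sample the four one-packet TCP flows to 192.0.2.10 port 80 from four different sources are flagged, while the long-lived 37-packet session to the same port and the DNS exchange are not; on a real router you would feed it the output captured a few times a minute and watch the `sources` count, which is what distinguishes a spoofed flood from one noisy client that an access-list entry could handle.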

Re: tools for detecting DOS attack other than ip accounting [7:16156]

2001-08-15 Thread Kevin Welch

Well,  I would recommend using an IDS and a span port on a switch.  Snort
(http://www.snort.org) is an open-source intrusion detection system that
ties into tools like syslog and swatch and can accurately report intrusion
and denial of service attempts, allowing you to then decide how to respond.
These tools would generally rely on a Unix system attached to a switch span
port on the LAN side of your router.

-- Kevin

> hi all
>
> anyone knows if there are any tools to detect DOS
> attack on network other than turning on ip accounting
> at the routers because ip accounting utilises very
> much CPU resources on the router
>
> any inputs will be greatly appreciated
>
> regards
>
> suaveguru
>
> __
> Do You Yahoo!?
> Make international calls for as low as $.04/minute with Yahoo!
> Messenger http://phonecard.yahoo.com/


http://www.siliconsamurai.net

-
This email was sent using SquirrelMail.
   "Webmail for nuts!"
http://squirrelmail.org/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16156&t=16156



tools for detecting DOS attack other than ip accounting [7:16139]

2001-08-15 Thread suaveguru

hi all

does anyone know of any tools to detect a DoS attack on the network other
than turning on IP accounting at the routers, because IP accounting uses a
lot of CPU resources on the router?

any inputs will be greatly appreciated

regards

suaveguru

__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16139&t=16139



RE: CBAC and DOS attack [7:9748]

2001-06-27 Thread Dana J. Dawson

For me, the best analogy for CBAC is that it's like a really smart
"established" keyword in access-lists.  You still apply your access-list in
the inbound direction, and it's still the access-list that blocks traffic,
but the CBAC inspection commands make the access-list smart.  In order for
the access-list to "know" what to let in, the router has to pay attention
to (i.e. "inspect") the outgoing traffic.  So, you inspect your outbound
traffic so that your access-lists can let the appropriate return traffic
back in.

That being said, the CBAC feature also does some sanity checking on packets
and can drop packets that it thinks are illegal even if no access-lists are
configured in the router.  You'll almost never encounter this, but it's
handy to know about.

HTH

Dana


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=10204&t=9748



Re: CBAC and DOS attack [7:9748]

2001-06-25 Thread Circusnuts

Have you seen the latest Cisco Security book ???  It's a little clearer
than what I have been able to find on the CCO, dealing with the Firewall IOS
(explains all the nuances & features of these access-lists).  Have you tried
ConfigMaker when setting the default values for the reflexive access lists &
the inspects ?  If this were, say, an Internet connection (cable modem in my
case) you want to inspect on the outward-facing interface, but apply the rule
for the incoming.

Did I come close to answering the question ???
Phil

- Original Message -
From: "Vyacheslav Luschinsky" 
To: 
Sent: Monday, June 25, 2001 9:01 AM
Subject: CBAC and DOS attack [7:9748]


> I have some trouble in understanding how to use firewall set (CBAC) to
> limit half open inbound sessions from Internet.
> First you have to identify traffic
>
> ip inspect name myname tcp
>
> then you have to put it on interface.
> Cisco examples show only one situation when you need to allow sessions
> from your local LAN. So it is not clear should I apply inspecting to
> inbound traffic on serial int. or outbound for ethernet int.
> Did anyone deal with it?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9777&t=9748



CBAC and DOS attack [7:9748]

2001-06-25 Thread Vyacheslav Luschinsky

I have some trouble in understanding how to use firewall set (CBAC) to limit
half open inbound sessions from Internet.
First you have to identify traffic

ip inspect name myname tcp

then you have to put it on interface.
Cisco examples show only one situation when you need to allow sessions from
your local LAN. So it is not clear should I apply inspecting to inbound
traffic on serial int. or outbound for ethernet int.
Did anyone deal with it?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9748&t=9748
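The placement Dana describes (inspect outbound, filter inbound, both on the Internet-facing interface) and the half-open-session limits the question asks about, written out as an IOS configuration. This is an added example, not the list's or Cisco's own configuration; the interface name, the ACL number and all threshold values are assumptions to be sized for the link.

```cisco
! The inspection rule from the question. CBAC tracks TCP sessions started
! from the inside and adds temporary entries to the inbound ACL so that only
! the return traffic of those sessions gets through.
ip inspect name myname tcp
!
! Half-open (embryonic) session limits. Above the high mark CBAC deletes the
! oldest half-open sessions until the count drops below the low mark; the
! one-minute pair does the same for the rate of new half-open sessions.
! Numbers are assumptions: start from the observed baseline and tune.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
! Per-destination-host limit; block-time is in minutes.
ip inspect tcp max-incomplete host 50 block-time 2
!
! Inbound ACL on the Internet side: nothing unsolicited is allowed in.
! CBAC inserts the temporary permit entries above this line at run time.
access-list 101 deny ip any any log
!
interface Serial0
 description Internet (assumed interface name)
 ip access-group 101 in
 ip inspect myname out
```

Once traffic flows, `show ip inspect sessions` lists the sessions CBAC is tracking and `show access-lists 101` shows the temporary entries it has inserted.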



RE: Dos Attack [7:7049]

2001-06-08 Thread Andy Low

Hi Kent,

Do you know about NetFlow switching? Must I enable that?

Andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 1:05 AM
To: [EMAIL PROTECTED]; Andy Low
Subject: RE: Dos Attack [7:7049]


In my experience, no.  I've turned on IP accounting on routers doing
hundreds of megabits of traffic with no noticeable effects.  Course,
there is always the potential for bugs/instabilities in the code, but
barring this I think you should be fine.

Just watch the CPU via "sh proc cpu" before and immediately after
turning on IP accounting. If you start seeing the CPU spike very
high you can always disable the accounting.

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:

> Hi Kent,
> 
> Will IP accounting halt the router given 50Mbps of traffic passing
> through?
> 
> regards,
> 
> andy
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED] Sent: Wednesday, June 06, 2001 5:24 AM To:
> [EMAIL PROTECTED] Subject: Re: Dos Attack [7:7049]
> 
> 
> Andy,
> 
> 1) Enable IP accounting on the router interface "closest" to the
> traffic in question.  Watch the output of "sh ip account" and you
> should be able to tell fairly quickly what the originating IP address
> is of the offending station
> 
> 2) Now you have the IP, you know which segment the station is on, look
> at the local router's arp table to determine the MAC address
> 
> 3) Look at the switch(es) to find the port the MAC is on and then
> trace to the physical station and investigate
> 
> Regards,
> Kent
> 
> On 4 Jun 2001, at 8:03, Andy Low wrote:
> 
> > Hi,
> >
> > If there is a machine within my network generating high load of
> > traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command
> > should I use to check? On the catalyst switch which command can I
> > use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7682&t=7049



RE: grc.com under a DOS attack [7:7377]

2001-06-07 Thread Logan, Harold

Idunno about Priscilla and her DOS attacks... I seem to remember
routergod.com taking an awful long time to load once her interview with
Fabio was uploaded. Hrrrmmm...

-Original Message- 
From: ElephantChild 
Sent: Thu 6/7/2001 5:20 AM 
To: Logan, Harold 
Cc: [EMAIL PROTECTED] 
Subject: Re: grc.com under a DOS attack [7:7377]



On Wed, 6 Jun 2001, Logan, Harold wrote:

> Hrmm... I don't know how much bandwidth the good people at grc have from
> their ISP, but considering the number of people that have been referred
> to the site from this list, and considering that the site is unavailable
> right now, I'd say it looks like Priscilla just engineered a DOS attack
> on the poor people at grc.com. Poor guys. Maybe I'll get to read the
> article after the entire networking community gets done reading it.
>
> =)

That wouldn't be the first time, I think. That a DOS attack occurs
inadvertently, I mean.  Not that our resident Priscilla engineers one.
Look up "slashdot effect" in the Jargon File.

--
"Someone approached me and asked me to teach a javascript course. I was
about to decline, saying that my complete ignorance of the subject made
me unsuitable, then I thought again, that maybe it doesn't, as driving
people away from it is a desirable outcome." --Me

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7537&t=7377



RE: Dos Attack [7:7049]

2001-06-07 Thread [EMAIL PROTECTED]

In my experience, no.  I've turned on IP accounting on routers doing
hundreds of megabits of traffic with no noticeable effects.  Course,
there is always the potential for bugs/instabilities in the code, but
barring this I think you should be fine.

Just watch the CPU via "sh proc cpu" before and immediately after
turning on IP accounting. If you start seeing the CPU spike very
high you can always disable the accounting.

HTH,
Kent

On 6 Jun 2001, at 0:20, Andy Low wrote:

> Hi Kent,
> 
> Will IP accounting halt the router given 50Mbps of traffic passing
> through?
> 
> regards,
> 
> andy
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED] Sent: Wednesday, June 06, 2001 5:24 AM To:
> [EMAIL PROTECTED] Subject: Re: Dos Attack [7:7049]
> 
> 
> Andy,
> 
> 1) Enable IP accounting on the router interface "closest" to the
> traffic in question.  Watch the output of "sh ip account" and you
> should be able to tell fairly quickly what the originating IP address
> is of the offending station
> 
> 2) Now you have the IP, you know which segment the station is on, look
> at the local router's arp table to determine the MAC address
> 
> 3) Look at the switch(es) to find the port the MAC is on and then
> trace to the physical station and investigate
> 
> Regards,
> Kent
> 
> On 4 Jun 2001, at 8:03, Andy Low wrote:
> 
> > Hi,
> >
> > If there is a machine within my network generating high load of
> > traffic, how can I detect the machine asap?
> >
> > I have cisco 7507 routers and catalyst 5509 switches. Which command
> > should I use to check? On the catalyst switch which command can I
> > use to find out port the machine is plugged to?
> >
> > Thanks
> >
> > Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7524&t=7049



Re: grc.com under a DOS attack [7:7377]

2001-06-07 Thread ElephantChild

On Wed, 6 Jun 2001, Logan, Harold wrote:

> Hrmm... I don't know how much bandwidth the good people at grc have from
> their ISP, but considering the number of people that have been referred
> to the site from this list, and considering that the site is unavailable
> right now, I'd say it looks like Priscilla just engineered a DOS attack
> on the poor people at grc.com. Poor guys. Maybe I'll get to read the
> article after the entire networking community gets done reading it.
> 
> =)

That wouldn't be the first time, I think. That a DOS attack occurs
inadvertently, I mean.  Not that our resident Priscilla engineers one.
Look up "slashdot effect" in the Jargon File.

-- 
"Someone approached me and asked me to teach a javascript course. I was
about to decline, saying that my complete ignorance of the subject made
me unsuitable, then I thought again, that maybe it doesn't, as driving
people away from it is a desirable outcome." --Me




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7500&t=7377



RE: grc.com under a DOS attack [7:7377]

2001-06-06 Thread Daniel Cotts

They have two T-1s. The article was just headlined by the latest SANS.org
newsletter. Imagine that they are getting quite a few hits.

> -Original Message-
> From: Logan, Harold [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 06, 2001 1:06 PM
> To: [EMAIL PROTECTED]
> Subject: grc.com under a DOS attack [7:7377]
> 
> 
> Hrmm... I don't know how much bandwidth the good people at grc have from
> their ISP, but considering the number of people that have been referred
> to the site from this list, and considering that the site is unavailable
> right now, I'd say it looks like Priscilla just engineered a DOS attack
> on the poor people at grc.com. Poor guys. Maybe I'll get to read the
> article after the entire networking community gets done reading it.
> 
> =)
> 
> Date: Tue, 5 Jun 2001 23:55:49 -0400
> From: "Jennifer Cribbs" 
> Subject: Re: Interesting DOS article [7:7272]
> 
> That was a very interesting article.   I knew things like that went on,
> but have never had a personal experience of such.
> I liked the detail that was gone into about the solution.  I am
> forwarding the link to friends.
> 
> Jennifer Cribbs
> 
> 6/5/2001 9:52:31 PM, "Natasha"  wrote:
> 
> >Somewhat a long read but very enlightening.
> >The article on Windows XP was just as scary.
> >Thank you so much Priscilla, I'm going to pass your find on to some
> >other network folks that could use it.
> >
> >
> >>Priscilla Oppenheimer wrote:
> >>
> >> http://grc.com/dos/grcdos.htm  
> >>
> >> Priscilla
> >>
> >> 
> >>
> >> Priscilla Oppenheimer
> >> http://www.priscilla.com  
> >--
> >Natasha Flazynski
> >CCNA, MCSE
> > http://www.ciscobot.com  
> >My Cisco information site.
> > http://www.botbuilders.com  
> >Artificial Intelligence and Linux development
> >
> Have a great day!!
> Jennifer
> 
> [GroupStudy.com removed an attachment of type 
> application/ms-tnef which had
> a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7394&t=7377



RE: grc.com under a DOS attack [7:7377]

2001-06-06 Thread LeBrun, Tim

An article about GRC.com was also in the SANS newsletter.

Tim LeBrun
CCNA, CCDA


-Original Message-
From: Logan, Harold [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: grc.com under a DOS attack [7:7377]


Hrmm... I don't know how much bandwidth the good people at grc have from
their ISP, but considering the number of people that have been referred
to the site from this list, and considering that the site is unavailable
right now, I'd say it looks like Priscilla just engineered a DOS attack
on the poor people at grc.com. Poor guys. Maybe I'll get to read the
article after the entire networking community gets done reading it.

=)

Date: Tue, 5 Jun 2001 23:55:49 -0400
From: "Jennifer Cribbs" 
Subject: Re: Interesting DOS article [7:7272]

That was a very interesting article.   I knew things like that went on,
but have never had a personal experience of such.
I liked the detail that was gone into about the solution.  I am
forwarding the link to friends.

Jennifer Cribbs

6/5/2001 9:52:31 PM, "Natasha"  wrote:

>Somewhat a long read but very enlightening.
>The article on Windows XP was just as scary.
>Thank you so much Priscilla, I'm going to pass your find on to some
>other network folks that could use it.
>
>
>>Priscilla Oppenheimer wrote:
>>
>> http://grc.com/dos/grcdos.htm  
>>
>> Priscilla
>>
>> 
>>
>> Priscilla Oppenheimer
>> http://www.priscilla.com  
>--
>Natasha Flazynski
>CCNA, MCSE
> http://www.ciscobot.com  
>My Cisco information site.
> http://www.botbuilders.com  
>Artificial Intelligence and Linux development
>
Have a great day!!
Jennifer

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7393&t=7377



grc.com under a DOS attack [7:7377]

2001-06-06 Thread Logan, Harold

Hrmm... I don't know how much bandwidth the good people at grc have from
their ISP, but considering the number of people that have been referred
to the site from this list, and considering that the site is unavailable
right now, I'd say it looks like Priscilla just engineered a DOS attack
on the poor people at grc.com. Poor guys. Maybe I'll get to read the
article after the entire networking community gets done reading it.

=)

Date: Tue, 5 Jun 2001 23:55:49 -0400
From: "Jennifer Cribbs" 
Subject: Re: Interesting DOS article [7:7272]

That was a very interesting article.   I knew things like that went on,
but have never had a personal experience of such.
I liked the detail that was gone into about the solution.  I am
forwarding the link to friends.

Jennifer Cribbs

6/5/2001 9:52:31 PM, "Natasha"  wrote:

>Somewhat a long read but very enlightening.
>The article on Windows XP was just as scary.
>Thank you so much Priscilla, I'm going to pass your find on to some
>other network folks that could use it.
>
>
>>Priscilla Oppenheimer wrote:
>>
>> http://grc.com/dos/grcdos.htm  
>>
>> Priscilla
>>
>> 
>>
>> Priscilla Oppenheimer
>> http://www.priscilla.com  
>--
>Natasha Flazynski
>CCNA, MCSE
> http://www.ciscobot.com  
>My Cisco information site.
> http://www.botbuilders.com  
>Artificial Intelligence and Linux development
>
Have a great day!!
Jennifer

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7377&t=7377



RE: Dos Attack [7:7049]

2001-06-05 Thread Andy Low

Hi Kent,

Will IP accounting halt the router given 50Mbps of traffic passing through?

regards,

andy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 06, 2001 5:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Dos Attack [7:7049]


Andy,

1) Enable IP accounting on the router interface "closest" to the
traffic in question.  Watch the output of "sh ip account" and you
should be able to tell fairly quickly what the originating IP address
is of the offending station

2) Now you have the IP, you know which segment the station is on,
look at the local router's arp table to determine the MAC address

3) Look at the switch(es) to find the port the MAC is on and then
trace to the physical station and investigate

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
>
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
>
> Thanks
>
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7296&t=7049



Re: Dos Attack [7:7049]

2001-06-05 Thread [EMAIL PROTECTED]

Andy,

1) Enable IP accounting on the router interface "closest" to the 
traffic in question.  Watch the output of "sh ip account" and you 
should be able to tell fairly quickly what the originating IP address 
is of the offending station

2) Now you have the IP, you know which segment the station is on, 
look at the local router's arp table to determine the MAC address

3) Look at the switch(es) to find the port the MAC is on and then 
trace to the physical station and investigate

Regards,
Kent

On 4 Jun 2001, at 8:03, Andy Low wrote:

> Hi,
> 
> If there is a machine within my network generating high load of
> traffic, how can I detect the machine asap?
> 
> I have cisco 7507 routers and catalyst 5509 switches. Which command
> should I use to check? On the catalyst switch which command can I use
> to find out port the machine is plugged to?
> 
> Thanks
> 
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7233&t=7049
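Kent's three steps (rank sources in "sh ip account", resolve the top source through the router's ARP table, then find the MAC in the switch's CAM table) as a small triage script, which also answers Andy's original question of which output to read on the 7507 and the 5509. This is an added example, not code from the list or from Cisco; the three CLI outputs are constructed samples in the IOS and CatOS formats, and the MAC normalisation is needed because IOS and CatOS print MAC addresses differently.

```python
"""Triage for Kent's three steps: rank sources in `show ip accounting`, map the
top source to a MAC with `show ip arp`, map the MAC to a port with CatOS `show
cam dynamic`.  Added example, not the list's or Cisco's code; outputs are constructed."""
import re
from collections import defaultdict

SHOW_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 10.1.5.77        192.0.2.10                 482113             61710464
 10.1.5.77        192.0.2.11                 390004             49920512
 10.1.2.14        192.0.2.10                   1203               154000
 10.1.9.3         198.51.100.7                  811                97320
Accounting data age is 5
"""
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.5.1                -   0000.0c99.1111  ARPA   FastEthernet1/0
Internet  10.1.5.77               3   0000.0c12.3456  ARPA   FastEthernet1/0
Internet  10.1.2.14              12   0000.0c77.aabb  ARPA   FastEthernet1/1
"""
SHOW_CAM_DYNAMIC = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
5     00-00-0c-12-34-56            3/7 [ALL]
5     00-00-0c-99-11-11            1/1 [ALL]
Total Matching CAM Entries Displayed = 2
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ACCT_RE = re.compile(r"^\s*(%s)\s+(%s)\s+(\d+)\s+(\d+)\s*$" % (IP, IP))
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", re.I)
CAM_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\S+)", re.I)


def normalize_mac(mac):
    """IOS writes 0000.0c12.3456, CatOS 00-00-0c-12-34-56: join on bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def top_sources(output, n=3):
    """Sum packets/bytes per source over all destinations, rank by bytes."""
    totals = defaultdict(lambda: [0, 0])  # source -> [packets, bytes]
    for line in output.splitlines():
        m = ACCT_RE.match(line)
        if m:
            src, _dst, pkts, nbytes = m.groups()
            totals[src][0] += int(pkts)
            totals[src][1] += int(nbytes)
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(src, pk, by) for src, (pk, by) in ranked[:n]]


def arp_table(output):
    """IP -> (MAC, router interface) from IOS `show ip arp`."""
    return {m.group(1): (normalize_mac(m.group(2)), m.group(3))
            for m in map(ARP_RE.match, output.splitlines()) if m}


def cam_table(output):
    """MAC -> (VLAN, port) from CatOS `show cam dynamic`."""
    return {normalize_mac(m.group(2)): (m.group(1), m.group(3))
            for m in map(CAM_RE.match, output.splitlines()) if m}


def locate_top_talker(acct, arp, cam):
    """Chain the steps; None means a step had no answer for the top source."""
    ranked = top_sources(acct, n=1)
    if not ranked:
        return None
    ip = ranked[0][0]
    entry = arp_table(arp).get(ip)
    if entry is None:
        return None  # not directly attached here: repeat on the next-hop router
    mac, _ifname = entry
    vlan_port = cam_table(cam).get(mac)
    if vlan_port is None:
        return None  # MAC aged out, or the host sits behind another switch
    return (ip, mac) + vlan_port
```

On the sample data the top talker is 10.1.5.77, which resolves to 0000.0c12.3456 on FastEthernet1/0 and lands on port 3/7 in VLAN 5; a source that is not in the local ARP table is one hop further away, so the same steps are repeated on that router.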



Re: Dos Attack [7:7049]

2001-06-04 Thread Michael L. Williams

Don't know of any way to tell within the router/switch unless you check the
traffic statistics on every single port..

I would love to know of a good way with just the router and switch to do
just this...

I've always had Sniffer Pro available, and it'll pinpoint your biggest
"talkers", in which case you know the MAC address and can check the CAM on
the switch to see which port it's connected to.

Mike W.

"Andy Low"  wrote in message
news:[EMAIL PROTECTED]...
> Hi,
>
> If there is a machine within my network generating high load of traffic,
> how can I detect the machine asap?
>
> I have cisco 7507 routers and catalyst 5509 switches. Which command should
> I use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
>
> Thanks
>
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7185&t=7049



RE: Dos Attack [7:7049]

2001-06-04 Thread Moh'd, Quayoom

Hi Andy,
Try this command on the Catalyst 5509: "show top". It gives the top
stations report.
> -Original Message-
> From: Andy Low [SMTP:[EMAIL PROTECTED]]
> Sent: Mon, June 04, 2001 3:03 PM
> To:   [EMAIL PROTECTED]
> Subject:  Dos Attack [7:7049]
> 
> Hi,
> 
> If there is a machine within my network generating high load of traffic,
> how can I detect the machine asap?
> 
> I have cisco 7507 routers and catalyst 5509 switches. Which command should
> I use to check? On the catalyst switch which command can I use to find out
> port the machine is plugged to?
> 
> Thanks
> 
> Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7051&t=7049



Dos Attack [7:7049]

2001-06-04 Thread Andy Low

Hi,

If there is a machine within my network generating high load of traffic, how
can I detect the machine asap?

I have cisco 7507 routers and catalyst 5509 switches. Which command should I
use to check? On the catalyst switch which command can I use to find out
port the machine is plugged to?

Thanks

Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7049&t=7049


