Date:      Mon, 06 Jan 2003 11:16:35 -0800
From:      Terry Lambert <tlambert2@mindspring.com>
To:        soralx@cydem.zp.ua
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: DDoS attacks, packets captured ... not sure what to do.
Message-ID:  <3E19D613.84622ADE@mindspring.com>
References:  <20030105145150.N80512-100000@mail.econolodgetulsa.com> <200301052332.59925.soralx@cydem.zp.ua> <3E192770.43B3D489@mindspring.com> <200301060021.39502.soralx@cydem.zp.ua>

soralx@cydem.zp.ua wrote:
> I doubt that all the packets are sent from one real IP. But, I think,
> it may be possible to determine the IP of an attacker, because it's
> not just a DoS attack. He may use other methods later. I am almost
> sure he tried to scan ports earlier, probably with `nmap -v -O` to
> determine the OS, and now he knows what packets to send.

Knowing his IP address is useless, if it's a denial of service,
unless you have a peering agreement with his NSP/ISP, and/or are
within driving distance, and own a shotgun.


> BTW, what were the UDP packets for? Scanning?

I don't know.  You didn't characterize them well enough for anyone
to make a guess.  If they were all frags, with one frag missing,
then they were an intentional denial of service on your UDP packet
reassembly buffer, which is relatively sucky in FreeBSD.  Otherwise,
they might have been a Linux NFS over UDP client (same thing, really),
or some other attack (e.g. attempted DNS poisoning, etc.).

-- Terry

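Terry's remark about a stream of fragments with one fragment missing describes the classic reassembly-buffer exhaustion pattern: every incomplete train pins a reassembly slot until it times out. As an added example, not code from this thread or from FreeBSD, here is a small Python triage script for a capture like the one the original poster had. It groups fragments on the same tuple the kernel reassembles on (src, dst, protocol, IP ID), checks each train for contiguous coverage and a final fragment (MF=0), and separates trains with a mid-train hole (the deliberate-DoS shape) from trains that merely lost their tail in the capture. The sample records, the addresses 10.0.0.7, 192.0.2.5, 198.51.100.9 and 203.0.113.1, and the `min_trains` threshold are constructed for this example.

```python
"""Find IP fragment trains that never complete in a list of captured
fragment records (reassembly-buffer DoS triage).

Each record carries the IP header fields reassembly depends on:
src, dst, proto, ip_id, frag_offset (already in bytes, i.e. the 13-bit
field times 8), payload_len and more_fragments (the MF flag).
The grouping key (src, dst, proto, ip_id) is the tuple the kernel uses.
"""
from collections import defaultdict


def group_fragments(records):
    """Bucket fragments by reassembly key -> list of (offset, len, mf)."""
    trains = defaultdict(list)
    for r in records:
        key = (r["src"], r["dst"], r["proto"], r["ip_id"])
        trains[key].append((r["frag_offset"], r["payload_len"], r["more_fragments"]))
    return trains


def train_status(frags):
    """Return (complete, hole_offset, buffered_bytes) for one train.

    complete is True only if the fragments cover [0, end) with no gap and a
    final fragment (MF=0) was seen.  hole_offset is the first byte offset not
    covered; it is None when coverage is contiguous but the tail never came.
    buffered_bytes is what a reassembler would have to hold for this train.
    """
    frags = sorted(frags)
    buffered = sum(length for _, length, _ in frags)
    seen_last = any(not mf for _, _, mf in frags)
    next_expected = 0
    for offset, length, _ in frags:
        if offset > next_expected:
            return False, next_expected, buffered  # gap inside the train
        next_expected = max(next_expected, offset + length)
    if not seen_last:
        return False, None, buffered  # contiguous so far, tail missing
    return True, None, buffered


def incomplete_trains(records):
    """Map reassembly key -> details for every train that never completed."""
    result = {}
    for key, frags in group_fragments(records).items():
        complete, hole, buffered = train_status(frags)
        if not complete:
            result[key] = {"hole_offset": hole, "buffered": buffered,
                           "n_frags": len(frags)}
    return result


def suspicious_sources(records, min_trains=3):
    """Sources with at least min_trains incomplete trains that each have a
    hole in the middle.  A missing tail alone can be capture truncation, so
    it is not counted; a repeated mid-train hole is the deliberate shape."""
    per_src = defaultdict(int)
    for key, info in incomplete_trains(records).items():
        if info["hole_offset"] is not None:
            per_src[key[0]] += 1
    return sorted(src for src, n in per_src.items() if n >= min_trains)


def demo_records():
    """Constructed sample capture (assumed data, not traffic from the thread)."""
    def rec(src, ip_id, offset, length, mf):
        return {"src": src, "dst": "203.0.113.1", "proto": 17, "ip_id": ip_id,
                "frag_offset": offset, "payload_len": length,
                "more_fragments": mf}

    records = []
    # Legitimate 3-fragment UDP datagram: contiguous and terminated by MF=0.
    records += [rec("192.0.2.5", 9001, 0, 1480, True),
                rec("192.0.2.5", 9001, 1480, 1480, True),
                rec("192.0.2.5", 9001, 2960, 100, False)]
    # Attacker: first and last fragment only, middle one withheld, repeated
    # under different IP IDs so each train occupies its own reassembly slot.
    for ip_id in range(1, 5):
        records += [rec("10.0.0.7", ip_id, 0, 1480, True),
                    rec("10.0.0.7", ip_id, 2960, 200, False)]
    # Train whose tail was simply not captured: incomplete, but no hole.
    records.append(rec("198.51.100.9", 77, 0, 1480, True))
    return records


if __name__ == "__main__":
    recs = demo_records()
    for key, info in incomplete_trains(recs).items():
        print(key, info)
    print("suspicious:", suspicious_sources(recs))
```

On the constructed sample the four trains from 10.0.0.7 each stop at a hole starting at byte 1480 and that host is the only one reported; the 198.51.100.9 train is listed as incomplete but not counted, since nothing on the wire distinguishes a withheld tail from a capture that ended early. Feeding real data means extracting the same six fields per fragment from whatever tcpdump or pcap reader you use.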