Re: Packet from port 80 with spoofed microsoft.com ip

Hi Hulio,
Thanks for your response and help both on and off list. I have been able to link the DDoS packet to MSDN. Apprantly it is back scatter from some sort of p2p worm/hydra. Back scatter happens when kiddiez on the mIRC want 2 take over channels and they send the packets with the spoofed IP using some toolz like on www.rootshell.com or underground.org.

At the moment the DDoS only affects windows/MSDN on intel, the solaris MSDN/sql server isn't affected, but apprantly a port is in the workz by some guys from #sage-au (./hack chanl) on oz.org. I got some packets in the IDS for the sparcs here last night, but SUN says they won't have a patch yet till they fix some bugs.

I belive you can detect the attack with tcpdump or snoop, but u have 2 be carefull cos the tpm/sage-au guys have a thing 2 make it crash and open other ports which could futher open u 2 DDoS attacks of this nature.

Thanks Again.

Alvin.
Senior Network/Security Engineer.
:: D i V E R S E - I N T E R N E T ::

   "Diverse - The future is now"

Hulio Cortez ruxed some lyrix like:
>
> Hello there Alvin,
t
> ? Is this only
r
> oblems with lots
i
> me!!! I am sure

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com