Not exactly on topic, but since ZKS is frequently under discussion here, I thought some of you might be interested...

--
Yours,
J.A. Terranson
sysadmin@mfn.org

---------- Forwarded message ----------
Date: Fri, 30 Mar 2001 14:04:55 -0500
From: Sebastien Berube <sberube@ZEROKNOWLEDGE.COM>
To: INCIDENTS@SECURITYFOCUS.COM
Subject: [INCIDENTS] smtp DDoS just stopped.

I would just like to inform everybody that our organisation just went under a heavy SMTP DoS. The symptoms were thousands of connections established, at first from the same source, to the SMTP port of one of our MXs. Once we started blocking this particular IP address, the connections started coming from a different address. And so on for about 3 hours.

I had to write a quick and dirty connection tracker to determine if each source IP had more than 15 connections. If it did, I'd block them.

What we were able to determine is that every host that was used to DoS us was a Windows-based machine. All of these hosts were running IIS4 or IIS5. We were also able to notice that the hosts used for the attack were being used in alphabetical order of their domain name as we blocked them.

Regards.

--
Sebastien Berube
Unix Systems Administrator
sberube@zeroknowledge.com
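The per-source connection tracker Berube describes (count established connections to the MX's SMTP port per source IP, block any source with more than 15, and keep polling because the attacker rotates to a new address once one is blocked), written out as an added example. This is not Berube's script and not ZKS code. It assumes socket-table lines in the `ss -Htn` style (state, recv-q, send-q, local endpoint, peer endpoint; the sample below is constructed) and only builds the iptables rules as strings instead of executing them.

```python
"""Per-source SMTP connection tracker (added example, not the poster's script).

Assumptions not in the original message:
  * input lines look like `ss -Htn` output:
        ESTAB 0 0 192.0.2.10:25 198.51.100.7:40000
  * blocking is done with an iptables DROP rule per offending source
  * the sample socket table below is constructed for the example
"""
from collections import Counter
from typing import Dict, List

SMTP_PORT = 25
THRESHOLD = 15          # the poster's cutoff: more than 15 established connections


def constructed_sample() -> str:
    """Constructed `ss -Htn`-style snapshot: one source flooding port 25,
    one legitimate source, one unrelated SSH session, one half-open SYN."""
    lines = [f"ESTAB 0 0 192.0.2.10:25 198.51.100.7:{40000 + i}" for i in range(17)]
    lines += [f"ESTAB 0 0 192.0.2.10:25 203.0.113.9:{50000 + i}" for i in range(3)]
    lines.append("ESTAB 0 0 192.0.2.10:22 203.0.113.9:51000")       # SSH, not SMTP
    lines.append("SYN-RECV 0 0 192.0.2.10:25 198.51.100.8:41000")   # not established
    return "\n".join(lines)


def split_endpoint(endpoint: str):
    """'host:port' -> (host, port); strips IPv6 brackets like '[2001:db8::1]:25'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def count_smtp_sources(ss_output: str, port: int = SMTP_PORT) -> Counter:
    """Count ESTABLISHED connections to our local SMTP port, keyed by peer IP.
    Half-open (SYN-RECV) and non-SMTP sockets are ignored."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_endpoint(fields[3])
        if local_port != port:
            continue
        peer_host, _ = split_endpoint(fields[4])
        counts[peer_host] += 1
    return counts


def offenders(counts: Dict[str, int], threshold: int = THRESHOLD) -> List[str]:
    """Source IPs with strictly more than `threshold` established connections."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


class Blocker:
    """Remembers what is already blocked so each poll only emits new rules.
    Matters here because the attacker moved to a new source after each block."""

    def __init__(self, port: int = SMTP_PORT, threshold: int = THRESHOLD):
        self.port = port
        self.threshold = threshold
        self.blocked = set()

    def rules_for(self, ss_output: str) -> List[str]:
        new = [ip for ip in offenders(count_smtp_sources(ss_output, self.port), self.threshold)
               if ip not in self.blocked]
        self.blocked.update(new)
        # Built as strings; in real use these would be passed to subprocess.run.
        return [f"iptables -I INPUT -s {ip} -p tcp --dport {self.port} -j DROP" for ip in new]


if __name__ == "__main__":
    # In production, replace constructed_sample() with the output of `ss -Htn`
    # and run this in a loop (e.g. every few seconds).
    blocker = Blocker()
    for rule in blocker.rules_for(constructed_sample()):
        print(rule)
    # A second, rotated source (constructed) shows why the blocked set is kept.
    rotated = "\n".join(f"ESTAB 0 0 192.0.2.10:25 198.51.100.9:{42000 + i}" for i in range(16))
    for rule in blocker.rules_for(rotated):
        print(rule)
```

The threshold only counts ESTABLISHED sockets, which is what the post describes; a SYN flood would need conntrack or SYN-cookie handling instead, since half-open sockets never reach that state.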