[INCIDENTS] smtp DDoS just stopped. (fwd)

J.A. Terranson measl at mfn.org
Sat Mar 31 14:40:19 PST 2001



Not exactly on topic, but since ZKS is frequently under discussion here, I
thought some of you might be interested...

-- 
Yours, 
J.A. Terranson
sysadmin at mfn.org

---------- Forwarded message ----------
Date: Fri, 30 Mar 2001 14:04:55 -0500
From: Sebastien Berube <sberube at ZEROKNOWLEDGE.COM>
To: INCIDENTS at SECURITYFOCUS.COM
Subject: [INCIDENTS] smtp DDoS just stopped.

I would just like to inform everybody our organisation just went under a
heavy smtp DoS.  The symptoms were thousands of connections established,
at first from the same source, to the smtp port of one of our MX.  Once
we'd started blocking this particular IP address, the connections started
coming from a different address.  And so on for about 3 hours.  I had to
write a quick and dirty connection tracker to determine if each source IP
had more than 15 connections.  If it did, I'd block them.

What we were able to determine is that every host that was used to DoS us
was a Windows-based machine.  All of these hosts were running IIS4 or
IIS5.  We were also able to notice that the hosts used for the attack
were being used in alphabetical order of their domain name as we blocked
them.

Regards.

--
Sebastien Berube
Unix Systems Administrator
sberube at zeroknowledge.com
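The per-source connection tracker described in the forwarded message, as an added example (not Berube's own script): it parses `netstat -an`-style output, counts ESTABLISHED connections to the local SMTP port per remote IP, and reports the sources above the 15-connection limit. The addresses and the `_fake_netstat` sample are constructed for the example.

```python
import re
from collections import Counter

# Threshold from the report: a source with more than this many established
# connections to the MX's SMTP port is treated as part of the flood.
MAX_CONNECTIONS_PER_SOURCE = 15
SMTP_PORT = 25

# One netstat -an TCP line, in BSD "addr.port" or Linux "addr:port" notation.
_NETSTAT_LINE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(\S+?)[.:](\d+)\s+(\S+?)[.:](\d+)\s+(\S+)"
)


def count_smtp_sources(netstat_output, local_port=SMTP_PORT):
    """Count ESTABLISHED connections to local_port, keyed by remote IP."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line.strip())
        if not m:
            continue  # header lines, UDP and unix sockets are skipped
        _local_ip, local_p, remote_ip, _remote_p, state = m.groups()
        if int(local_p) == local_port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts


def sources_to_block(netstat_output, limit=MAX_CONNECTIONS_PER_SOURCE):
    """Return the remote IPs holding more than `limit` SMTP connections."""
    counts = count_smtp_sources(netstat_output)
    return sorted(ip for ip, n in counts.items() if n > limit)


def _fake_netstat(connections):
    """Build constructed netstat -an output from (remote_ip, local_port, n)."""
    lines = ["Active Internet connections",
             "Proto Recv-Q Send-Q  Local Address  Foreign Address  (state)"]
    port = 40000  # constructed ephemeral source ports
    for remote_ip, local_port, n in connections:
        for _ in range(n):
            lines.append(f"tcp4  0  0  192.0.2.10.{local_port}  "
                         f"{remote_ip}.{port}  ESTABLISHED")
            port += 1
    return "\n".join(lines)


# Constructed sample: one flooding source, one busy relay exactly at the
# limit, and unrelated HTTP traffic that the SMTP filter must ignore.
SAMPLE_NETSTAT = _fake_netstat([
    ("198.51.100.7", 25, 40),   # flooder: well over the limit
    ("203.0.113.9", 25, 15),    # exactly 15: not blocked
    ("203.0.113.50", 80, 30),   # port 80, not counted
])
```

Running `sources_to_block(SAMPLE_NETSTAT)` yields only the flooding source; in practice the function would be fed the live socket table on the MX and re-run every few seconds, since the report notes the flood moved to a new address each time one was blocked.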






More information about the cypherpunks-legacy mailing list