Ascend Archive

Re: (ASCEND) Max4030 Crash: DoS attack against dialup user




On Wed, 1 Jul 1998, Leland E. Vandervort wrote:

> Date: Wed, 1 Jul 1998 06:19:51 +0100
> From: "Leland E. Vandervort" <lelandv@innotts.co.uk>
> To: support@ascend.com
> Cc: ascend-users@bungi.com, noc@innotts.net, noc@innotts.com,
>     cindyc@innotts.net, allenc@innotts.net
> Subject: (ASCEND) Max4030 Crash: DoS attack against dialup user
> 
> 00:19:14.821715 efnet.demon.co.uk.6667 > max-pool-p12.innotts.co.uk.1905: P 92:150(58) ack 15 win 64240 (DF)
> 00:19:15.183561 max-pool-p12.innotts.co.uk.1905 > efnet.demon.co.uk.6667: . ack 150 win 8421 (DF) [tos 0x7]
> 00:19:16.585216 efnet.demon.co.uk.6667 > max-pool-p12.innotts.co.uk.1905: P 150:197(47) ack 15 win 64240 (DF)
> 00:19:16.923657 max-pool-p12.innotts.co.uk.1905 > efnet.demon.co.uk.6667: . ack 197 win 8374 (DF) [tos 0x7] 
> 
	This appears to just be the user on IRC... connecting to an EFnet
server... nothing wrong here...

> 00:19:17.038114 51.68.124.172.21087 > max-pool-p12.innotts.co.uk.37835: udp 28 (frag 242:36@0+)
...
> 00:19:18.627889 [|udp] (frag 242:224@0+)                             
> 
	These appear to be your "kiddie" DoS attacker... Unfortunately I
would be willing to guess that they are all forged/spoofed so you may not
be able to use any information from them to figure out who it is or what
provider to make your complaint to...
	Most of the DoS attacks I've had against our users have been the
age-old winnuke, which placing blocks on ports 137-139 stops rather well...
and port 9 to stop the Ascend Kill 2 bounce exploit... I've also had
persons use other exploits against my home machine (Debian GNU/Linux 3.0)
such as nestea, boink, tear, newtear, land, etc., and they have not affected
either my machine or the maxen... Of course I have a firewall running on
my machine, but the maxen was never locked up in either of these cases...
This may be a new exploit they were using, so checking rootshell.com for
the latest "toys" on the net may be in order...
	Sincerely,
	Jeremy T. Bouse
	System Administrator

    Jeremy T. Bouse - SouthNet TeleComm Services, Inc - www.STSI.net
  PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198  19D0593E50E597E9
 Public PGP key available by sending email with 'send pgpkey' in subject
     undrgrid@UnderGrid.net - NIC Whois: JB5713 - undrgrid@STSI.net
          /earth is 98% full ... please delete anyone you can.
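
Added example, not part of the original message: a small Python check for the pattern visible in the quoted capture, where two fragments with the same ID (242) both claim offset 0 with different sizes. It assumes numeric `tcpdump -n` output in the old `(frag id:size@offset+)` notation; the addresses and the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Old tcpdump notation: "(frag id:size@offset+)", trailing "+" = more fragments follow.
# Assumes -n (numeric) output; an optional fifth dotted field is the port.
FRAG = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
    r".*\(frag (?P<id>\w+):(?P<size>\d+)@(?P<off>\d+)\+?\)"
)

# Constructed sample: one IRC segment, one datagram whose fragments collide
# at offset 0 (as in the quoted capture), and one cleanly fragmented datagram.
SAMPLE = """\
00:19:16.585216 198.51.100.5.6667 > 203.0.113.12.1905: P 150:197(47) ack 15 win 64240 (DF)
00:19:17.038114 192.0.2.7.21087 > 203.0.113.12.37835: udp 28 (frag 242:36@0+)
00:19:18.627889 192.0.2.7 > 203.0.113.12: [|udp] (frag 242:224@0+)
00:19:19.100000 198.51.100.9.53 > 203.0.113.12.1030: udp 1592 (frag 77:1480@0+)
00:19:19.100400 198.51.100.9 > 203.0.113.12: (frag 77:120@1480)
"""

def find_overlaps(text):
    """Return {(src, dst, frag_id): [(offset, size), ...]} for datagrams
    whose fragments claim overlapping byte ranges."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FRAG.search(line)
        if m:
            key = (m["src"], m["dst"], m["id"])
            seen[key].add((int(m["off"]), int(m["size"])))  # set drops exact retransmits
    flagged = {}
    for key, frags in seen.items():
        ordered = sorted(frags)
        end = 0  # furthest byte covered by the fragments examined so far
        for off, size in ordered:
            if off < end:          # starts inside data already claimed
                flagged[key] = ordered
                break
            end = max(end, off + size)
    return flagged

if __name__ == "__main__":
    for (src, dst, fid), frags in find_overlaps(SAMPLE).items():
        print(f"overlapping fragments id={fid} {src} -> {dst}: {frags}")
```

Because the source addresses in such traffic may be forged, the destination and fragment ID are the useful fields when turning a hit into a filter or a report.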

