[Snort-sigs] New DDoS?

Andy Shelley
Mon Aug 26 10:19:03 EDT 2002

Spotted today.... UDP packets with multiple source addresses (many, many 
sources... spoofed or trojan'd, unknown), single destination.  Packets 
were pretty much all the same size, with 848 byte payloads (a few were 
837).  Destination ports were fairly random, it appears, source ports 
ranged between 1024 and 5000.  Three types of payloads found:

1) +++ATH0 that repeats the entire payload... reminds me of the old ICMP 
based modem attack.
2) an entire payload of @
3) an entire payload of mostly symbols, reminiscent of a comic strip 

3 sigs whipped up quickly to help spot:

# payload type 1: repeated +++ATH0
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Modem Attack"; content:"+ + +ATH0"; classtype:attempted-dos;)

# payload type 2: all @
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS AT Attack"; content:"@"; classtype:attempted-dos;)

# payload type 3: symbol string
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Curse Attack"; content:"&!%&!%"; classtype:attempted-dos;)

Has anyone seen such an attack before?  I've googled for the last hour, 
can't find a mention of that kind of payload.

Andy Shelley
Cbeyond Communications
andy at ...786...
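The three payload types and the flood profile described above (many sources, one destination, 837/848-byte payloads, source ports 1024-5000), as an added example that is not part of the original post: a small Python script that parses raw IPv4/UDP datagrams, labels the payload the way the three sigs do, and groups hits by destination so the many-sources-one-target pattern is visible. The sample packets, the 10.0.0.x/192.0.2.x/198.51.100.x addresses, the 90% punctuation threshold for the "mostly symbols" payload and all function names are constructed for this example. Unlike the second and third sigs, which fire on any UDP payload that contains an "@" or "&!%&!%", the classifier requires the whole payload to be made of the marker, so a packet that merely carries an e-mail address does not count.

```python
import string
import struct
from typing import Dict, List, Optional, Tuple

# Fingerprints from the post: a payload that is "+++ATH0" repeated, a payload
# that is all "@", and a payload of symbols containing "&!%&!%".  The 837/848
# byte sizes and the 1024-5000 source-port range are the post's observations.
MODEM_MARKER = b"+++ATH0"
CURSE_MARKER = b"&!%&!%"
PAYLOAD_SIZES = {837, 848}
SPORT_RANGE = range(1024, 5001)
PUNCT = set(string.punctuation.encode())
# Assumption for this example: "mostly symbols" means at least 90% punctuation.
PUNCT_RATIO = 0.9


def classify_payload(payload: bytes) -> Optional[str]:
    """Label a UDP payload with the matching sig name, or None."""
    if not payload:
        return None
    # +++ATH0 repeated for the whole payload (a trailing partial copy is allowed)
    repeats = len(payload) // len(MODEM_MARKER) + 1
    if payload == (MODEM_MARKER * repeats)[: len(payload)]:
        return "DDOS Modem Attack"
    # entire payload of "@"
    if payload.strip(b"@") == b"":
        return "DDOS AT Attack"
    # mostly symbols, and carrying the "&!%&!%" run the third sig keys on
    punct = sum(1 for c in payload if c in PUNCT)
    if CURSE_MARKER in payload and punct >= PUNCT_RATIO * len(payload):
        return "DDOS Curse Attack"
    return None


def parse_ipv4_udp(frame: bytes) -> Tuple[str, str, int, int, bytes]:
    """Parse an IPv4 datagram carrying UDP: (src, dst, sport, dport, payload)."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + ulen]
    return src, dst, sport, dport, payload


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP datagram (checksums left zero) as test input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp


def inspect(frame: bytes) -> Dict[str, object]:
    """Classify one datagram and note whether it fits the observed flood profile."""
    src, dst, sport, dport, payload = parse_ipv4_udp(frame)
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "label": classify_payload(payload),
        "profile": len(payload) in PAYLOAD_SIZES and sport in SPORT_RANGE,
    }


def summarize(frames: List[bytes]) -> Dict[str, Dict[str, object]]:
    """Group labelled packets by destination: distinct sources and label counts."""
    by_dst: Dict[str, Dict[str, object]] = {}
    for frame in frames:
        hit = inspect(frame)
        if hit["label"] is None:
            continue
        entry = by_dst.setdefault(hit["dst"], {"sources": set(), "labels": {}})
        entry["sources"].add(hit["src"])
        entry["labels"][hit["label"]] = entry["labels"].get(hit["label"], 0) + 1
    return by_dst


# Constructed sample traffic (not captured data): three spoofed sources hitting
# one destination on random ports, plus one benign packet that merely contains "@".
SAMPLE_FRAMES = [
    build_ipv4_udp("10.0.0.1", "192.0.2.10", 2001, 4444, (MODEM_MARKER * 122)[:848]),
    build_ipv4_udp("10.0.0.2", "192.0.2.10", 3333, 27015, b"@" * 848),
    build_ipv4_udp("10.0.0.3", "192.0.2.10", 4999, 6112, b"&!%" * 279),
    build_ipv4_udp("198.51.100.5", "192.0.2.10", 5060, 5060, b"INVITE sip:bob@example.com"),
]

if __name__ == "__main__":
    for dst, entry in summarize(SAMPLE_FRAMES).items():
        print(dst, len(entry["sources"]), "sources", entry["labels"])
```

Run against a real capture by feeding parse_ipv4_udp the IP layer of each packet; the "profile" flag is worth keeping separate from the label, since a stray packet matching one marker is a curiosity while dozens of 848-byte payloads from distinct sources toward one host inside a minute is the flood the sigs are meant to spot.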

