[Snort-users] mirkforce IRC attack

Andrew Daviel andrew at ...523...
Thu Mar 8 19:30:29 EST 2001

Just found an IRC attack tool "mirkforce" (see eg.

The packet data is probably standard IRC "nick xxx", but the
attack seems to spoof unoccupied addresses in a class C subnet and use an
incrementing source port on the one machine.

This is a bitch to find unless you have ARP logs, since the
hacked machine does not use its own IP to connect to the target.

21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF
21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF
21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF
21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF
21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
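
Added example, not part of the original post: a Python sketch that flags the pattern visible in the capture above, where SYNs from many "different" addresses in one class C share a single incrementing source-port counter and near-identical TCP timestamp values, which points to one sending host. The function names and the three thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# tcpdump SYN line: "<time> <src>.<sport> > <dst>.<dport>: S ... timestamp <tsval>"
SYN_RE = re.compile(
    r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): S "
    r".*?timestamp (?P<tsval>\d+)")

# The five SYNs quoted in the post, each rejoined onto one line.
SAMPLE = [
    "21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF",
    "21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF",
    "21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF",
    "21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF",
    "21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF",
]

def parse_syns(lines):
    """Yield (src, sport, dst, dport, tsval) for every line that parses as a SYN."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["tsval"])

def find_single_host_spoofing(lines, min_sources=4, max_port_gap=3, max_ts_spread=10):
    """Report (subnet, target) groups whose many sources behave like one machine."""
    groups = defaultdict(list)
    for src, sport, dst, dport, tsval in parse_syns(lines):
        subnet = src.rsplit(".", 1)[0]  # class C prefix, as described in the post
        groups[(subnet, dst, dport)].append((src, sport, tsval))
    findings = []
    for (subnet, dst, dport), pkts in groups.items():
        sources = {src for src, _, _ in pkts}
        if len(sources) < min_sources:
            continue
        ports = [sport for _, sport, _ in pkts]
        # One ephemeral-port counter: ports keep rising in small steps across sources.
        one_counter = all(0 < b - a <= max_port_gap for a, b in zip(ports, ports[1:]))
        # One TCP timestamp clock: independent hosts would not share these values.
        tsvals = [ts for _, _, ts in pkts]
        one_clock = max(tsvals) - min(tsvals) <= max_ts_spread
        if one_counter and one_clock:
            findings.append({"subnet": subnet, "target": f"{dst}:{dport}",
                             "sources": len(sources), "ports": (ports[0], ports[-1])})
    return findings

if __name__ == "__main__":
    print(find_single_host_spoofing(SAMPLE))
```

A hit only says the sources are probably one machine; the ARP logs mentioned in the post are still what ties the spoofed addresses to a MAC address.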
