[Snort-users] Urgent!! ddos-stacheldraht server-spoof

Siddhartha Jain s_i_d_j at ...131...
Fri Mar 30 21:59:25 EST 2001


Hi,

I got 302 "ddos-stacheldraht server-spoof" alerts from 235 unique IPs to 4
destination IPs in 3 days. Is every alert one packet containing the attack
signature? Does this look like the beginning of a real ddos? This is a typical
packet triggering the alert:

[**] IDS193/ddos-stacheldraht server-spoof [**]
03/30-21:10:18.123939 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800 len:0x3C
ss.ss.ss.ss -> dd.dd.dd.dd ICMP TTL:238 TOS:0x0 ID:16641 IpLen:20 DgmLen:32 DF
Type:8  Code:0  ID:666   Seq:1  ECHO
????
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

----------snip --------------------


Siddhartha
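
An added example, not part of the original post: a parser for the full-alert layout quoted above that tallies alerts per source and per destination, the figures the post cites. The alerts in SAMPLE are constructed with documentation-range addresses, and the names parse_alerts and summarize are hypothetical.

```python
import re
from collections import Counter

# Constructed alerts in the layout shown in the post; addresses are
# documentation-range placeholders. The second entry is mail-wrapped on purpose.
SAMPLE = """\
[**] IDS193/ddos-stacheldraht server-spoof [**]
03/30-21:10:18.123939 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800 len:0x3C
192.0.2.10 -> 198.51.100.5 ICMP TTL:238 TOS:0x0 ID:16641 IpLen:20 DgmLen:32 DF
Type:8  Code:0  ID:666   Seq:1  ECHO

[**] IDS193/ddos-stacheldraht server-spoof [**]
03/30-21:10:19.000001 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800
len:0x3C
192.0.2.10 -> 198.51.100.6 ICMP TTL:238 TOS:0x0 ID:16642 IpLen:20 DgmLen:32
DF
Type:8  Code:0  ID:666   Seq:1  ECHO

[**] IDS193/ddos-stacheldraht server-spoof [**]
03/30-21:11:02.500000 0:3:31:BA:A8:A8 -> 0:A0:C9:FC:2D:7C type:0x800 len:0x3C
192.0.2.77 -> 198.51.100.5 ICMP TTL:52 TOS:0x0 ID:301 IpLen:20 DgmLen:32 DF
Type:8  Code:0  ID:666   Seq:1  ECHO
"""

ENTRY = re.compile(r"\[\*\*\]\s*(.+?)\s*\[\*\*\](.*?)(?=\[\*\*\]|\Z)", re.S)
IP_LINE = re.compile(r"(\S+) -> (\S+) ICMP TTL:(\d+)")
ICMP_LINE = re.compile(r"Type:(\d+) Code:(\d+) ID:(\d+) Seq:(\d+)")

def parse_alerts(text):
    """Yield one dict per alert entry; tolerates lines wrapped by a mailer."""
    for m in ENTRY.finditer(text):
        body = " ".join(m.group(2).split())  # undo wrapping and column padding
        ip, icmp = IP_LINE.search(body), ICMP_LINE.search(body)
        if not (ip and icmp):
            continue  # not an ICMP alert in this layout
        yield {"sig": m.group(1), "src": ip.group(1), "dst": ip.group(2),
               "ttl": int(ip.group(3)), "icmp_type": int(icmp.group(1)),
               "icmp_id": int(icmp.group(3)), "seq": int(icmp.group(4))}

def summarize(alerts):
    """Count alert entries overall, per source address and per destination."""
    alerts = list(alerts)
    return {"alerts": len(alerts),
            "by_src": Counter(a["src"] for a in alerts),
            "by_dst": Counter(a["dst"] for a in alerts)}

if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE))
    print(s["alerts"], "alerts,", len(s["by_src"]), "sources,", len(s["by_dst"]), "destinations")
```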

