Subject: Dist DoS and thank you.
To: None <tech-security@netbsd.org>
From: Stephen M Jones <smj@cirr.com>
List: tech-security
Date: 09/07/2001 19:50:08
Hi Folks .. 

I was able to subdue the 'port flooding' for now.  Basically, as odd
as it may seem, those requests were being sent from legitimate IP
addresses.  It was a carefully planned and organised attack and I've
notified each network.  Not unlike some we've seen before in the past.

The tools I used:  tcpdump, sed, awk, ksh, and ipf ..

Basically I took down the webserver and used tcpdump to listen to 
attempts to connect to port 80:

tcpdump -n host ip and port 80

and wrote it out to a file.  

I checked back in 45 minutes to generate a list of IP addresses and
how many requests were made using ksh, sed and awk .. which then wrote
firewall rules for those IPs and ipf ate that .. the ping times went
down and I could then bring the webserver back up.  I'm monitoring
for any lower bandwidth sites that were involved.  As Chris suggested
it's a bit of a pain to weed out malicious from proxy cache, but I'm
doing what I can.  They were mostly from Eastern Europe (our network
is in the western United States).

I'd like to say thank you for your suggestions and participation in
the thread..  Thank you!

SMJ
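The aggregate-and-block step described in the post, as an added example in POSIX shell (not code from the original message): it reads a capture in "tcpdump -n" line format, counts attempts per source address, and emits ipf block rules for the busiest sources. The interface name fxp0 and the 192.0.2.x / 198.51.100.x / 203.0.113.10 addresses are assumptions and constructed sample data, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: turn a "tcpdump -n ... port 80"
# capture into ipf block rules for the sources that hit the server hardest.
# Interface name (fxp0) and all addresses below are assumptions / constructed
# sample data, not values taken from the post.

# Constructed sample of tcpdump -n output: 192.0.2.7 sends three SYNs,
# 198.51.100.5 two, 192.0.2.9 one. 203.0.113.10 stands in for the web server.
SAMPLE_CAPTURE='19:50:01.000001 192.0.2.7.40001 > 203.0.113.10.80: S 1:1(0) win 16384
19:50:01.000002 198.51.100.5.51000 > 203.0.113.10.80: S 2:2(0) win 16384
19:50:01.000003 192.0.2.7.40002 > 203.0.113.10.80: S 3:3(0) win 16384
19:50:01.000004 192.0.2.9.40003 > 203.0.113.10.80: S 4:4(0) win 16384
19:50:01.000005 198.51.100.5.51001 > 203.0.113.10.80: S 5:5(0) win 16384
19:50:01.000006 192.0.2.7.40003 > 203.0.113.10.80: S 6:6(0) win 16384'

# count_sources: read tcpdump -n lines on stdin, print "hits address" per
# source, busiest first. The source is the field just before ">", minus
# its trailing .port; this works for old and new tcpdump line formats.
count_sources() {
    awk '{
        src = ""
        for (i = 2; i <= NF; i++) if ($i == ">") { src = $(i - 1); break }
        if (src == "") next
        sub(/\.[0-9]+$/, "", src)
        hits[src]++
    } END { for (a in hits) print hits[a], a }' | sort -rn
}

# make_ipf_rules THRESHOLD: read count_sources output on stdin and emit one
# ipf rule per address with more than THRESHOLD hits. Review the list before
# loading it with ipf -f: a busy proxy cache looks much like an attacker.
make_ipf_rules() {
    awk -v t="$1" -v iface="${IFACE:-fxp0}" '$1 > t {
        printf "block in quick on %s proto tcp from %s to any port = 80\n", iface, $2
    }'
}

# block_rules_from_capture THRESHOLD: the whole pipeline on a capture from stdin.
block_rules_from_capture() {
    count_sources | make_ipf_rules "$1"
}

# Stand-alone run: rules for every source seen more than twice in the sample.
printf '%s\n' "$SAMPLE_CAPTURE" | block_rules_from_capture 2
```

With the sample above only 192.0.2.7 crosses the threshold of two hits, so one rule is printed.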