[Techtalk] Weird http leeches

Dave North dave at timocharis.com
Mon May 13 10:01:32 EST 2002


Rosie:

> I am really tired, so hopefully I'm getting this right..

You did!

> This sounds a whole lot like what happened surrounding the DRDOS attack
> against Steve Gibson at grc.com this past January. If you haven't seen
> it, check out his page about it:
> http://grc.com/dos/drdos.htm

That was exactly it. And at least I have the tiny gratification of knowing
that (a) I mostly figured it out and (b) am doing the right thing by
dropping the packets. Thank you very much for that.
	I hope that (c) he's not right that little can be done to locate
these punks.

John:
> I think this is a discussion of the same problem:
> http://online.securityfocus.com/archive/75/256047/2002-02-10/2002-02-16/0

Indeed it looks very much like one of the online comments quoted by Steve
in the above article, and clearly refers to the same thing.
	It's interesting getting a grasp on the nature of this mess.
	Thanks again!

At the very least, I suppose, I'd suggest anyone running a server keep an
eye out for persistent small numbers of SYN_RECV traffic (if you're
running bsd, it's slightly different ... but I suppose all such would be
on bsdchix, right?) and block those IPs (they're unlikely to actually want
access to your machine, so it's a "mercy killing," even though the listed
address is not your tormentor -- you are its tormentor!)

More on this as/if I find out anything.


Dave
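The check Dave suggests above (watch for a persistent trickle of SYN_RECV entries from the same remote addresses, then drop them) can be automated. The following is an added example for this archive page, not code from the original post or from anyone on the list. The netstat lines are constructed sample data, the firewall rule strings assume a Linux host with iptables (the post names no tool), and the BSD state name SYN_RCVD is accepted alongside SYN_RECV to cover the "slightly different" case the post mentions.

```python
"""Find remote addresses that sit in SYN_RECV across repeated netstat
samples, the reflector symptom described in the post above.
Added example; not from the original message.  All netstat output
below is constructed for illustration."""
import re
from collections import Counter

# Constructed `netstat -nt` style output, sampled a few seconds apart.
# 203.0.113.7 is present in every sample; the others come and go.
SAMPLES = [
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:3011        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:3012        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.44:51234     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:40001      SYN_RECV
""",
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:3013        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:2200     SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.44:51234     ESTABLISHED
""",
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:3014        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:2201     SYN_RCVD
""",
"""Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:3015        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.44:51234     ESTABLISHED
""",
]

# Linux prints SYN_RECV; the BSDs print SYN_RCVD for the same state.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}

# proto recv-q send-q local foreign state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def syn_recv_peers(sample):
    """Return the set of remote IPs that are half-open in one sample."""
    peers = set()
    for line in sample.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # header or unrelated line
        _local, foreign, state = m.groups()
        if state not in HALF_OPEN_STATES:
            continue
        ip, _sep, _port = foreign.rpartition(":")   # strip the port
        peers.add(ip)
    return peers


def persistent_syn_recv(samples, min_samples=3):
    """Map each remote IP to the number of samples in which it was
    half-open, keeping only those seen in at least min_samples samples.
    A single appearance is normal; the same address sitting there
    sample after sample is the reflector pattern."""
    seen = Counter()
    for sample in samples:
        seen.update(syn_recv_peers(sample))
    return {ip: n for ip, n in seen.items() if n >= min_samples}


def block_rules(ips):
    """Drop rules for the persistent peers.  Assumption: Linux/iptables;
    the post does not say which firewall it uses."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    suspects = persistent_syn_recv(SAMPLES)
    for ip, n in suspects.items():
        print(f"{ip}: half-open in {n} of {len(SAMPLES)} samples")
    for rule in block_rules(suspects):
        print(rule)
```

In practice the samples come from running netstat on a schedule rather than from a constant, and the threshold should be tuned so that a slow but legitimate client does not get swept up. As the post notes, the address that ends up blocked is the real victim of the flood, not its source; the rule only stops your server from adding to that victim's load.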

