DoS attack from iBurst network?

Grimsqueaker (Well-Known Member, joined Feb 14, 2005)
I have been picking up what Sygate firewall thinks is a Code Red DoS attack from the 196.46 network, which seems to be the WBS IP range. The IP address changes within this network, but the remote MAC is always 01-00-20-00-01-00. The event lasts for a few minutes and normally happens fewer than 10 times. I have been using the "stop all active response" function, which seems to make Sygate happy.

Has anyone else experienced this? Does anyone know if this is Sygate making a stupid mistake, like assuming that Windows Help is a hijack?

Backtracing and using whois yields the following:

OrgName: African Network Information Center
OrgID: AFRINIC
Address: CSIR/icomtek
Address: 43A
Address: PO Box 395
City: Pretoria
StateProv: Gauteng
PostalCode: 0001
Country: ZA

NetRange: 196.46.0.0 - 196.46.15.255
CIDR: 196.46.0.0/20
NetName: AFRINIC-196-46-0-0
NetHandle: NET-196-46-0-0-1
Parent: NET-196-0-0-0-0
NetType: Transferred to AfriNIC
Comment: This IP address range is under AFRINIC responsibility.
Comment: Please see http://www.afrinic.net/ for further details,
Comment: or check the WHOIS server located at whois.afrinic.net.
RegDate: 2005-02-21
Updated: 2005-02-21

OrgAbuseHandle: GENER11-ARIN
OrgAbuseName: Generic POC
OrgAbusePhone: +230 4666616
OrgAbuseEmail: [email protected]

# ARIN WHOIS database, last updated 2005-05-23 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
DoS ain't a hijack, it's simply sending more data than you can handle till it knocks something offline, either your whole box or the service. Code Red is extremely old, so I don't think it's that, although there are only a few variations of DoS attacks (DDoS, DRDoS, SYN etc.) and the one the Code Red worm used is the most common.

The whole point of a DoS attack is to watch the payload, so the attacker will target a specific person/website/service and watch it go offline. So if this is indeed a valid attempt at a DoS, it's more than likely from someone you know or pissed off on a service where they could see your IP, like IRC or whatever.

Here's the thing: if I was to use my connection to DoS another iBurst connection it would be in vain. The only way you knock someone off with that variation of the attack is if you completely swamp them with data, so a 10 Mbit connection sending data at max capacity to a 1 Mbit one (UDP of course) would work; 1 Mbit to 1 Mbit wouldn't. So all in all it's probably a false alarm.

Tracing an IP of a DoS attack is pointless. See, the data is sent over UDP, which is a connectionless protocol, so the attacker can (and will 99.999% of the time) spoof the IP (every tool I've ever seen does exactly that), since they don't need to receive any data back from you. So the attack can look like it originated from anywhere, and that is probably not the IP the packets were sent from.

Of course if it were automated it would be a DDoS attack, but you have one IP there, so I'd assume it wasn't one of those either.

A lot of firewalls will "detect" a DoS attack even if they receive 2 fake SYN packets, which is entirely likely with all the spybots and automated exploits constantly scanning the internet for vulnerable hosts and services, so I'd say this is nothing to be worried about at all. SYN attacks can be prevented, but straight DoS, DRDoS and DDoS attacks are hard to prevent unless you use a proxy firewall (in which case the proxy gets knocked off the net instead of you). At best the firewall records it or notifies you of it just before it knocks you off, so the fact you never got knocked off means it wasn't a real DoS attack; it just looked that way to the firewall.

In the event you were to get DoSed or DDoSed your connection dies, you reconnect and it's all over because you have a shiny new IP. It's really nothing to worry about. DoS attacks aren't too much of a problem unless you have a static IP; exploits on the other hand I'd be worried about :p
 
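The reply above makes three checkable points: a firewall that "detects" a DoS on a couple of stray SYN packets is reacting to volume it never measured, the source address of UDP (or a bare SYN) cannot be trusted because no reply is needed, and a real flood is a sustained rate rather than a handful of events. The script below is an added example, not code from the thread or from Sygate: it parses a constructed log format (the field layout, every sample line, and the thresholds are assumptions made for this example, not a real Sygate export) and applies those three checks, plus a check on the MAC address mentioned in the first post, which tests whether the address has its I/G bit set and so is a group address rather than one adapter's own unicast address.

```python
"""Triage 'DoS' alerts from a personal firewall log.

Added example, not from the thread. The log format and every line in
SAMPLE_LOG are constructed for this example; they are not a Sygate export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: date time action proto src_ip src_mac dst_port [flags]
# The first four lines are isolated probes of the kind the reply describes;
# the loop then appends a sustained burst (50 packets/s for 6 s) from one source.
_LINES = [
    "2005-05-23 19:00:01 BLOCK TCP 196.46.1.10 01-00-20-00-01-00 80 SYN",
    "2005-05-23 19:00:02 BLOCK TCP 196.46.1.10 01-00-20-00-01-00 80 SYN",
    "2005-05-23 19:03:40 BLOCK UDP 196.46.2.55 01-00-20-00-01-00 1434",
    "2005-05-23 19:10:15 BLOCK TCP 10.0.0.7 00-11-22-33-44-55 135 SYN",
]
_BURST_START = datetime(2005, 5, 23, 19, 20, 0)
for _i in range(300):
    _t = _BURST_START + timedelta(seconds=_i // 50)
    _LINES.append(f"{_t:%Y-%m-%d %H:%M:%S} BLOCK UDP 196.46.3.9 01-00-20-00-01-00 7")
SAMPLE_LOG = "\n".join(_LINES)


def parse_log(text):
    """Parse the constructed format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # skip blank or malformed lines
        events.append({
            "time": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": parts[2],
            "proto": parts[3],
            "src_ip": parts[4],
            "src_mac": parts[5],
            "dst_port": int(parts[6]),
            "flags": set(parts[7:]),
        })
    return events


def peak_rate(events, window=timedelta(seconds=1)):
    """Return {src_ip: most packets seen from that source inside any one window}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e["time"])
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] >= window:  # slide the window's left edge forward
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best
    return peaks


def classify(events, min_packets=100, min_pps=20.0):
    """'flood' only when both volume and average rate are high; otherwise 'stray'.
    The thresholds are arbitrary example values, not Sygate's."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e["time"])
    verdicts = {}
    for src, times in by_src.items():
        span = (max(times) - min(times)).total_seconds() or 1.0
        pps = len(times) / span
        verdicts[src] = "flood" if len(times) >= min_packets and pps >= min_pps else "stray"
    return verdicts


def source_attributable(event):
    """A UDP datagram or a bare SYN needs no reply, so its source address is
    unverified; only traffic past a completed handshake points at a real host."""
    if event["proto"] == "UDP":
        return False
    return "SYN" not in event["flags"]


def is_group_mac(mac):
    """True when the I/G bit (LSB of the first octet) is set: the address is a
    group (multicast/broadcast) address, which no adapter uses as its own."""
    first_octet = int(mac.replace(":", "-").split("-")[0], 16)
    return bool(first_octet & 0x01)


def triage(text):
    """Combine the checks into one verdict per source address."""
    events = parse_log(text)
    verdicts, peaks = classify(events), peak_rate(events)
    report = {}
    for e in events:
        r = report.setdefault(e["src_ip"], {"verdict": verdicts[e["src_ip"]],
                                            "peak_pps": peaks[e["src_ip"]],
                                            "attributable": False, "group_mac": False})
        r["attributable"] |= source_attributable(e)
        r["group_mac"] |= is_group_mac(e["src_mac"])
    return report


if __name__ == "__main__":
    for src, r in triage(SAMPLE_LOG).items():
        print(f"{src:14} {r['verdict']:6} peak={r['peak_pps']:3}/s "
              f"source_verified={r['attributable']} group_mac={r['group_mac']}")
```

Run as-is, the script labels the two SYNs from 196.46.1.10 and the single UDP probe as "stray" and only the 300-packet burst as "flood", while marking every UDP and SYN-only source as unverified, which is the reply's point that the logged IP of such traffic is not worth tracing. The sliding-window peak rate is kept separate from the average-rate verdict so that a short spike and a sustained flood can be told apart when tuning thresholds for a real log.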