Tracking stealth portscan/pepsi attacks
Jonas Luster j.luster at cert.gigabell.net
Wed Sep 1 13:09:02 CEST 1999
[ Quoting Petra Zeidler <zeidler at xlink.net> ]:

> there seems to have been quite a wash of stealth portscans and/or pepsi
> attacks lately (stealth portscan: you portscan with 99% of the sender

Even worse (at least here): There's a modified version of Pepsi5 around
letting the attacker control his bot via ICMP, which allows control even
when the net is nearly down due to the UDP attacks.

> cybercity.dk must have been seeing some of these attacks pass, first glance
> judging from http://stat.cybercity.dk/ripe/ and the fallout in de.xlink
> (where I positively know the addresses not to be routed) and de.zz (where
> most of the address space is handled by RIPE nowadays).

Same goes for de.IPF, where these types of attacks caused quite a bit of
work and manpower to be wasted. The last few weeks I've been working
full-time just on these problems.

> I'd like to have a chance to catch the perpetrators. This would need to be
> a multi-provider cooperation in the majority of cases.
> Do we have an appropriate forum to discuss this at the next RIPE meeting?

I'd vote for a WG focussing on these things. IIRC there have been plans
on a RIPE-Security WG around RIPE-29 or 30. If there's a bigger interest
in these topics, what about a Security-BOF next RIPE?

In general, net-abuse has become one of the major problems these days,
including but not limited to attacks, scans, mailbombs, a.s.o.

regards, Jonas Luster

--
Gigabell AG / Frankfurt        Signed / encrypted mail welcome
Chief Security Engineer        Key to be found on the known places
j.luster at cert.gigabell.net  Securing the net of the future