[NTLUG:Discuss] How does 'ip address spoofing work'?
Kipton Moravec
kip at kdream.com
Sat Jul 5 11:26:25 CDT 2003
http://grc.com/dos/grcdos.htm
Has the experience of one guy.
In you have to filter each address. Most likely it is NOT spoofing, but
someone who has placed robots on each of the computers without the owners'
knowledge.
Kip
At 10:44 AM 7/5/03, you wrote:
>One of my web servers is under a DOS attack right now.
>The error log shows that it's coming from 180 different
>IP Addresses.
>
>Here is a little of what my error log shows:
>[Sat Jul 5 10:07:47 2003] [error] [client 195.134.208.2] MySQL user
>giampi09 not found: /members/
>[Sat Jul 5 10:07:47 2003] [error] [client 213.156.39.4] MySQL user
>cchatterton not found: /members/
>[Sat Jul 5 10:07:48 2003] [error] [client 203.151.63.70] MySQL user
>scotsman not found: /members/
>[Sat Jul 5 10:07:48 2003] [error] [client 209.88.51.30] MySQL user
>kricket not found: /members/
>[Sat Jul 5 10:07:49 2003] [error] [client 200.204.182.137] MySQL user
>Toddio not found: /members/
>[Sat Jul 5 10:07:49 2003] [error] [client 209.88.51.20] MySQL user frigid
>not found: /members/
>[Sat Jul 5 10:07:51 2003] [error] [client 195.6.98.28] MySQL user
>almond62 not found: /members/
>[Sat Jul 5 10:07:52 2003] [error] [client 62.240.35.226] MySQL user
>flaming not found: /members/
>[Sat Jul 5 10:07:52 2003] [error] [client 62.68.48.218] MySQL user kdwell
>not found: /members/
>[Sat Jul 5 10:07:52 2003] [error] [client 200.38.97.6] MySQL user shitter
>not found: /members/
>[Sat Jul 5 10:07:53 2003] [error] [client 213.253.75.230] MySQL user
>holey not found: /members/
>[Sat Jul 5 10:07:53 2003] [error] [client 196.40.75.69] MySQL user framed
>not found: /members/
>[Sat Jul 5 10:07:53 2003] [error] [client 216.160.18.30] MySQL user
>shoulder not found: /members/
>[Sat Jul 5 10:07:55 2003] [error] [client 206.219.71.67] MySQL user
>channel not found: /members/
>[Sat Jul 5 10:07:55 2003] [error] [client 65.171.68.4] MySQL user
>greenfin not found: /members/
>[Sat Jul 5 10:07:56 2003] [error] [client 66.82.80.161] MySQL user geoff
>not found: /members/
>[Sat Jul 5 10:07:56 2003] [error] [client 200.3.154.17] MySQL user
>bigboobs not found: /members/
>
>Basically, they are accessing a password-protected area and seeing
>different userids exist. There have been 30K hits over the last
>couple of hours.
>
>So... either this is a bunch of hacked servers all attacking
>me in a concerted effort.... or someone is doing some sort of address
>spoofing ( pretending to be ) different addresses.
>
>So... if it's the latter... how does that work exactly? Does the attack
>have to be local to the network or can it be remote? If it's remote...
>do they have ZERO intentions of the response getting back to them and
>they are just trying to crash the server or what? I'm assuming if it's
>remote... the response is going to go to the address that is listed
>and it's not going to make it back to them.....
>
>Anyone know how these people work/think exactly?
>
>jack
>
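The log excerpt in the quoted message shows many client addresses each failing once with a different username. The following is an added example, not part of the original thread: it parses error-log lines of that shape and shows why a per-address failure limit stays silent on this pattern while an aggregate count per time window fires. The sample lines are constructed (documentation-range addresses, made-up usernames), and the thresholds are assumed values.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of the failure lines quoted in the post: [time] [error] [client IP] MySQL user X not found: PATH
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"MySQL user (?P<user>\S+) not found: (?P<path>\S+)$"
)

def parse(lines):
    """Yield (timestamp, ip, user, path) for each failed-lookup line."""
    for line in lines:
        # Collapse whitespace so mail-wrapped or double-spaced lines still match.
        m = LINE_RE.match(" ".join(line.split()))
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["ip"], m["user"], m["path"]

def summarize(lines, per_ip_limit=5, global_limit=10, window_s=60):
    """Compare a per-address failure limit with an aggregate sliding-window limit."""
    events = sorted(parse(lines))
    per_ip = Counter(ip for _, ip, _, _ in events)
    peak, start = 0, 0
    for end, ev in enumerate(events):
        # Advance the window start until it lies within window_s of the current event.
        while (ev[0] - events[start][0]).total_seconds() > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "failures": len(events),
        "distinct_ips": len(per_ip),
        "distinct_users": len({u for _, _, u, _ in events}),
        "ips_over_per_ip_limit": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        "peak_per_window": peak,
        "global_alert": peak > global_limit,
    }

# Constructed sample: 12 failures from 12 addresses in 6 seconds, plus one unrelated line.
SAMPLE = [
    f"[Sat Jul 5 10:07:{47 + i // 2:02d} 2003] [error] [client 192.0.2.{10 + i}] "
    f"MySQL user user{i:02d} not found: /members/"
    for i in range(12)
] + ["[Sat Jul 5 10:07:58 2003] [error] [client 192.0.2.99] File does not exist: /favicon.ico"]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, no single address exceeds the per-address limit, yet the aggregate window count crosses its threshold, which is the signature of a guessing run spread across many hosts.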