Hi,

On 05-May-00, you wrote:


> I hope someone here has a clue or suggestion about the following. For
> quite some days now I have been having problems while chatting on IRC: a user
> there doesn't seem to like me and floods me offline every time he sees
> me. He uses Linux behind a firewall and seems to know quite some stuff
> (some say he's a hacker).

Yep, a skr1pt k1dd13 :P

> Anyway, for what I have seen, he sends lots of
> packets to my connection, overloading it thus. Miami detects a ping
> flood (and ignores the pings I guess) but still I end up disconnected,
> the modem (TKR TriStar V34 28.8) goes crazy.

That'll be the huge number of packets he's sending.

> Well, is there any way to protect myself against such flood attacks? I
> use Miami 3.2b, and have thought about adding the IPs he floods from to
> the IP-Filter, but it seems they differ every time he does so, and apart
> from that it would not really help to keep my line clean, no? The attacks don't
> go through IRC, since AmIRC doesn't detect any floods. I am quite
> helpless here and wish I had an ADSL connection.

Different every time a packet comes through, or different for each individual
attack? I suspect that they are spoofing the ping packets by making up a
raw packet with a random source IP address. This isn't as difficult as you
might think. If he uses Linux, he'll either own a box or be on a
dialup, because to send raw packets he'll need root access to the machine.
If he had h4xx0r3d in and got root on the box he wouldn't be wasting time
flooding people on IRC with ICMP.

> I will EMail my ISP also and ask them for advice, but until then... I am
> not sure if they can get to that person, since even when on IRC he seems
> to hide his real IP address.

Tell your ISP exactly what happens, and give them any logs you can get from
Miami. They might be able to find the floods in their logs. Keep a note of
the IP you had when he flooded you, and give them that too. Even though the
packets are probably spoofed, if the logs at each site his packets travelled
through are extensive enough, it might be possible to trace the route the
packets came through. I wouldn't hold out hope for that one; that's more how
the likes of the FBI trace people who break into banks, rather than ICMP
floods.

He is probably using a SOCKS proxy, often called a wingate, although WinGate
does much more than just SOCKS. If his username on IRC has a ~ in it, he's
probably on a proxy.
-eg-
MadSci!~[EMAIL PROTECTED]

I wouldn't condone you port scanning the IP he uses on IRC, but go find an
IRCop: using an anonymous proxy to IRC on your network might be disallowed,
and they might be able to check the IP for a proxy.

Regards
-- 
Iain Simpson

The Xnet IRC Network
Co-Admin - canadian.on.ca.Xnet.org
[EMAIL PROTECTED], [EMAIL PROTECTED]
ICQ: 28874286

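Added example, not from Iain's reply or from the AmIRC/Miami projects: a small Python script that does with a packet log what the reply suggests doing with the Miami logs. It groups inbound ICMP echo-requests into one-second windows, flags windows that exceed a packet threshold, and estimates whether the sources are spoofed from how many distinct addresses appear in the burst. A burst where nearly every packet carries a different source is what a raw-socket flooder forging random source IPs produces, and it is why adding the observed addresses to an IP filter does not help; a burst from one stable source is the case where a filter would. The log format, the sample addresses, the 20-packet threshold and the 0.9 distinct-source ratio are all assumptions made for this example; Miami's real log format is not shown in the thread, so adapt the regex to whatever your stack writes.

```python
import re
from collections import Counter, defaultdict

# --- constructed sample log (assumed format, not Miami's real one) ----------
# Fields: unix-seconds proto subtype src=... dst=...
# Window t=100: the dialup's own IRC traffic plus one legitimate ping reply.
# Window t=101: sixty echo-requests in one second, every one from a different
#               source address (what a random-source spoofing flooder looks like).
# Window t=102: thirty echo-requests, all from one real host (non-spoofed flood).
MY_IP = "192.0.2.77"          # documentation-range address standing in for the dialup IP
IRC_SERVER = "198.51.100.6"   # assumed address of the IRC server

def _build_sample_log() -> str:
    lines = [
        f"100 TCP data src={IRC_SERVER} dst={MY_IP}",
        f"100 ICMP echo-reply src={IRC_SERVER} dst={MY_IP}",
        f"100 TCP ack src={MY_IP} dst={IRC_SERVER}",
    ]
    for i in range(60):
        # 13 is invertible mod 251, so the 60 generated addresses are all distinct.
        src = f"10.{i % 7}.{(i * 13) % 251}.{(i * 7) % 253}"
        lines.append(f"101 ICMP echo-request src={src} dst={MY_IP}")
    for _ in range(30):
        lines.append(f"102 ICMP echo-request src=203.0.113.9 dst={MY_IP}")
    return "\n".join(lines) + "\n"

SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>\S+)\s+(?P<sub>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = int(d["ts"])
            packets.append(d)
    return packets

def echo_request_windows(packets, window=1):
    """Group inbound ICMP echo-requests into fixed windows of `window` seconds.
    Returns {window_start: Counter(src -> packet count)}."""
    buckets = defaultdict(Counter)
    for p in packets:
        if p["proto"] == "ICMP" and p["sub"] == "echo-request" and p["dst"] == MY_IP:
            buckets[(p["ts"] // window) * window][p["src"]] += 1
    return buckets

def classify_floods(packets, window=1, threshold=20):
    """One finding per window whose echo-request count exceeds `threshold`.
    spoofed_guess is True when (almost) every packet carries a different source,
    the signature of a flooder forging random source IPs."""
    findings = []
    for start, srcs in sorted(echo_request_windows(packets, window).items()):
        total = sum(srcs.values())
        if total <= threshold:
            continue
        distinct = len(srcs)
        findings.append({
            "window_start": start,
            "packets": total,
            "distinct_sources": distinct,
            "spoofed_guess": distinct / total >= 0.9,   # assumed ratio
            "top_source": srcs.most_common(1)[0][0],
        })
    return findings

def ip_filter_would_help(findings):
    """An IP filter only helps when at least one flood comes from a stable source."""
    return any(not f["spoofed_guess"] for f in findings)

if __name__ == "__main__":
    found = classify_floods(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print("IP filter would help:", ip_filter_would_help(found))
```

The `spoofed_guess` column is what to look at before reaching for the IP-Filter: when it is True for every burst, hand the windows, counts and your own dialup IP at the time to the ISP instead, as the reply recommends, since those are the details their own logs can be matched against.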
__________________________________________________________
AmIRC Mailing List - Info & Archive: http://www.vapor.com/
For Listserver Help: <[EMAIL PROTECTED]>, "HELP"
To Unsubscribe: <[EMAIL PROTECTED]>, "UNSUBSCRIBE"
