IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

ADVISORY 01-012

"Ongoing DDoS Disruption Attempts."
May 05, 2001

The NIPC has received reliable information indicating ongoing attempts to disrupt web access to several sites. The activity has been seen from several networks, and consists entirely of fragmented large UDP packets directed at port 80. Analysis indicates that this activity may be intended to bypass standard port/protocol blocking techniques, as certain major routing equipment manufacturer's products will block the first fragment of a large UDP packet, but may not block subsequent packets, thereby permitting the denial of service to continue.

Systems and network administrators are advised to inspect their facilities (i.e., firewall logs) for the presence of fragmented UDP packets directed at port 80. Inbound packets of this type indicate that a denial of service to the network in question may be underway. Outbound packets of this type indicate that there is a high likelihood that system(s) on the network in question are compromised and that DDoS tools are installed. Attempting to block this traffic at the IP-only level (as opposed to protocol-specific level like UDP) may have improved effectiveness.

Additionally, the NIPC has made available the "Find DDoS" tool to determine if your computer has been infected by a DDoS agent. The tool may be downloaded from:

www.nipc.gov/warnings/advisories/2000/00-55.htm

Recipients of this alert are encouraged to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch@fbi.gov.