HELP! I am getting DOS attacks


wyvrn
08-05-2001, 09:24 AM
I am losing 90% of my bandwidth the last two days from DOS attacks. They come from a wide range of IP addresses (probably being spoofed; ZoneAlarm can't resolve a lot of them). I get an average of 1 ZoneAlarm alert per second. I accumulated 500 in just a few minutes. I did not have an antivirus on this machine, it is a new build. And ZA is not catching anything outgoing. I guess someone got my IP address, somebody I pissed off? I could reformat, but if they know my IP address anyway... Can I call @home and get a new IP lease?

Any help in dealing with it would be appreciated.

NDC
08-05-2001, 09:42 AM
Is your cable connection on static IP? If it's dynamic, you shouldn't have to worry about it. If you're using Win2k, just type ipconfig /all or winipcfg /all for Win98 and it will show you the IP lease term (how often the IP number changes).


Thanks for the correction, ^hyd^! Yes, I did make a booboo. Just been a while since I've used Win98. It's been about 3 years now and I try to stay away from it as far as possible!

[This message has been edited by NDC (edited 08-06-2001).]

flea
08-05-2001, 10:05 AM
Just a guess, but could it be the Code Red 2 virus?

"The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
http://slashdot.org/articles/01/08/05/0433219.shtml

Mntsnow
08-05-2001, 10:51 AM
Yes, I can concur with that info. I have been getting hit left and right from within my subnet as of late. I surely wish people would keep their servers a bit more up to date with the available security patches and such, but many don't do them (the patches) as they might require a reboot and they don't want to lose their "uptime", which I feel is a stupid reason overall.

Kuasimodem
08-05-2001, 11:42 AM
Is this why my cable modem and firewall are showing so many hits? I'm probably getting as many as 1-5 packets a second bouncing off the firewall, and it's been going on since yesterday afternoon. Luckily, the firewall is blocking the hits, so far.

Mntsnow
08-05-2001, 05:25 PM
Here is some additional info as well as a hopeful fix for those of us with Cisco routers:
http://forums.digitalmntsnow.com/topic.asp?TOPIC_ID=197&FORUM_ID=4&CAT_ID=3&Topic_Title=Code+Red+2+Alert%2E%2E%2E%2Eand+Possiable+Fix&Forum_Title=The+Lounge

Cody
08-05-2001, 05:30 PM
Boy, am I glad I haven't gotten any of those attempted attacks over my pinpipe (56k). My firewall (ipchains on SuSE 7.2) would have filtered it, but it still would have slowed me waay down.

BTW: SuSE Linux 7.2 Rules!

wyvrn
08-05-2001, 05:33 PM
Thanks for the info. ZoneAlarm shows 49 new warnings over the last few hours, so it has definitely slowed. This after I took off Win2k Server and installed Pro.

SpookyEddy
08-05-2001, 05:42 PM
Hi everyone,

I would be grateful if someone could shed some light on "CodeRed" for me. Is it really DoS attacking home users?

As far as I knew, the worm only executed DoS attacks against specific US government sites (although this would increase overall internet traffic to a certain level).

I was under the impression that the worm looks for a vulnerable service running as standard on Microsoft IIS (web) servers and performs a buffer overflow attack to gain access to the system. From there the worm searches for other vulnerable systems to exploit & then DoS's various websites at a pre-set time.

Surely this shouldn't disrupt most of us in a big way as we don't run IIS on our home machines.

Do I really need to be worried about Code Red?

TIA

Eddy

wyvrn
08-05-2001, 06:02 PM
I was running IIS on mine, though I had not really done anything with it yet.



[This message has been edited by wyvrn (edited 08-05-2001).]

^hyd^
08-06-2001, 12:00 AM
err, you made a booboo NDC! For Win98 it's winipcfg /all, not winipconfig!

ciao!



[This message has been edited by ^hyd^ (edited 08-05-2001).]

Wizzard~Of~Ozz
08-06-2001, 12:12 AM
This explains a lot. I was at my sister's and her Receive light was going nuts, so was Send, so I put in a firewall (ZoneAlarm) and started bouncing off about 1 per second from varying places, and had 2 portscans attempted (3400-4200). Then I installed Norton Antivirus and had to clean 200+ infected files with w32.funlove4099... guess any computers it can get into, it's dumping a virus; any others, it's pounding the lights out of them. BTW now it's just the Receive light that's going nuts.

SPEEDO
08-06-2001, 12:38 AM
I tried to go to more info on zone alarm and this is the first time that I could not get thru.
My alert popup window was going nuts.
I had to uncheck it so that I wouldn't have to click it every 10 seconds...

wyvrn
08-06-2001, 12:44 AM
Ok, I have reformatted my drive and reinstalled Win2k, with ZA before I even connected my NIC. Downloading F-PROT antivirus now. The bombardment has stopped, only 4 HTTP probes so far. No ICMP packets yet. It must have been the virus. Looks like my wife might have infected my computer yesterday when reading her email. She gets this sh** all the time from her friends that don't ever scan their computer. I just spent 30 minutes teaching her how to avoid viruses. I think I am going to write an email on the same thing and send it to all of her friends.

How does Code Red work? Nothing was outgoing, so did it send 1 packet with my IP addy out to a remote server? Or does it just hit every ip address in Class A and B at random?

As far as my cable modem goes, I almost always get the same IP address I had before on new leases.

[This message has been edited by wyvrn (edited 08-05-2001).]
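The pattern flea's quote describes (most of the 148 CR2 attempts coming from the poster's own Class B block) and wyvrn's question about whether the worm hits Class A and B addresses at random can both be checked from a firewall's inbound-connection log. The script below is an added example written for this thread, not code from any poster or from ZoneAlarm; the log format and the addresses in it are constructed for illustration, and `LOCAL_IP` is a placeholder for the monitored host's own cable-modem address. It tallies TCP/80 probes by whether the source shares the local /16 (Class B) or /8 (Class A) block and estimates the per-second alert rate the thread mentions.

```python
import ipaddress
from collections import Counter

# Placeholder for the monitored host's own address (constructed, not a real host).
LOCAL_IP = "24.17.82.9"

# Constructed inbound-connection log, "date time src dst proto/port"; this is an
# invented layout for the example, not ZoneAlarm's real log format.
SAMPLE_LOG = """\
2001-08-05 09:24:01 24.17.200.14 24.17.82.9 TCP/80
2001-08-05 09:24:01 24.17.33.250 24.17.82.9 TCP/80
2001-08-05 09:24:02 24.130.5.7 24.17.82.9 TCP/80
2001-08-05 09:24:02 24.17.9.41 24.17.82.9 TCP/80
2001-08-05 09:24:03 198.51.100.23 24.17.82.9 TCP/80
2001-08-05 09:24:03 24.17.77.3 24.17.82.9 TCP/80
2001-08-05 09:24:04 203.0.113.8 24.17.82.9 TCP/443
2001-08-05 09:24:04 24.200.1.1 24.17.82.9 TCP/80
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    date, time, src, dst, proto_port = line.split()
    proto, port = proto_port.split("/")
    return {"time": f"{date} {time}", "src": src, "dst": dst,
            "proto": proto, "port": int(port)}

def locality(src, local):
    """Classify a source address relative to the local Class B (/16) and Class A (/8)."""
    src_ip = ipaddress.ip_address(src)
    if src_ip in ipaddress.ip_network(f"{local}/16", strict=False):
        return "same_class_b"
    if src_ip in ipaddress.ip_network(f"{local}/8", strict=False):
        return "same_class_a"
    return "outside"

def summarize_http_probes(log_text, local_ip=LOCAL_IP):
    """Count inbound TCP/80 probes by locality and estimate probes per second."""
    counts = Counter()
    seconds = set()  # distinct timestamps that carried at least one TCP/80 probe
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["proto"] != "TCP" or rec["port"] != 80:
            continue  # only web-server probes are of interest here
        counts[locality(rec["src"], local_ip)] += 1
        seconds.add(rec["time"])
    total = sum(counts.values())
    return {"total": total,
            "same_class_b": counts["same_class_b"],
            "same_class_a": counts["same_class_a"],
            "outside": counts["outside"],
            "per_second": total / len(seconds) if seconds else 0.0}
```

A high share of probes from the local /16 and /8, as in the sample, is the signature of a worm that prefers nearby addresses rather than spoofed traffic aimed at one host.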