From: Ng Pheng Siong <ngps@cbn.com.sg>
Date: Mon, 8 Jan 96 05:49:26 PST
To: John Young <jya@pipeline.com>
Subject: Re: Toad Hop
In-Reply-To: <199601072043.PAA14996@pipe4.nyc.pipeline.com>
Message-ID: <Pine.SOL.3.91.960108212644.29684A-100000@cbn.cbn.com.sg>
MIME-Version: 1.0
Content-Type: text/plain


On Sun, 7 Jan 1996, John Young wrote:
> Quoting some body:
>    On Christmas Day 1994 the attack begins.
> 
>    First, the intruder breaks into a California Internet site
>    that bears the cryptic name toad.com. Working from this
>    machine, the intruder issues seven commands to see who's
>    logged on to Shimomura's workstation, and if he's sharing
>    files with other machines.

From Shimomura's mail last January:

: The IP spoofing attack started at about 14:09:32 PST on 12/25/94.  The first
: probes were from toad.com (this info derived from packet logs):
: 
: 14:09:32 toad.com# finger -l @target
: 14:10:21 toad.com# finger -l @server
: 14:10:50 toad.com# finger -l root@server
: 14:11:07 toad.com# finger -l @x-terminal
: 14:11:38 toad.com# showmount -e x-terminal
: 14:11:49 toad.com# rpcinfo -p x-terminal
: 14:12:05 toad.com# finger -l root@x-terminal

>    Then the automatic spoofing attack begins. It will all be
>    over in sixteen seconds. The prediction packet attack
>    program fires off a flurry of packets to busy out the
>    trusted Internet server so it can't respond. Next, the
>    program sends twenty more packets to Shimomura's UNIX
>    workstation.

Again, quoting Shimomura's mail:

: About six minutes later, we see a flurry of TCP SYNs (initial connection
: requests) from 130.92.6.97 to port 513 (login) on server...
: 130.92.6.97 appears to be a random (forged) unused address (one that will 
: not generate any response to packets sent to it)...

Given that this was a _spoofing_ attack, mayhaps the packets from toad.com 
were also forgeries. Anyone in the know?


- PS
--
Ng Pheng Siong <ngps@pacific.net.sg>
NetCentre Pte Ltd * Singapore

Finger for PGP key.