================================================================
This example incident report is void - for testing purposes only
================================================================

From: Person1 Surname1
Organization: Organization2
To: CERT
Subject: DoS (flooding) against our network from 10.30.145.0/24
Date: Thu, 28 Jun 2001 12:23:38 +0200

Dear Sir / Madam,

Our intrusion detection facilities have detected a Denial of Service attack from your network against one of our Dial-In customers. Because this IP data flooding could also affect our infrastructure, we take this matter very seriously and would appreciate your help in resolving it.

We suppose that one of your systems was hacked and is now used for this DoS attack, using IP spoofing of the local network to hide its true identity, or that it is a DDoS from all systems of the logged network.

The source of this flooding was:

* 10.30.145.0/24

The DoS attack started on Monday morning and is still running. At the end of this message you will find some examples from our log file. The timezone is UTC/GMT.

Please take the appropriate actions immediately and get back to us when you have some feedback on it.
Best regards,
Person1 Surname1

--
Person1 Surname1
Security Manager of Organization2
Tel/Fax: +00 22 44 55 22
e-mail: PS@organization2.es

---------logs-------------
Jun 27 14:02:15.167: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.177(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:16.187: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.81(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:17.187: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.124(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:19.203: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.8(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:20.203: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.173(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:21.227: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.180(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
--------------------------

traffic statistic during Jun 27, 19:30 to 19:45 (approximately 15 minutes of log time):

number of packets   source IP
-----------------   -------------
                5   10.30.145.4
               11   10.30.145.5
                4   10.30.145.8
                4   10.30.145.9
                7   10.30.145.12
               11   10.30.145.81
                6   10.30.145.116
                4   10.30.145.117
                8   10.30.145.120
                4   10.30.145.121
                5   10.30.145.124
                5   10.30.145.125
                5   10.30.145.128
                6   10.30.145.129
                5   10.30.145.132
                8   10.30.145.133
                7   10.30.145.136
                7   10.30.145.137
                9   10.30.145.140
                8   10.30.145.141
                9   10.30.145.144
                6   10.30.145.145
                6   10.30.145.148
                6   10.30.145.149
                6   10.30.145.152
                8   10.30.145.153
               10   10.30.145.156
                4   10.30.145.157
                7   10.30.145.160
                8   10.30.145.161
                7   10.30.145.164
                7   10.30.145.165
                9   10.30.145.168
                5   10.30.145.169
                6   10.30.145.172
                3   10.30.145.173
                4   10.30.145.176
               12   10.30.145.177
               12   10.30.145.180
                5   10.30.145.181
                5   10.30.145.184
                7   10.30.145.185
                6   10.30.145.188
                7   10.30.145.189
                5   10.30.145.192
                2   10.30.145.193
                9   10.30.145.196
               10   10.30.145.197
                4   10.30.145.200
                8   10.30.145.201
                5   10.30.145.204
                4   10.30.145.205
                6   10.30.145.208
                4   10.30.145.209
                6   10.30.145.212
                6   10.30.145.213
                7   10.30.145.216
                4   10.30.145.217
                7   10.30.145.220
                4   10.30.145.221
               10   10.30.145.224
                5   10.30.145.225
                5   10.30.145.228
                9   10.30.145.229
               12   10.30.145.232
                6   10.30.145.233
                4   10.30.145.236
                7   10.30.145.237
                9   10.30.145.240
               11   10.30.145.241
                5   10.30.145.244
                3   10.30.145.245
                7   10.30.145.248
                6   10.30.145.249
                6   10.30.145.252
                5   10.30.145.253
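The kind of triage a receiving CERT would do on a report like this, as an added example that is not part of the report: it parses the %SEC-6-IPACCESSLOGP lines quoted above, rebuilds the per-source packet count the report tabulates, and separates any source that falls outside the reported 10.30.145.0/24 prefix. The sample input is constructed from four lines of the report plus two made-up lines (a multi-packet summary and an out-of-prefix source); the regex and function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Cisco IOS ACL log line as in the report, e.g. "... %SEC-6-IPACCESSLOGP: list 169
# permitted tcp 10.30.145.177(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:.]+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) (?:\(.*?\) )?-> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample: four lines copied from the report plus two made-up lines
# (a multi-packet summary and a source outside the reported /24).
SAMPLE_LOG = """\
Jun 27 14:02:15.167: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.177(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:16.187: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.81(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:17.187: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.124(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:02:19.203: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.8(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
Jun 27 14:07:20.203: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 10.30.145.177(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 3 packets
Jun 27 14:07:21.227: %SEC-6-IPACCESSLOGP: list 169 permitted tcp 192.0.2.10(0) (POS5/0/0 *PPP*) -> 172.16.30.143(0), 1 packet
"""

def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def triage(log_text, reported_net):
    """Packets per source, split into sources inside/outside the reported prefix."""
    net = ipaddress.ip_network(reported_net)
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = inside if ipaddress.ip_address(rec["src"]) in net else outside
        bucket[rec["src"]] += rec["count"]
    return {"inside": inside, "outside": outside,
            "distinct_sources": len(inside),  # many hosts (DDoS) vs one spoofing host
            "total_packets": sum(inside.values())}
```

The number of distinct in-prefix sources is the figure that distinguishes the report's two hypotheses (one compromised host spoofing its neighbours versus many hosts), and anything landing in "outside" is evidence the report's stated source range is incomplete.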