[WarpCast] Hobbes attacked by spoofed 0.0.0.0 - 5/13/99




****************************** WarpCast ******************************
Source: Peter Skye (pskye@peterskye.com)
Moderator: Christopher B. Wright (wrightc@dtcweb.com)
**********************************************************************
 
Josh Shagam, the Hobbes site administrator, posted this to 
the Hobbes message line early Thursday morning.  (The 
message line appears when you run a Quick Search.  
http://hobbes.nmsu.edu/)  I *think* the "w4demo.zip" file 
utilized by the attacker is the OS/2 Warp 4 demonstration 
that runs on Windows.

-----

(05/13/1999) I should be happy because I'm done with all my 
finals. I'm not, however, as someone's been exploiting the 
sheer size of certain files to basically cause a DoS of 
Hobbes (and, as such, I had to temporarily 'remove'
w4demo in /pub/incoming). Does anyone know how to stop 
spoofed IP addresses, particularly when the address which 
is being spoofed is 0.0.0.0? To reject 0.0.0.0 would be to 
reject oneself, and that path leads only to self-hatred. 
I'd hate to think that someone were trying to maliciously 
cripple Hobbes, but the following snippet of the access-log 
(which is just four lines out of hundreds/thousands) tells 
me otherwise:

0.0.0.0 - - [13/May/1999:01:35:45 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:45 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:46 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:46 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09

Please, no conspiracy theories about certain 
tool-challenged OS vendors trying to use a demo of a 
superior OS against its own best file archive in a bitter 
streak of poetic quasi-justice. I'd just like to know how 
to keep this from continuing to happen. Anyone have 
experience with configuring ICS to block IP addresses, for 
example? So far I haven't figured out how to do that (and 
I've been using ICS for what, 2.5 years now?) though it's 
trivial to do in Apache. *sigh* politics...






----------------------------------------------------------------------
To subscribe, unsubscribe, or for more information on
WarpCast, visit: http://www.warpcast.com/
----------------------------------------------------------------------
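
Added example, not part of the original WarpCast post or of any Hobbes tooling: a small access-log triage script that flags source addresses which cannot be a real remote peer (such as 0.0.0.0) and counts same-second repeats of one file, using the four entries quoted above. The function names, the one-per-second threshold and the 192.0.2.10 line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the four entries quoted above (re-joined, truncated tail
# kept as posted) plus one made-up ordinary request for contrast.
SAMPLE_LOG = """\
0.0.0.0 - - [13/May/1999:01:35:45 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:45 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:46 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
0.0.0.0 - - [13/May/1999:01:35:46 +0700] "GET /pub/incoming/w4demo.zip HTTP/1.09
192.0.2.10 - - [13/May/1999:01:35:46 +0700] "GET /pub/os2/index.html HTTP/1.0" 200 5120
"""

# Host, timestamp, method and path only; the rest of the line is optional
# because the quoted entries are cut off after the protocol token.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(log_text):
    """Yield (host, timestamp, path) for each parsable access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(4)

def is_implausible_source(host):
    """True for addresses that cannot be a real remote peer on the Internet."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname in the log, not an address
    return ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_reserved

def summarize(log_text, per_second_limit=1):
    """Return (implausible-source hit counts, bursts over the per-second limit)."""
    bad_sources, per_second = Counter(), Counter()
    for host, ts, path in parse(log_text):
        if is_implausible_source(host):
            bad_sources[host] += 1
        per_second[(host, path, ts)] += 1
    bursts = {k: n for k, n in per_second.items() if n > per_second_limit}
    return bad_sources, bursts

if __name__ == "__main__":
    sources, bursts = summarize(SAMPLE_LOG)
    print("implausible sources:", dict(sources))
    for (host, path, ts), n in sorted(bursts.items()):
        print(f"{n} requests in one second: {host} {path} at {ts}")
```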

WarpCast Archives - Courtesy of VOICE International