Security Incidents mailing list archives

Re: TCP connections to port 1024 - DDoS?

From: Mike Lewinski <mike () ROCKYNET COM>
Date: Wed, 25 Oct 2000 10:02:23 -0600

"Dave Dittrich" <dittrich () cac washington edu> wrote:

I don't think those are connection attempts, rather the result of
SYN flooding using your DNS (or mail, or whatever) server:


I agree that's possible, and have been wondering if we're not seeing the
fallout from other attacks. However, we've been seeing this pretty regularly
(every couple hours or more frequently), for weeks now, so these hosts must
be under almost _continuous_ attack (I'm assuming that the kiddies are
cycling through a list of known good hosts who's addresses they're
forging).... it does seem that each new round is aimed at a different
address on our net.

Is it possible to use an ACL to block this at the border (without
interfering with other services)? If so, what would that look like?
Obviously we can't just block port 1024. Also, FWIW, I can't say that I've
seen any privileged source ports (less than 1024) on these. But with SYN
floods that's what you want to do, right? Something's still not completely
adding up here...

Mike


P.S. Here's another partial dump, this time with the payload (nothing
interesting that I can see when its decoded). This came in just moments
ago....

09:45:49.008009 64.37.200.46.36169 > x.y.z.z.1024:
S 44474017:44474017(0) ack 44474016 win 4128 <mss 536>
                         4500 002c 0000 0000 f706 14c9 4025 c82e
                         cea8 d806 8d49 0400 02a6 9ea1 02a6 9ea0
                         6012 1020 08b8 0000 0204 0218 0000

09:45:49.008076 64.37.200.46.36170 > x.y.z.z.1024:
S 44474018:44474018(0) ack 44474017 win 4128 <mss 536>
                         4500 002c 0000 0000 f706 14c9 4025 c82e
                         cea8 d806 8d4a 0400 02a6 9ea2 02a6 9ea1
                         6012 1020 08b5 0000 0204 0218 0000

09:45:49.008143 64.37.200.46.36171 > x.y.z.z.1024:
S 44474019:44474019(0) ack 44474018 win 4128 <mss 536>
                         4500 002c 0000 0000 f706 14c9 4025 c82e
                         cea8 d806 8d4b 0400 02a6 9ea3 02a6 9ea2
                         6012 1020 08b2 0000 0204 0218 0000

09:45:49.027889 209.249.97.40.33067 > x.y.z.z.1024:
S 16434398:16434398(0) ack 16434397 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 eafa d1f9 6128
                         cea8 d806 812b 0400 00fa c4de 00fa c4dd
                         6012 1020 a0e5 0000 0204 0218 0000

09:45:49.028283 209.249.97.40.33068 > x.y.z.z.1024:
S 16434399:16434399(0) ack 16434398 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 eafa d1f9 6128
                         cea8 d806 812c 0400 00fa c4df 00fa c4de
                         6012 1020 a0e2 0000 0204 0218 0000

09:45:49.028351 209.249.97.40.33069 > x.y.z.z.1024:
S 16434400:16434400(0) ack 16434399 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 eafa d1f9 6128
                         cea8 d806 812d 0400 00fa c4e0 00fa c4df
                         6012 1020 a0df 0000 0204 0218 0000

09:45:49.036532 64.14.200.154.14033 > x.y.z.z.1024:
S 45017479:45017479(0) ack 45017478 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 1574 400e c89a
                         cea8 d806 36d1 0400 02ae e987 02ae e986
                         6012 1020 c8fe 0000 0204 0218 0000

09:45:49.036599 64.14.200.154.14034 > x.y.z.z.1024:
S 45017480:45017480(0) ack 45017479 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 1574 400e c89a
                         cea8 d806 36d2 0400 02ae e988 02ae e987
                         6012 1020 c8fb 0000 0204 0218 0000

09:45:49.036667 64.14.200.154.14035 > x.y.z.z.1024:
S 45017481:45017481(0) ack 45017480 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 1574 400e c89a
                         cea8 d806 36d3 0400 02ae e989 02ae e988
                         6012 1020 c8f8 0000 0204 0218 0000

09:45:49.085012 194.205.125.26.45915 > x.y.z.z.1024:
S 8956673:8956673(0) ack 8956672 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 de34 c2cd 7d1a
                         cea8 d806 b35b 0400 0088 ab01 0088 ab00
                         6012 1020 968d 0000 0204 0218 0000

09:45:49.085079 194.205.125.26.45916 > x.y.z.z.1024:
S 8956674:8956674(0) ack 8956673 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 de34 c2cd 7d1a
                         cea8 d806 b35c 0400 0088 ab02 0088 ab01
                         6012 1020 968a 0000 0204 0218 0000

09:45:49.085146 194.205.125.26.45917 > x.y.z.z.1024:
S 8956675:8956675(0) ack 8956674 win 4128 <mss 536>
                         4500 002c 0000 0000 f606 de34 c2cd 7d1a
                         cea8 d806 b35d 0400 0088 ab03 0088 ab02
                         6012 1020 9687 0000 0204 0218 0000

09:45:49.107476 62.26.119.34.35050 > x.y.z.z.1024:
S 40162541:40162541(0) ack 40162540 win 4128 <mss 536>
                         4500 002c 0000 0000 f506 69e0 3e1a 7722
                         cea8 d806 88ea 0400 0264 d4ed 0264 d4ec
                         6012 1020 f419 0000 0204 0218 0000

Current thread:

TCP connections to port 1024 - DDoS? Abe Getchell (Oct 24)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 25)
  - Re: TCP connections to port 1024 - DDoS? Corey Merchant (Oct 26)
  - Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 26)
    - Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 26)
- <Possible follow-ups>
- Re: TCP connections to port 1024 - DDoS? Abe Getchell (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 25)
  - Re: TCP connections to port 1024 - DDoS? Arrigo Triulzi (Oct 26)
    - Re: TCP connections to port 1024 - DDoS? Peter Gamache (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Bowman, Kevin (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 28)