Security Incidents mailing list archives
Re: TCP connections to port 1024 - DDoS?
From: Mike Lewinski <mike () ROCKYNET COM>
Date: Wed, 25 Oct 2000 10:02:23 -0600
"Dave Dittrich" <dittrich () cac washington edu> wrote:
> I don't think those are connection attempts, rather the result of SYN flooding using your DNS (or mail, or whatever) server:

I agree that's possible, and have been wondering if we're not seeing the fallout from other attacks. However, we've been seeing this pretty regularly (every couple hours or more frequently), for weeks now, so these hosts must be under almost _continuous_ attack (I'm assuming that the kiddies are cycling through a list of known good hosts whose addresses they're forging).... it does seem that each new round is aimed at a different address on our net.

Is it possible to use an ACL to block this at the border (without interfering with other services)? If so, what would that look like? Obviously we can't just block port 1024.

Also, FWIW, I can't say that I've seen any privileged source ports (less than 1024) on these. But with SYN floods that's what you want to do, right? Something's still not completely adding up here...

Mike

P.S. Here's another partial dump, this time with the payload (nothing interesting that I can see when it's decoded). This came in just moments ago....

09:45:49.008009 64.37.200.46.36169 > x.y.z.z.1024: S 44474017:44474017(0) ack 44474016 win 4128 <mss 536>
4500 002c 0000 0000 f706 14c9 4025 c82e cea8 d806 8d49 0400 02a6 9ea1 02a6 9ea0 6012 1020 08b8 0000 0204 0218 0000
09:45:49.008076 64.37.200.46.36170 > x.y.z.z.1024: S 44474018:44474018(0) ack 44474017 win 4128 <mss 536>
4500 002c 0000 0000 f706 14c9 4025 c82e cea8 d806 8d4a 0400 02a6 9ea2 02a6 9ea1 6012 1020 08b5 0000 0204 0218 0000
09:45:49.008143 64.37.200.46.36171 > x.y.z.z.1024: S 44474019:44474019(0) ack 44474018 win 4128 <mss 536>
4500 002c 0000 0000 f706 14c9 4025 c82e cea8 d806 8d4b 0400 02a6 9ea3 02a6 9ea2 6012 1020 08b2 0000 0204 0218 0000
09:45:49.027889 209.249.97.40.33067 > x.y.z.z.1024: S 16434398:16434398(0) ack 16434397 win 4128 <mss 536>
4500 002c 0000 0000 f606 eafa d1f9 6128 cea8 d806 812b 0400 00fa c4de 00fa c4dd 6012 1020 a0e5 0000 0204 0218 0000
09:45:49.028283 209.249.97.40.33068 > x.y.z.z.1024: S 16434399:16434399(0) ack 16434398 win 4128 <mss 536>
4500 002c 0000 0000 f606 eafa d1f9 6128 cea8 d806 812c 0400 00fa c4df 00fa c4de 6012 1020 a0e2 0000 0204 0218 0000
09:45:49.028351 209.249.97.40.33069 > x.y.z.z.1024: S 16434400:16434400(0) ack 16434399 win 4128 <mss 536>
4500 002c 0000 0000 f606 eafa d1f9 6128 cea8 d806 812d 0400 00fa c4e0 00fa c4df 6012 1020 a0df 0000 0204 0218 0000
09:45:49.036532 64.14.200.154.14033 > x.y.z.z.1024: S 45017479:45017479(0) ack 45017478 win 4128 <mss 536>
4500 002c 0000 0000 f606 1574 400e c89a cea8 d806 36d1 0400 02ae e987 02ae e986 6012 1020 c8fe 0000 0204 0218 0000
09:45:49.036599 64.14.200.154.14034 > x.y.z.z.1024: S 45017480:45017480(0) ack 45017479 win 4128 <mss 536>
4500 002c 0000 0000 f606 1574 400e c89a cea8 d806 36d2 0400 02ae e988 02ae e987 6012 1020 c8fb 0000 0204 0218 0000
09:45:49.036667 64.14.200.154.14035 > x.y.z.z.1024: S 45017481:45017481(0) ack 45017480 win 4128 <mss 536>
4500 002c 0000 0000 f606 1574 400e c89a cea8 d806 36d3 0400 02ae e989 02ae e988 6012 1020 c8f8 0000 0204 0218 0000
09:45:49.085012 194.205.125.26.45915 > x.y.z.z.1024: S 8956673:8956673(0) ack 8956672 win 4128 <mss 536>
4500 002c 0000 0000 f606 de34 c2cd 7d1a cea8 d806 b35b 0400 0088 ab01 0088 ab00 6012 1020 968d 0000 0204 0218 0000
09:45:49.085079 194.205.125.26.45916 > x.y.z.z.1024: S 8956674:8956674(0) ack 8956673 win 4128 <mss 536>
4500 002c 0000 0000 f606 de34 c2cd 7d1a cea8 d806 b35c 0400 0088 ab02 0088 ab01 6012 1020 968a 0000 0204 0218 0000
09:45:49.085146 194.205.125.26.45917 > x.y.z.z.1024: S 8956675:8956675(0) ack 8956674 win 4128 <mss 536>
4500 002c 0000 0000 f606 de34 c2cd 7d1a cea8 d806 b35d 0400 0088 ab03 0088 ab02 6012 1020 9687 0000 0204 0218 0000
09:45:49.107476 62.26.119.34.35050 > x.y.z.z.1024: S 40162541:40162541(0) ack 40162540 win 4128 <mss 536>
4500 002c 0000 0000 f506 69e0 3e1a 7722 cea8 d806 88ea 0400 0264 d4ed 0264 d4ec 6012 1020 f419 0000 0204 0218 0000
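An added example, not from this post or anyone in the thread: it decodes the hex words above as IPv4/TCP headers, checks that the flags word (the "6012" in every packet) carries exactly SYN+ACK, and classifies such unsolicited replies as backscatter from a SYN flood that spoofed the site's address, which is what the quoted explanation predicts. The function names and the set of outbound connections are assumptions for the example.

```python
import struct

# Constructed sample: the first and fourth packets from the dump above, exactly
# as tcpdump printed them; the trailing "0000" is link-layer padding past the IP
# total length, which the parser trims.
SAMPLE_PACKETS = [
    "4500 002c 0000 0000 f706 14c9 4025 c82e cea8 d806 8d49 0400 "
    "02a6 9ea1 02a6 9ea0 6012 1020 08b8 0000 0204 0218 0000",
    "4500 002c 0000 0000 f606 eafa d1f9 6128 cea8 d806 812b 0400 "
    "00fa c4de 00fa c4dd 6012 1020 a0e5 0000 0204 0218 0000",
]
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode a tcpdump -x style IPv4/TCP header dump (no link-layer header)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    raw = raw[: struct.unpack("!H", raw[2:4])[0]]      # honour IP total length
    tcp = raw[ihl:]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    mss, i, opts = 0, 0, tcp[20:(off_flags >> 12) * 4]  # data offset -> options
    while i < len(opts) and opts[i] != 0:           # kind 0 ends the option list
        if opts[i] == 1:                             # kind 1 is a one-byte NOP
            i += 1
            continue
        if opts[i] == 2 and opts[i + 1] == 4:        # kind 2 is MSS (length 4)
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return {
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": win, "mss": mss,
    }


def is_synflood_backscatter(pkt: dict, our_outbound_syns: set) -> bool:
    """SYN+ACK only, answering a SYN this host never sent: the reply to a flood
    packet that spoofed our address. our_outbound_syns holds (peer_ip, peer_port,
    local_port) tuples of the connections we actually opened (assumed tracking)."""
    solicited = (pkt["src"], pkt["sport"], pkt["dport"]) in our_outbound_syns
    return pkt["flags"] == (TCP_SYN | TCP_ACK) and not solicited


def forged_syn_isn(pkt: dict) -> int:
    """A SYN/ACK acknowledges ISN+1, so this is the sequence number in the forged SYN."""
    return pkt["ack"] - 1
```

Run over the whole dump, every packet decodes to flags 0x12 with the same window and MSS, and none matches a connection the host opened.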