Security Incidents mailing list archives
Re: TCP connections to port 1024 - DDoS?
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Tue, 24 Oct 2000 15:11:45 -0700
On Mon, 23 Oct 2000, Mike Lewinski wrote:

I don't think those are connection attempts, rather the result of SYN flooding using your DNS (or mail, or whatever) server:

21:39:54.098092 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:54.118927 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>

Notice the "S" and "ack" on each line. TCP uses a three-way handshake, the start of which looks like this:

14:59:53.831500 eth0 < 192.168.0.1.1340 > 10.0.0.1.9999: S 283093600:283093600(0) win 32120 <mss 1460,sackOK,timestamp 11386673 0,nop,wscale 0> (DF)

[SYN packet with client's ISN]

14:59:53.831661 eth0 > 10.0.0.1.9999 > 192.168.0.1.1340: S 297222737:297222737(0) ack 283093601 win 32120 <mss 1460,sackOK,timestamp 92836380 11386673,nop,wscale 0> (DF)

[SYN|ACK, acknowledging client's ISN and giving server's ISN]

14:59:53.831961 eth0 < 192.168.0.1.1340 > 10.0.0.1.9999: . 1:1(0) ack 1 win 32120 <nop,nop,timestamp 11386673 92836380> (DF)
15:00:05.325797 eth0 < 192.168.0.1.1340 > 10.0.0.1.9999: P 1:8(7) ack 1 win 32120 <nop,nop,timestamp 11387822 92836380> (DF)
15:00:05.325962 eth0 > 10.0.0.1.9999 > 192.168.0.1.1340: . 1:1(0) ack 8 win 32120 <nop,nop,timestamp 92837529 11387822> (DF)

[ACK (sometimes with "P"ush bit set as well) packets back and forth after that, until RST or FIN]

What you are seeing are only the SYN|ACK packets. I think someone is DDoS flooding other sites, spoofing your systems' IP addresses and using DNS or SMTP/IMAP/whatever as the source port, and you are seeing the fallout. The "sources" of these packets would be the targets of the attack.

P.S. Whenever you see something strange, send in packet dumps of it. What you think you are seeing may not be what is actually happening, and the attackers may be victims themselves (or not involved at all in the case of source address forgery.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu           Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
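The test Dittrich applies by eye above (an "S" packet that also carries "ack" is the second leg of a handshake, and a SYN|ACK arriving for a SYN you never sent is backscatter from a flood that forged your address) can be mechanised over a capture. The following is an added example, not code from the thread: it parses the old one-line tcpdump format quoted in the post, names the handshake stage of each packet, and reports inbound SYN|ACKs for which no outbound SYN from one of your own hosts precedes them. The first two sample lines are the ones quoted from Mike Lewinski's capture; the remaining lines and the host set `{"x.y.z.z"}` are constructed for the example.

```python
import re
from collections import Counter

# tcpdump 3.x one-line text format, as quoted in the thread:
#   HH:MM:SS.usec [iface <|>] src.port > dst.port: FLAGS seq:seq(len) [ack N] win W [<opts>] [(DF)]
# The "eth0 <" / "eth0 >" column is optional; masked hosts such as "x.y.z.z" are accepted.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\S+\s+[<>]\s+)?"
    r"(?P<src>[\w.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?:(?P<seq>\d+):\d+\(\d+\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)"
)

# Constructed sample capture. Lines 1-2 are the ones quoted in the post; the
# rest are made up: one more SYN|ACK from the same sender, and a legitimate
# handshake that our host x.y.z.z initiated (so its SYN|ACK must NOT be flagged).
SAMPLE = """\
21:39:54.098092 64.37.200.46.42959 > x.y.z.z.1024: S 21101218:21101218(0) ack 21101217 win 4128 <mss 536>
21:39:54.118927 209.249.97.40.53307 > x.y.z.z.1024: S 23688402:23688402(0) ack 23688401 win 4128 <mss 536>
21:39:54.200113 64.37.200.46.42960 > x.y.z.z.1024: S 21101300:21101300(0) ack 21101299 win 4128 <mss 536>
21:40:01.000000 eth0 > x.y.z.z.1340 > 10.0.0.1.9999: S 283093600:283093600(0) win 32120 <mss 1460> (DF)
21:40:01.000200 eth0 < 10.0.0.1.9999 > x.y.z.z.1340: S 297222737:297222737(0) ack 283093601 win 32120 <mss 1460> (DF)
21:40:01.000400 eth0 > x.y.z.z.1340 > 10.0.0.1.9999: . 1:1(0) ack 1 win 32120 (DF)
"""


def parse(line):
    """Parse one tcpdump line into a dict of fields, or return None if it does not match."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "seq", "ack", "win"):
        pkt[key] = int(pkt[key]) if pkt[key] is not None else None
    return pkt


def classify(pkt):
    """Name the handshake stage from the flag letters and the presence of an ack field."""
    flags = pkt["flags"]
    if "S" in flags:
        # "S" alone is the client's SYN; "S" plus "ack" is the server's SYN|ACK.
        return "SYN|ACK" if pkt["ack"] is not None else "SYN"
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    return "PSH|ACK" if "P" in flags else "ACK"


def find_backscatter(lines, our_hosts):
    """Return inbound SYN|ACKs to our_hosts that no earlier outbound SYN of ours explains.

    A SYN|ACK answers a SYN. If the capture shows no SYN from (our host, port) to
    (sender, port) before it, someone else sent that SYN with our address forged,
    and the SYN|ACK is flood backscatter from the real victim.
    """
    syns_we_sent = set()
    backscatter = []
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        kind = classify(pkt)
        if kind == "SYN" and pkt["src"] in our_hosts:
            syns_we_sent.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        elif kind == "SYN|ACK" and pkt["dst"] in our_hosts:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key not in syns_we_sent:
                backscatter.append(pkt)
    return backscatter


def summarize(backscatter):
    """Count unsolicited SYN|ACKs per sender (the likely flood victims) and per
    local port (the source port the attacker wrote into the forged SYNs)."""
    victims = Counter(p["src"] for p in backscatter)
    spoofed_ports = Counter(p["dport"] for p in backscatter)
    return victims, spoofed_ports


if __name__ == "__main__":
    hits = find_backscatter(SAMPLE.splitlines(), {"x.y.z.z"})
    victims, ports = summarize(hits)
    for host, n in victims.most_common():
        print(f"{n:4d} unsolicited SYN|ACKs from {host} (probable flood target)")
    for port, n in ports.most_common():
        print(f"{n:4d} aimed at our port {port} (source port used in the forged SYNs)")
```

On the sample this reports the two quoted senders as probable flood targets and port 1024 as the forged source port, while the handshake that x.y.z.z itself opened to 10.0.0.1 is left alone. On a real capture, feed it the output of `tcpdump -n` on the affected host and put that host's addresses in `our_hosts`; senders that pile up in the first counter are the sites being flooded, which is who you would want to contact.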
Current thread:
- TCP connections to port 1024 - DDoS? Abe Getchell (Oct 24)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Corey Merchant (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 26)
- <Possible follow-ups>
- Re: TCP connections to port 1024 - DDoS? Abe Getchell (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 25)
- Re: TCP connections to port 1024 - DDoS? Arrigo Triulzi (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Peter Gamache (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Arrigo Triulzi (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Bowman, Kevin (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Turpin, Jason (Oct 26)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 27)
- Re: TCP connections to port 1024 - DDoS? Dave Dittrich (Oct 28)
- Re: TCP connections to port 1024 - DDoS? Mike Lewinski (Oct 25)