Security Incidents mailing list archives

Synflooders


From: "A.L.Lambert" <alambert () SECURITYREALM COM>
Date: Wed, 28 Mar 2001 12:55:01 -0600

        Hrmmm... this would upset me if it was doing any kind of harm.
Someone is attempting to ddos one of my network segments, and having (so
far) no luck with it.  I find this extremely annoying, due to the huge
number of IDS alerts this is creating.

        According to the IDS, the attack is a Shaft-based synflood (which,
for lack of a better explanation, I'd believe).  Whatever it is, it seems
well coordinated to hide the 'real' source IP addresses.  I've got a list
of well over 5,000 source IPs already (it seems I've only gotten duplicate
packets from less than half the sources; most, it appears, are unique IPs,
although large chunks of them are within the same ranges).

        A decoded packet sample is below; change the source IP and source
port (which seems to hover in the 1000-1048 range so far) and you know what
all of them look like.

03/28-12:16:12.752315 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3C 187.236.155.39:1024 -> x.x.x.x:80 TCP TTL:20 TOS:0x0 ID:28632
IpLen:20 DgmLen:40 ******S* Seq: 0x28374839 Ack: 0x0 Win: 0xFFFF
TcpLen: 20

        Anyone who knows anything about the Shaft DDoS tool: I would
appreciate some insight into what kind of clues I might have in my packet
dumps and log records as to the true origin of this attack (or even a
good lead on how to track down one of the hosts running the DDoS tool
where I could start my back-tracking).  I've got a pretty good record of
the attack, so if there is any information not included here that would
help, just let me know.  Thanks in advance.
        
        Cheers!

--
A.L.Lambert
------------------------------------------------------------------------
The problems that exist in the world today cannot be solved by the level
of thinking that created them...
        -Einstein
------------------------------------------------------------------------
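The post's sample packet, together with the remark that only the source IP and source port change between packets, gives a per-incident fingerprint (SYN-only flags, Seq 0x28374839, Ack 0, Win 0xFFFF, TTL 20, DgmLen 40) that can be used to separate the flood from legitimate SYNs and to see how the spoofed sources cluster. The following Python is an added example written for this archive page, not code from the original poster or from the Shaft tool; it parses records in Snort's decoded-packet layout (undoing the line wrapping), matches them against that fingerprint, and reports unique versus repeating sources, the source-port span, how many distinct IP IDs appear, and the busiest /24 prefixes. The five records in SAMPLE_LOG are constructed for the example (192.0.2.10 stands in for the post's x.x.x.x), and whether the IP ID or any other field really stays constant across the actual capture is an assumption to be checked against the real logs.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample records (not from the post) in Snort's decoded-packet
# layout; four flood packets matching the post's sample, one ordinary SYN.
SAMPLE_LOG = """\
03/28-12:16:12.752315 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3C 187.236.155.39:1024 -> 192.0.2.10:80 TCP TTL:20 TOS:0x0 ID:28632
IpLen:20 DgmLen:40 ******S* Seq: 0x28374839 Ack: 0x0 Win: 0xFFFF TcpLen: 20

03/28-12:16:12.752401 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3C 187.236.155.201:1031 -> 192.0.2.10:80 TCP TTL:20 TOS:0x0 ID:28632
IpLen:20 DgmLen:40 ******S* Seq: 0x28374839 Ack: 0x0 Win: 0xFFFF TcpLen: 20

03/28-12:16:12.752512 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3C 187.236.155.39:1025 -> 192.0.2.10:80 TCP TTL:20 TOS:0x0 ID:28632
IpLen:20 DgmLen:40 ******S* Seq: 0x28374839 Ack: 0x0 Win: 0xFFFF TcpLen: 20

03/28-12:16:12.752640 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3C 45.12.9.7:1048 -> 192.0.2.10:80 TCP TTL:20 TOS:0x0 ID:28632
IpLen:20 DgmLen:40 ******S* Seq: 0x28374839 Ack: 0x0 Win: 0xFFFF TcpLen: 20

03/28-12:16:13.104877 0:1:42:BB:EE:C1 -> 2:E0:52:34:75:3A type:0x800
len:0x3A 198.51.100.23:54321 -> 192.0.2.10:80 TCP TTL:52 TOS:0x0 ID:4411
IpLen:20 DgmLen:44 ******S* Seq: 0x9A3F1C02 Ack: 0x0 Win: 0x4000 TcpLen: 24
"""

# One decoded Snort record after its wrapped lines are joined with spaces.
RECORD_RE = re.compile(
    r"(?P<ts>\S+) \S+ -> \S+ type:0x800 len:\S+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<id>\d+) IpLen:\d+ DgmLen:(?P<dgmlen>\d+) "
    r"(?P<flags>\S+) Seq: (?P<seq>0x[0-9A-Fa-f]+) Ack: (?P<ack>0x[0-9A-Fa-f]+) "
    r"Win: (?P<win>0x[0-9A-Fa-f]+) TcpLen: (?P<tcplen>\d+)"
)

# Fields that, per the post, do not change between flood packets.
FLOOD_FINGERPRINT = {
    "flags": "******S*", "seq": 0x28374839, "ack": 0x0,
    "win": 0xFFFF, "ttl": 20, "dgmlen": 40, "tcplen": 20,
}


def parse_records(text):
    """Split a decoded-packet log into records (blank-line separated) and
    return one dict per record with numeric fields converted."""
    packets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(block.split())  # undo Snort's 80-column wrapping
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a TCP decoded-packet record; skip it
        pkt = m.groupdict()
        for key in ("sport", "dport", "ttl", "id", "dgmlen", "tcplen"):
            pkt[key] = int(pkt[key])
        for key in ("seq", "ack", "win"):
            pkt[key] = int(pkt[key], 16)
        packets.append(pkt)
    return packets


def matches_flood(pkt, fingerprint=FLOOD_FINGERPRINT):
    """True when every constant header field equals the flood fingerprint."""
    return all(pkt[key] == value for key, value in fingerprint.items())


def summarize(packets, fingerprint=FLOOD_FINGERPRINT):
    """Count flood packets and describe how the (spoofed) sources cluster."""
    flood = [p for p in packets if matches_flood(p, fingerprint)]
    per_source = Counter(p["src"] for p in flood)
    # Group sources by /24 to expose the "large chunks in the same ranges".
    prefixes = Counter(
        str(ip_network(p["src"] + "/24", strict=False)) for p in flood
    )
    sports = [p["sport"] for p in flood]
    return {
        "total": len(packets),
        "flood": len(flood),
        "unique_sources": len(per_source),
        "repeat_sources": sum(1 for n in per_source.values() if n > 1),
        "sport_range": (min(sports), max(sports)) if sports else None,
        "distinct_ip_ids": len({p["id"] for p in flood}),
        "top_prefixes": prefixes.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against a full capture, the interesting outputs are the /24 clusters and any further header fields (IP ID, TTL) that stay fixed across thousands of distinct "sources": fields that a normal host population would vary are evidence of a single generator, and are what to carry to upstream providers when asking them to trace the spoofed traffic back.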

