Security Incidents mailing list archives
Re: Port 80 SYN flood-like behavior
From: John Elliott <johne () trifidtech ca>
Date: Thu, 14 Feb 2002 00:10:21 -0500
On February 13, 2002 22:58 pm, Dave Dittrich wrote: [snip]
This attack used a variation of a TCP based reflection attack that is not widely known to exist in the wild. Steve's early analysis of the attack is included below (Appendix A). While there may be a new (D)DoS program "in the wild" to implement this attack, the risks and methods have been known for two or more years and some simple modifications to existing tools, and a good list of high-capacity routers, switches, and servers, could effect an attack of this type.
I have two web servers on different networks that have been receiving this type of traffic for the last 2 or 3 weeks. The same source IPs hit both hosts at about the same time. This is low rate traffic and generates ACKs back to the target. I have been logging this activity for about two weeks and have captured some of the packets. I suspect that more than one machine has the same reflector host list based on the varying times of day when activity occurs.

A partial solution is for network operators (more likely ISPs) to do egress filtering to ensure that only IP source addresses that belong to their network leave their network.

John Elliott

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
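The cross-host correlation described in the message above (the same sources sending SYNs to web servers on different networks at about the same time, with no completed handshake) can be checked from packet logs. The following is an added example, not part of the original post; the log format, sensor names, addresses and the 60-second window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the post): inbound TCP segments logged at two
# web servers, one per line: "timestamp sensor src_ip dst_port flags".
SAMPLE_LOG = """\
2002-02-13T21:00:01 web1 192.0.2.10 80 S
2002-02-13T21:00:03 web2 192.0.2.10 80 S
2002-02-13T21:00:04 web1 192.0.2.10 80 R
2002-02-13T21:00:09 web1 198.51.100.7 80 S
2002-02-13T21:00:09 web1 198.51.100.7 80 A
2002-02-13T21:05:30 web1 203.0.113.5 80 S
2002-02-13T23:40:00 web2 203.0.113.5 80 S
"""

def parse(log):
    for line in log.splitlines():
        ts, sensor, src, dport, flags = line.split()
        yield datetime.fromisoformat(ts), sensor, src, int(dport), flags

def half_open_syns(log, port=80):
    """Return {src: {sensor: [SYN times]}} for handshakes the source never completed."""
    syns = defaultdict(lambda: defaultdict(list))
    completed = set()
    for ts, sensor, src, dport, flags in parse(log):
        if dport != port:
            continue
        if flags == "S":
            syns[src][sensor].append(ts)
        elif "A" in flags:  # assumption: any ACK from the source completes the handshake
            completed.add((src, sensor))
    return {src: {s: t for s, t in per.items() if (src, s) not in completed}
            for src, per in syns.items()}

def correlated_sources(log, window=timedelta(seconds=60)):
    """Sources whose unanswered SYNs reached two different sensors within `window`."""
    flagged = set()
    for src, per in half_open_syns(log).items():
        events = sorted((t, s) for s, times in per.items() for t in times)
        # Any cross-sensor pair inside the window implies an adjacent one.
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged.add(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(correlated_sources(SAMPLE_LOG))
```

A source flagged here is most likely the spoofed address, that is, the target of the reflected traffic, so the result is a list to report upstream rather than a list to block.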