Security Incidents mailing list archives
Re: Port 80 SYN flood-like behavior
From: Thierry Zoller <support () sniff-em com>
Date: Fri, 15 Feb 2002 13:28:05 +0000 (GMT Standard Time)
<Enter Conspiracy Theory here ;)>
> I read that to mean that the intermediary was seeing reflected SYN {ACK|RST} packets directed at *different* targets over time (most attacks only last a few minutes at a time). In Steve's case, the attackers directed the attack only at grc.com for an extended period of time. Two different attackers, with two different MOs.

Ack, the question would then have to be: why choose dialups as the target, and if so, why only for a short period of time ("short" being relative to some)?

> Some attacks are directed at dialups, as well as end hosts. They usually are trying to take out an entire IRC channel's worth of clients, as well as the IRC servers, to do a "takeover".

Possible, but, as you will agree, you will find other attacks much more suitable than this one; why not SYN-flood them directly, for instance using dead hosts, so their resources are hogged (open-state connections)?

> Right. Spoofing is what allows the reflection to work. The reflection is blindly done against any of a number of services believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a router, as in Steve's case).

I doubt that whether the service is alive or not is of any importance here for the intended target (the target in Mr. Gibson's view); see [2]. If they chose a service which is alive, that shows that they intended to attack *that* server directly, since this is a way to hog its resources other than bandwidth (be it OS, stack, CPU) if no anti-SYN-flood mechanisms have been implemented.

> Some routers don't have all services running, so SYN RSTs are sent. Others do, so you only see SYN ACKs sent out.

[2] Which in this particular case isn't important (for the target): be it SYN-ACK or RST-ACK packets is of no importance to the "real" target (Mr. Gibson's viewpoint), as it will be rejected or dropped anyway (if configured correctly). However, it is also possible that they just wanted to squish another RST packet out of Mr. Gibson's box for every SYN-ACK packet which arrived, and thus create (yet) more bandwidth usage.

Please correct me if anything above is wrong, I am always happy to learn out of my errors.

==
Zoller Thierry
http://www.sniff-em.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
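The exchange above describes the victim's view of a reflected SYN flood: routers answer spoofed SYNs with SYN-ACKs (service open) or RST-ACKs (service closed), and the victim, having sent no SYN, answers each SYN-ACK with its own RST. The following script, added here as an illustration and not part of Thierry's message or of any tool mentioned in the thread, shows how a defender could recognise that backscatter in a packet capture: it reads tcpdump-style text lines, remembers the SYNs the local host itself sent, and counts inbound SYN-ACK / RST-ACK packets that answer none of them, grouped by reflector and by the reflected service port, together with the RSTs the local host sent back. The addresses, line format and function names are my own assumptions; the sample capture is constructed, not a real trace.

```python
"""Spot TCP backscatter (reflected SYN-ACK / RST-ACK) from the victim's side.

Added example, not part of the original list message. Input is assumed to be
tcpdump-style text ("IP a.b.c.d.port > w.x.y.z.port: Flags [S.]"); the
sample lines at the bottom are constructed, not a real capture.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for one tcpdump TCP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # ARP, ICMP, truncated lines etc. are ignored
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def backscatter_report(lines, local_ip):
    """Count inbound SYN-ACK / RST-ACK / RST packets that answer no SYN local_ip sent.

    Whether a reflector answers with SYN-ACK (service open) or RST-ACK (service
    closed) is recorded but treated alike: both are unsolicited traffic to the
    victim. The RSTs local_ip sends back are counted too, since every unsolicited
    SYN-ACK costs the victim a reply packet unless a firewall drops it first.
    """
    pending = set()              # (remote_ip, remote_port, local_port) we SYN'd to
    unsolicited = Counter()      # "SYN-ACK" / "RST-ACK" / "RST" -> count
    reflectors = Counter()       # remote ip -> unsolicited packets from it
    reflected_ports = Counter()  # remote service port the reflection came from
    local_rsts = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags = p
        if src == local_ip:
            if flags == "S":
                pending.add((dst, dport, sport))
            elif flags.startswith("R"):
                local_rsts += 1
        elif dst == local_ip and flags in ("S.", "R.", "R"):
            if (src, sport, dport) in pending:
                continue  # reply to a connection we opened (kept, so retransmits pass too)
            kind = {"S.": "SYN-ACK", "R.": "RST-ACK", "R": "RST"}[flags]
            unsolicited[kind] += 1
            reflectors[src] += 1
            reflected_ports[sport] += 1
    return {
        "unsolicited": dict(unsolicited),
        "unsolicited_total": sum(unsolicited.values()),
        "distinct_reflectors": len(reflectors),
        "reflected_ports": dict(reflected_ports),
        "local_rsts": local_rsts,
    }


# Constructed sample: 198.51.100.5 is the victim, 203.0.113.x are hosts it really
# talks to, 192.0.2.x are routers reflecting SYNs spoofed with the victim's address.
SAMPLE = """\
13:28:05.000100 IP 198.51.100.5.40001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
13:28:05.000200 IP 203.0.113.10.443 > 198.51.100.5.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
13:28:05.001000 IP 192.0.2.1.80 > 198.51.100.5.80: Flags [S.], seq 3, ack 1, win 5840, length 0
13:28:05.001100 IP 198.51.100.5.80 > 192.0.2.1.80: Flags [R], seq 1, win 0, length 0
13:28:05.001200 IP 192.0.2.2.80 > 198.51.100.5.80: Flags [S.], seq 4, ack 1, win 5840, length 0
13:28:05.001300 IP 198.51.100.5.80 > 192.0.2.2.80: Flags [R], seq 1, win 0, length 0
13:28:05.001400 IP 192.0.2.3.22 > 198.51.100.5.80: Flags [R.], seq 0, ack 1, win 0, length 0
13:28:05.001500 IP 192.0.2.4.23 > 198.51.100.5.80: Flags [R.], seq 0, ack 1, win 0, length 0
13:28:05.001600 IP 192.0.2.1.80 > 198.51.100.5.80: Flags [S.], seq 3, ack 1, win 5840, length 0
13:28:05.001700 IP 198.51.100.5.80 > 192.0.2.1.80: Flags [R], seq 1, win 0, length 0
13:28:05.002000 IP 198.51.100.5.40002 > 203.0.113.20.22: Flags [S], seq 7, win 64240, length 0
13:28:05.002100 IP 203.0.113.20.22 > 198.51.100.5.40002: Flags [R.], seq 0, ack 8, win 0, length 0
13:28:05.003000 ARP, Request who-has 198.51.100.1 tell 198.51.100.5, length 28
"""


def sample_report():
    """Run the detector over the constructed capture above."""
    return backscatter_report(SAMPLE.splitlines(), "198.51.100.5")


if __name__ == "__main__":
    print(sample_report())
```

On the sample the report shows three unsolicited SYN-ACKs and two RST-ACKs from four distinct reflectors, the legitimate SYN-ACK and connection refusal from 203.0.113.x correctly excluded, and three RSTs sent back by the victim: exactly the "one more RST per SYN-ACK" cost Thierry points out, which a stateful filter that drops unsolicited SYN-ACKs would remove.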