Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Port 80 SYN flood-like behavior

From: Steve Gibson <bugtraq () grc com>
Date: Fri, 15 Feb 2002 11:39:09 -0800
Thierry,


<Enter Conspiracy Theory here ;)>

>I read that to mean that the intermediary was seeing reflected SYN
>{ACK|RST} packets directed at *different* targets over time (most
>attacks only last a few minutes at a time).  In Steve's case, the
>attackers directed the attack only at grc.com for an extended period
>of time.  Two different attackers, with two different MOs.

Ack, the question would then have to be, why choose dialups as
target, and if, why only a short period of time ("short" being relative
to some)
This is at least consistent with the "script kiddie" mentality we've seen with the "Bot armies" which, as Dave suggested, are often used to blast each other off the Net in "king of the mountain" style attempts to obtain IRC channel ownership, or to "punish" IRC hosts for imagined transgressions. 

______________________________________________________________________
Steve.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: