Security Incidents mailing list archives

Re: Port 80 SYN flood-like behavior


From: Steve Gibson <bugtraq () grc com>
Date: Fri, 15 Feb 2002 11:30:40 -0800

Dave,

> Or RST for instance if the port is closed.  Read : Spoofed Packet

> Right.  Spoofing is what allows the reflection to work.  The
> reflection is blindly done against any of a number of services
> believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a
> router, as in Steve's case).  Some routers don't have all services
> running, so SYN RSTs are sent.  Others do, so you only see SYN ACKs
> sent out.

I think there might be a bit more preparation going on than would be evident from your characterization that "the reflection is blindly done." My analysis of the attack revealed some RSTs among the SYN/ACKs, but those RSTs were very few and far between, and they were not from the same IPs as the SYN/ACKs.

So, it did not look as though a list of routers (probably easily gleaned from traceroutes) was being sprayed with SYNs aimed at an array of typical router services.

And, there were other non-router machines involved, such as a collection of Yahoo.com web servers and even a machine whose IP resolved to "gary7.nsa.gov" (gotta love that Star Trek reference. :)

My take on the attack/tool is that some deliberate collection of open TCP ports on well-connected machines is being done in advance, and that list is then used to drive a SYN spraying utility of some form.

Given the other replies here, it appears that one of the resulting lists may be shared among multiple attackers.

In case you guys are curious, here's the list of 202 routers that were flooding us from their BGP port 179 ...

>-------------------------------------------------------------------

129.250. 28.  1            ge-6-2-0.r03.sttlwa01.us.bb.verio.net
129.250. 28.  3            ge-1-0-0.a07.sttlwa01.us.ra.verio.net
129.250. 28. 20            ge-0-1-0.a12.sttlwa01.us.ra.verio.net
129.250. 28. 33            ge-0-0-0.r00.bcrtfl01.us.bb.verio.net
129.250. 28. 49            ge-1-1-0.r01.bcrtfl01.us.bb.verio.net
129.250. 28. 98            ge-1-2-0.r00.sfldmi01.us.bb.verio.net
129.250. 28. 99            ge-1-0-0.a00.sfldmi01.us.ra.verio.net
129.250. 28.100            ge-1-1-0.a01.sfldmi01.us.ra.verio.net
129.250. 28.113            ge-1-2-0.r01.sfldmi01.us.bb.verio.net
129.250. 28.116            ge-1-1-0.a00.sfldmi01.us.ra.verio.net
129.250. 28.117            ge-1-0-0.a01.sfldmi01.us.ra.verio.net
129.250. 28.131            ge-0-3-0.a00.scrmca01.us.ra.verio.net
129.250. 28.142            ge-0-2-0.r00.scrmca01.us.bb.verio.net
129.250. 28.147            ge-1-2-0.a00.scrmca01.us.ra.verio.net
129.250. 28.158            ge-0-2-0.r01.scrmca01.us.bb.verio.net
129.250. 28.164            ge-1-0-0.a10.dllstx01.us.ra.verio.net
129.250. 28.165            ge-1-0-0.a11.dllstx01.us.ra.verio.net
129.250. 28.190            ge-6-0-0.r01.dllstx01.us.bb.verio.net
129.250. 28.200            ge-0-2-0.a00.snjsca03.us.ra.verio.net
129.250. 28.201            ge-0-2-0.a01.snjsca03.us.ra.verio.net
129.250. 28.221            ge-2-1-0.r04.snjsca03.us.bb.verio.net
129.250. 28.230            ge-1-1-0.a00.snjsca03.us.ra.verio.net
129.250. 28.231            ge-1-1-0.a01.snjsca03.us.ra.verio.net
129.250. 28.254            ge-2-1-0.r01.snjsca03.us.bb.verio.net

205.171. 31.  1                       iah-core-01.inet.qwest.net
205.171. 31.  2                       iah-core-02.inet.qwest.net
205.171. 31.  5                       iah-core-01.inet.qwest.net
205.171. 31.  6                       iah-core-03.inet.qwest.net
205.171. 31.  9                       iah-core-01.inet.qwest.net
205.171. 31. 13                       iah-core-01.inet.qwest.net
205.171. 31. 17                       iah-core-01.inet.qwest.net
205.171. 31. 21                       iah-core-01.inet.qwest.net
205.171. 31. 25                       iah-core-02.inet.qwest.net
205.171. 31. 33                       iah-core-01.inet.qwest.net
205.171. 31. 37                       iah-core-01.inet.qwest.net
205.171. 31. 41                       iah-core-02.inet.qwest.net
205.171. 31. 53                       iah-core-02.inet.qwest.net
205.171. 31. 57                       iah-core-03.inet.qwest.net
205.171. 31. 61                       iah-core-02.inet.qwest.net
205.171. 31. 81                       iah-core-03.inet.qwest.net

206. 79.  9.  2                     globalcrossing-px.exodus.net
206. 79.  9.114                               exds-wlhm.gblx.net
206. 79.  9.210                         telefonica-px.exodus.net

208.184.232. 13                 core1-atl4-oc48-2.atl2.above.net
208.184.232. 17                   core2-atl4-oc48.atl2.above.net
208.184.232. 21                   core1-atl4-oc48.atl2.above.net
208.184.232. 25                  core2-core1-oc48.atl2.above.net
208.184.232. 45                 core1-core2-oc192.sfo1.above.net
208.184.232. 46                 core2-core1-oc192.sfo1.above.net
208.184.232. 54                  sfo1-sjc2-oc48-2.sfo1.above.net
208.184.232. 57                  ord2-sea1-oc48-2.ord2.above.net
208.184.232. 58                  sea1-ord2-oc48-2.sea1.above.net
208.184.232. 97                    bos2-dca2-oc48.bos2.above.net
208.184.232. 98                    dca2-bos2-oc48.dca2.above.net
208.184.232.101                  bos2-dca2-oc48-2.bos2.above.net
208.184.232.102                  dca2-bos2-oc48-2.dca2.above.net
208.184.232.109                   core1-dfw3-oc48.dfw2.above.net
208.184.232.110                   core1-dfw2-oc48.dfw3.above.net
208.184.232.113                   core2-dfw3-oc48.dfw2.above.net
208.184.232.114                   core2-dfw2-oc48.dfw3.above.net
208.184.232.118                   core1-dfw1-oc48.dfw2.above.net
208.184.232.126                    sfo1-sjc2-oc48.sfo1.above.net
208.184.232.133                  dca2-dfw2-oc48-2.dca2.above.net
208.184.232.134                  dfw2-dca2-oc48-2.dfw2.above.net
208.184.232.145                    ord2-bos2-oc48.ord2.above.net
208.184.232.146                    bos2-ord2-oc48.bos2.above.net
208.184.232.149                    lga1-ord2-oc48.lga1.above.net
208.184.232.150                    ord2-lga1-oc48.ord2.above.net
208.184.232.157                    atl2-lga2-oc48.atl2.above.net
208.184.232.158                    lga2-atl2-oc48.lga2.above.net
208.184.232.165                  atl2-lga2-oc48-2.atl2.above.net
208.184.232.166                  lga2-atl2-oc48-2.lga2.above.net
208.184.232.177                         sjc3-pao1-oc12.above.net
208.184.232.189                    bos2-lga2-oc48.bos2.above.net
208.184.232.190                    lga2-bos2-oc48.lga2.above.net
208.184.232.193                  bos2-lga2-oc48-2.bos2.above.net
208.184.232.194                  lga2-bos2-oc48-2.lga2.above.net
208.184.232.197                  core2-lga2-oc192.lga1.above.net
208.184.232.198                  core2-lga1-oc192.lga2.above.net
208.184.233. 46                    ord2-sjc2-oc48.ord2.above.net
208.184.233. 50                   core2-sjc2-oc48.sjc3.above.net
208.184.233. 61                 iad1-lga1-oc192-2.iad1.above.net
208.184.233. 62                 lga1-iad1-oc192-2.lga1.above.net
208.184.233. 65                   iad1-lga1-oc192.iad1.above.net
208.184.233. 66                   lga1-iad1-oc192.lga1.above.net
208.184.233. 81            core1-main1colo56-oc48.sea2.above.net
208.184.233. 85            core1-main2colo56-oc48.sea2.above.net
208.184.233. 89            core2-main1colo56-oc48.sea2.above.net
208.184.233. 93            core2-main2colo56-oc48.sea2.above.net
208.184.233.101                 core1-core2-oc192.sea2.above.net
208.184.233.102                 core2-core1-oc192.sea2.above.net
208.184.233.105                  core2-sea2-oc192.sea1.above.net
208.184.233.106                core2-sea1-oc192-2.sea2.above.net
208.184.233.121                 core1-core2-oc192.dca2.above.net
208.184.233.126                   iad1-dca2-oc192.iad1.above.net
208.184.233.129                   dca2-iad1-oc192.dca2.above.net
208.184.233.130                   iad1-dca2-oc192.iad1.above.net
208.184.233.134                    dca2-sjc2-oc48.dca2.above.net
208.184.233.150                    ord2-dfw2-oc48.ord2.above.net
208.184.233.174                globalcenter-above.iad2.above.net
208.184.233.189                    sea1-nrt3-stm1.sea1.above.net
208.184.233.190                    nrt3-sea1-stm1.nrt3.above.net
208.184.233.193                  sea1-nrt3-stm1-3.sea1.above.net
208.184.233.194                  nrt3-sea1-stm1-3.nrt3.above.net
208.184.233.197                  core1-main1-oc12.nrt3.above.net
208.184.233.201                  core1-main2-oc12.nrt3.above.net
208.184.233.205                  core2-main1-oc12.nrt3.above.net
208.184.233.209                  core2-main2-oc12.nrt3.above.net
208.184.233.217                  core2-core3-oc48.lga1.above.net
208.184.233.225                 core2-v6core3-oc3.nrt3.above.net
208.184.233.237                 core1-oc192-core2.bos2.above.net
208.184.233.238                 core2-oc192-core1.bos2.above.net
208.185.  0. 25                     core5-dlr-oc3.iad1.above.net
208.185.  0.113                  core5-main1-oc48.iad1.above.net
208.185.  0.117                  core5-main2-oc48.iad1.above.net
208.185.  0.121                   core4-iad4-oc48.iad1.above.net
208.185.  0.133                   core5-iad4-oc48.iad1.above.net
208.185.  0.138                  core4-core1-oc48.iad1.above.net
208.185.  0.142                  core4-core3-oc48.iad1.above.net
208.185.  0.146                  core5-core1-oc48.iad1.above.net
208.185.  0.150                  core5-core3-oc48.iad1.above.net
208.185.  0.153                  core4-main1-oc48.iad1.above.net
208.185.  0.157                  core4-main2-oc48.iad1.above.net
208.185.  0.165                  core1-core2-oc48.lga3.above.net
208.185.  0.166                  core2-core1-oc48.lga3.above.net
208.185.  0.169                   core1-lga3-oc12.lga1.above.net
208.185.  0.170                   core1-lga1-oc12.lga3.above.net
208.185.  0.173                 core1-core3-oc3-2.lga3.above.net
208.185.  0.177                   core2-core3-oc3.lga3.above.net
208.185.  0.189                  core1-core3-oc48.ord2.above.net
208.185.  0.193                  core2-core3-oc48.ord2.above.net
208.185.  0.197                   core1-ord1-oc48.ord2.above.net
208.185.  0.202                   core2-ord1-oc48.ord2.above.net
208.185.  0.221                  core1-core3-oc48.atl2.above.net
208.185.  0.225                  core2-core3-oc48.atl2.above.net
208.185.  0.229                  dca2-atl2-oc48-2.dca2.above.net
208.185.  0.230                  atl2-dca2-oc48-2.atl2.above.net
208.185.  0.233                 core1-core2-oc192.lga1.above.net
208.185.  0.234                 core2-core1-oc192.lga1.above.net
208.185.  0.237                  core1-core3-oc48.lga1.above.net
208.185.  0.245                  core1-lga2-oc192.lga1.above.net
208.185.  0.246                  core1-lga1-oc192.lga2.above.net
208.185.  0.249                   core1-dfw2-oc48.atl2.above.net
208.185.  0.250                   core1-atl2-oc48.dfw2.above.net
208.185.156.  2                  core2-lhr1-stm16.lhr3.above.net
208.185.156. 65                  core3-core5-oc48.sjc2.above.net
208.185.156.121                core2-sea2-oc192-2.sea1.above.net
208.185.156.122                core1-sea1-oc192-2.sea2.above.net
208.185.156.157                  ord2-lga1-oc48-2.ord2.above.net
208.185.156.158                  lga1-ord2-oc48-2.lga1.above.net
208.185.156.189             core3-main1colo7-oc12.sjc2.above.net
208.185.156.193             core4-main2colo7-oc12.sjc2.above.net
208.185.175. 90                    ord2-sea1-oc48.ord2.above.net
208.185.175. 93                   core3-core4-oc3.sea1.above.net
208.185.175.114                    earthlink-above.lax.above.net
208.185.175.145                 core1-core2-oc192.sjc3.above.net
208.185.175.146                 core2-core1-oc192.sjc3.above.net
208.185.175.149                  core2-sjc4-oc192.sjc3.above.net
208.185.175.158                   core1-sjc2-oc48.sjc3.above.net
208.185.175.178                  core2-core1-oc48.sea1.above.net
208.185.175.182                  core3-core1-oc48.sea1.above.net
208.185.175.189            core1-main1colo56-oc48.sjc3.above.net
208.185.175.193            core1-main2colo56-oc48.sjc3.above.net
208.185.175.197            core2-main1colo56-oc48.sjc3.above.net
208.185.175.201            core2-main2colo56-oc48.sjc3.above.net
216.200.127.  9                   core4-iad5-oc48.iad1.above.net
216.200.127. 13                   core5-iad5-oc48.iad1.above.net
216.200.127. 26                    sjc2-iad1-oc48.sjc2.above.net
216.200.127. 29                    core4-epe1-oc3.iad1.above.net
216.200.127. 33                    core5-epe1-oc3.iad1.above.net
216.200.127. 45                    core1-epe1-oc3.lga1.above.net
216.200.127. 49                    core2-epe1-oc3.lga1.above.net
216.200.127. 61                  iad1-lga1-oc48-2.iad1.above.net
216.200.127. 62                  lga1-iad1-oc48-2.lga1.above.net
216.200.127. 65                    lga1-sea1-oc48.lga1.above.net
216.200.127. 66                    sea1-lga1-oc48.sea1.above.net
216.200.127. 69                  lga1-lhr1-stm4-3.lga1.above.net
216.200.127.118                    sea1-sjc2-oc48.sea1.above.net
216.200.127.145                 core1-core2-oc192.lga2.above.net
216.200.127.146                 core2-core1-oc192.lga2.above.net
216.200.127.149                  core1-core3-oc48.lga2.above.net
216.200.127.153            core1-main1colo45-oc48.lga2.above.net
216.200.127.157            core1-main2colo45-oc48.lga2.above.net
216.200.127.161           core1-main1colo678-oc48.lga2.above.net
216.200.127.165           core1-main2colo678-oc48.lga2.above.net
216.200.127.169                  core2-core3-oc48.lga2.above.net
216.200.127.173            core2-main1colo45-oc48.lga2.above.net
216.200.127.177            core2-main2colo45-oc48.lga2.above.net
216.200.127.181           core2-main1colo678-oc48.lga2.above.net
216.200.127.185           core2-main2colo678-oc48.lga2.above.net
216.200.127.189                  core1-main1-oc48.lga1.above.net
216.200.127.194                  core1-main2-oc48.lga1.above.net
216.200.127.197                  core2-main1-oc48.lga1.above.net
216.200.127.201                  core2-main2-oc48.lga1.above.net
216.200.127.205                    dfw2-dca2-oc48.dfw2.above.net
216.200.127.206                    dca2-dfw2-oc48.dca2.above.net
216.200.127.209                 core1-core2-oc192.dfw2.above.net
216.200.127.210                 core2-core1-oc192.dfw2.above.net
216.200.127.213                  core1-core3-oc48.dfw2.above.net
216.200.127.217                  core2-core3-oc48.dfw2.above.net
216.200.127.225                    atl2-dfw2-oc48.atl2.above.net
216.200.127.226                    dfw2-atl2-oc48.dfw2.above.net

______________________________________________________________________
Steve.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
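From the victim's side, the traffic Steve describes has one unambiguous signature: SYN/ACKs (and the occasional RST) arriving from well-connected hosts that the victim never sent a SYN to. The following script is an added example, not code from Steve Gibson or the original post; it walks a tcpdump-style text capture, remembers which SYNs the local host actually sent, and flags every inbound SYN/ACK or RST that no local SYN explains, then tallies the reflectors by address and by reflected service port (179 for BGP in this incident) so the list can go into an abuse report or an ingress filter. The capture is constructed: 203.0.113.10 is a hypothetical victim, the two 179/tcp sources are routers from the list in the post, and the remaining addresses are RFC 5737 documentation addresses.

```python
"""Flag unsolicited SYN/ACK and RST traffic: what a reflected (spoofed-source)
SYN flood looks like from the victim's side.  Added example, not from the post."""
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's text format.  203.0.113.10 is the hypothetical
# victim.  129.250.28.1 and 205.171.31.1 are BGP routers from the post's list;
# 192.0.2.7 and 198.51.100.x are documentation addresses standing in for a
# reflector that answers with RST and for ordinary traffic respectively.
SAMPLE_CAPTURE = """\
12:00:00.500 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], seq 1000, win 65535
12:00:00.510 IP 198.51.100.5.80 > 203.0.113.10.51000: Flags [S.], seq 4000, ack 1001, win 5840
12:00:00.511 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [.], ack 4001, win 65535
12:00:01.000 IP 129.250.28.1.179 > 203.0.113.10.48121: Flags [S.], seq 7, ack 1, win 16384
12:00:01.002 IP 129.250.28.1.179 > 203.0.113.10.48122: Flags [S.], seq 8, ack 1, win 16384
12:00:01.003 IP 205.171.31.1.179 > 203.0.113.10.48123: Flags [S.], seq 9, ack 1, win 4128
12:00:01.010 IP 192.0.2.7.23 > 203.0.113.10.48124: Flags [R.], seq 0, ack 1, win 0
12:00:01.020 IP 198.51.100.9.22 > 203.0.113.10.48125: Flags [S.], seq 3, ack 1, win 5840
"""

# tcpdump prints TCP flags as letters: S = SYN, . = ACK, R = RST, F = FIN, P = PSH.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP / unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_unsolicited(capture, our_host):
    """Walk the capture in order.  Record every SYN our_host sends, then treat each
    inbound SYN/ACK or RST with no matching local SYN as a reflected packet, i.e.
    evidence that someone is sending SYNs to that host with our address spoofed.

    Returns {"reflectors": {(ip, port): Counter(kind)}, "by_service": {port: n}}."""
    sent_syns = set()                 # (peer_ip, peer_port, our_port) we really opened
    reflectors = defaultdict(Counter)
    by_service = Counter()
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        if src == our_host and "S" in flags and "." not in flags:
            sent_syns.add((dst, dport, sport))   # genuine outbound connection attempt
            continue
        if dst != our_host:
            continue
        is_synack = "S" in flags and "." in flags
        is_rst = "R" in flags
        if not (is_synack or is_rst):
            continue
        if (src, sport, dport) in sent_syns:
            continue                              # legitimate reply to our own SYN
        kind = "synack" if is_synack else "rst"
        reflectors[(src, sport)][kind] += 1       # per-reflector, per-response-type
        by_service[sport] += 1                    # which service was sprayed
    return {"reflectors": dict(reflectors), "by_service": dict(by_service)}


def summarize(result):
    """One line per reflector, sorted, suitable for an abuse report."""
    lines = []
    for (ip, port), kinds in sorted(result["reflectors"].items()):
        lines.append(f"{ip}:{port}  synack={kinds['synack']}  rst={kinds['rst']}")
    return lines


if __name__ == "__main__":
    report = find_unsolicited(SAMPLE_CAPTURE, "203.0.113.10")
    print("\n".join(summarize(report)))
    print("unsolicited responses by reflected service port:", report["by_service"])
```

Because the check is "response without a matching local SYN", the legitimate handshake to 198.51.100.5:80 is never flagged, while the two BGP routers, the SSH host and the RST-answering host are, with the mix of SYN/ACK and RST per source preserved so the distinction Steve draws between open and closed reflected ports survives into the report.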

