Security Basics mailing list archives

RE: TCP Syn Flooding


From: "Michael Parker" <mparker () rim net>
Date: Tue, 18 Feb 2003 09:16:25 -0500

Hi Anomoly,

No apologies needed as you are indeed *mostly* correct.  The source of a syn flood IS *usually* spoofed to prevent the 
victim system from returning a response (providing a syn/ack) but mostly to prevent the attacker from being identified. 
Since the object of a syn flood is to fill the connection buffer to the point that it can't respond (a brute force syn 
flood), spoofing isn't always absolutely necessary.  In fact if I remember correctly, DDOS attacks that use syn flood 
don't necessarily spoof anyone's IP, they just use systems that have been compromised to initiate the syn flood 
(zombies).  It's also not really any part of a request for a web page per se, but a request to initiate a connection 
with another system.

Regards,
Michael


-----Original Message-----
From: Anomaly [mailto:computerhelp () host sk]
Sent: February 18, 2003 12:00 AM
To: Michael Parker; Tim Laureska; security-basics
Subject: RE: TCP Syn Flooding


Sorry if this has been mentioned before, but my email server has been 
bouncing messages back a lot lately so I have been missing quite a bit from 
the mailing list.

Tracing that IP address is useless if it was an actual SYN flood attempt.  
SYN flooding is when someone spoofs a TCP/IP packet and forms it to request a 
page from a webserver.  When your server tries to complete the handshake it 
sends a packet back to the spoofed address and obviously the spoofed 
server/computer address isn't going to respond correctly or even at all since 
it didn't initiate the connection to begin with.  Basically a person/hacker 
can fill up your server connection with false requests thus denying legit 
users from your content.

More than likely though it was a byproduct of something else since as you 
said it was the same address.  Someone trying to attack your server would use 
multiple addresses causing a greater effect.  It's quite easy to do since 
you're spoofing the packet to begin with.  

I highly doubt someone is purposely attacking you.

Someone please correct me if I stated anything wrong.  

-Anomaly

---------- Original Message -----------
From: "Michael Parker" <mparker () rim net>
To: "Tim Laureska" <hometeam () goeaston net>, "security-basics" <security-basics () securityfocus com>
Sent: Mon, 17 Feb 2003 12:38:17 -0500
Subject: RE: TCP Syn Flooding

Sounds like someone was trying to syn flood your system and your firewall 
did what it was supposed to...blocked the connection to the offending 
system.  

A WHOIS of the source IP turned up these results:

Cable & Wireless CW-03BLK (NET-205-138-0-0-1) 
                                  205.138.0.0 - 205.140.255.255
Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1) 
                                  205.138.3.0 - 205.138.3.255

# ARIN WHOIS database, last updated 2003-02-16 20:00

I also did a tracert to that IP

Hop  IP Address       Host Name                              Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
<SNIP>
8    152.63.132.14    130.atm3-0.xr1.tor2.alter.net          1     1     10 ms  10 ms   10 ms    10 ms    0.000%
9    152.63.2.109     0.so-0-0-0.tl1.tor2.alter.net          1     1     10 ms  10 ms   10 ms    10 ms    0.000%
10   152.63.2.106     0.so-4-1-0.TL1.DCA6.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
11   152.63.36.37     0.so-6-0-0.CL1.DCA1.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
12   152.63.33.170    295.at-6-0-0.XR1.TCO1.ALTER.NET        1     1     30 ms  30 ms   30 ms    30 ms    0.000%
13   152.63.39.93     193.ATM6-0.GW5.TCO1.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
14   157.130.79.194   doubleclick-gw.customer.alter.net      1     1     40 ms  40 ms   40 ms    40 ms    0.000%
15   205.138.3.201    [Unknown]                              1     1     40 ms  40 ms   40 ms    40 ms    0.000%

Here is a link that provides information on a SYN attack - 
http://www.cert.org/advisories/CA-1996-21.html

Hope this helps.
Cheers,
Michael

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network, and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.
------- End of Original Message -------
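A triage pass over firewall lines in the format Tim quoted, applying the thread's own rule of thumb (a flood from many distinct sources looks different from a single address that keeps repeating, which is more often a byproduct of something else). This is an added example, not code from anyone on the list; the log-line regex is inferred from the one line shown, the sample lines are constructed, and the thresholds are arbitrary assumptions to tune per site.

```python
import re
from collections import defaultdict

# Pattern for the Netgear log line quoted in the thread (assumed from the one
# sample shown; the trailing "End of Log ----------" is simply ignored).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - TCP connection dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - '(?P<rule>[^']+)'"
)

# Constructed sample log: Tim's line repeated three times (one source), plus a
# burst against another LAN host from twelve different WAN addresses.
SAMPLE_LOG = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------",
] * 3 + [
    f"Fri, 02/14/2003 21:00:{i:02d} - TCP connection dropped - Source:198.51.100.{i}, 4000, WAN - "
    f"Destination:69.2.167.26, 80, LAN - 'TCP:Syn Flooding'"
    for i in range(1, 13)
]

def parse_line(line):
    """Return the fields of one dropped-connection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return None if m is None else m.groupdict()

def triage(lines, many_sources=10, many_events=50):
    """Group 'TCP:Syn Flooding' drops per LAN destination and classify each one."""
    per_dst = defaultdict(lambda: {"events": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rule"] != "TCP:Syn Flooding":
            continue
        per_dst[rec["dst"]]["events"] += 1
        per_dst[rec["dst"]]["sources"].add(rec["src"])
    result = {}
    for dst, agg in per_dst.items():
        n_src = len(agg["sources"])
        if n_src >= many_sources:
            verdict = "many-sources"              # spoofed or distributed SYN flood pattern
        elif agg["events"] >= many_events:
            verdict = "single-source-sustained"   # brute-force flood or a misbehaving peer
        else:
            verdict = "few-events"                # likely a byproduct; WHOIS/traceroute the source
        result[dst] = {"events": agg["events"], "distinct_sources": n_src, "verdict": verdict}
    return result
```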

