Security Basics mailing list archives

Strange DoS from many (MANY) hosts


From: Yusuf <yusufad () myrealbox com.DELME>
Date: Tue, 27 Jul 2004 02:08:23 -0700

Hi there.

For several hours I have been receiving SYN packets from *lots* of hosts.

It doesn't appear to be a *personal* attack, but most probably some new
virii/vermii, because:

The hit frequency is not that high: my latencies have gone to the sky,
but still inside the atmosphere ;-).

I only get a few requests from each host, and there are thousands of
them, from all around the world.  Most of the hosts (the ones with
reverse DNS, anyway) appear to be over DSL/Cable lines, like:

adsl-65-67-113-211.dsl.rcsntx.swbell.net
ben215.neoplus.adsl.tpnet.pl
wbar18.dal1-4.29.164.140.dal1.dsl-verizon.net
S010600402b65ad2b.vc.shawcable.net
DSL01.212.114.236.176.NEFkom.net
...

The hits appear to probe several ports, including 135, 445, 4662, 21338
and 31841.  Two of them in /etc/services:

loc-srv         135/tcp         epmap           # Location Service
microsoft-ds    445/tcp                         # Microsoft Naked CIFS

¿Anyone experiencing it, or with an idea of what this is?

As I said, so far the only complication is with online games ;-), but nonetheless, the propagation of the "thing" is most impressive.

¿Is it the Apocalypse Now???? (Redux ;-) )

As you'll see next, my firewall already refuses connections to those ports (with the standard DROP at the end of the iptables chain), but even a few hits a second get my latency really high. Is there a better way to deal with these packets?

Sniffer log extract follows:

Source                Destination           Protocol Info
1.140.142.132         THIS.IS.MY.HOST         TCP      2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST         61.140.142.132        ICMP     Destination unreachable
80.38.27.138          THIS.IS.MY.HOST         TCP      4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67          THIS.IS.MY.HOST         TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         61.145.99.67          ICMP     Destination unreachable
201.135.98.127        THIS.IS.MY.HOST         TCP      1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         201.135.98.127        ICMP     Destination unreachable
3com_5a:43:3f         Cisco_f7:60:38        PPP LCP  Echo Request
Cisco_f7:60:38        3com_5a:43:3f         PPP LCP  Echo Reply
212.114.236.176       THIS.IS.MY.HOST         TCP      29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176       THIS.IS.MY.HOST         TCP      29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208        THIS.IS.MY.HOST         TCP      4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
THIS.IS.MY.HOST         68.148.140.208        ICMP     Destination unreachable
61.145.99.67          THIS.IS.MY.HOST         TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         61.145.99.67          ICMP     Destination unreachable
212.114.236.176       THIS.IS.MY.HOST         TCP      29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
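The pattern the post describes (thousands of sources, only a few SYNs from each, all aimed at a handful of ports) is what worm scanning looks like from the victim's side, and it is distinguishable from a single-source flood by counting distinct sources per destination port. The script below is an added example, not code from the original post: it parses sniffer lines in the same column layout as the extract above (Source, Destination, Protocol, Info), keeps only bare TCP SYNs, and labels each probed port as "distributed" (many sources, few SYNs each), "concentrated" (one or a few sources sending many), or "sparse". The sample log is constructed with documentation-range addresses, and the thresholds in `classify` are illustrative, not tuned values.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the sniffer extract in the post.
# Addresses are from RFC 5737 documentation ranges; none are real hosts.
SAMPLE_LOG = """\
Source                Destination           Protocol Info
192.0.2.10            THIS.IS.MY.HOST       TCP      2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST       192.0.2.10            ICMP     Destination unreachable
198.51.100.7          THIS.IS.MY.HOST       TCP      4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
203.0.113.5           THIS.IS.MY.HOST       TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
203.0.113.9           THIS.IS.MY.HOST       TCP      1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
198.51.100.7          THIS.IS.MY.HOST       TCP      29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
198.51.100.7          THIS.IS.MY.HOST       TCP      29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
192.0.2.44            THIS.IS.MY.HOST       TCP      4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
203.0.113.5           THIS.IS.MY.HOST       TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
203.0.113.77          THIS.IS.MY.HOST       TCP      3301 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
"""

# Matches a TCP line whose Info column starts "<sport> > <dport> [SYN]";
# the header line, ICMP replies and LCP echoes do not match.
SYN_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+(?P<sport>\d+)\s+>\s+(?P<dport>\S+)\s+\[SYN\]"
)


def parse_syns(log_text):
    """Yield (source, destination port) for every bare TCP SYN in the log."""
    for line in log_text.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield m.group("src"), m.group("dport")


def summarize(log_text):
    """Per destination port: distinct sources, total SYNs, busiest source."""
    per_port = defaultdict(lambda: defaultdict(int))  # dport -> src -> SYN count
    for src, dport in parse_syns(log_text):
        per_port[dport][src] += 1
    return {
        dport: {
            "sources": len(sources),
            "syns": sum(sources.values()),
            "max_per_source": max(sources.values()),
        }
        for dport, sources in per_port.items()
    }


def classify(stats, min_sources=3, max_per_source=2):
    """Label a port's SYN pattern.

    'distributed': at least min_sources distinct senders and none of them sent
    more than max_per_source SYNs, i.e. the many-hosts-few-hits pattern of worm
    scanning. 'concentrated': some sender exceeded max_per_source. 'sparse':
    too little traffic to say. Thresholds are illustrative (constructed).
    """
    if stats["sources"] >= min_sources and stats["max_per_source"] <= max_per_source:
        return "distributed"
    if stats["max_per_source"] > max_per_source:
        return "concentrated"
    return "sparse"


def report(log_text):
    """Map each probed port to (distinct sources, total SYNs, label)."""
    return {
        port: (s["sources"], s["syns"], classify(s))
        for port, s in sorted(summarize(log_text).items())
    }


if __name__ == "__main__":
    for port, (sources, syns, label) in report(SAMPLE_LOG).items():
        print(f"port {port:<14} sources={sources:<3} syns={syns:<3} {label}")
```

On the constructed sample, port microsoft-ds comes out "distributed" (four sources, at most two SYNs each) while 21338 comes out "concentrated" (one source, three SYNs). Run over a real capture, a "distributed" label on 135/445 across thousands of sources is evidence that the host is being swept by an automated scanner rather than singled out; it also shows why a host-side DROP rule cannot fix the latency the post reports, since every SYN has already crossed the access link before the firewall sees it, and only upstream filtering or rate limiting reduces that load.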