Firewall Wizards mailing list archives

Tracking down spoofing SYN flood attackers?


From: "Stewart, John" <johns () artesyncp com>
Date: Thu, 16 Jan 2003 14:10:12 -0600


For what we believe has been a few days (we finally tracked it all down this morning; we have been having weirdness for a 
while due to our firewall being flooded with TCP connects), someone has been sending tons of port 23 packets to one of 
our servers in Scotland, with a source address of wrist.org (216.111.239.187). 

We're trying to have the ISP block the packets upstream, and I also got in contact with a wrist.org admin via their DNS 
contact info.

The attack is being spoofed; it's not actually coming from wrist.org. They don't even have a machine at this address 
which is capable of sending out telnet (TCP/23) packets. He said I was one of dozens of people who have called.

Someone doesn't like wrist.org.

As for us, it's not a huge deal. We'll likely be able to have the ISP cut off the traffic before it hits our firewall. 
But this poor guy is getting hammered, and I don't know how he's ever going to find out who's doing it, or make it stop.

My question is how would one go about tracking this down and stopping it?

I'll append a couple of packets grabbed using the Solaris "snoop -v" command.

johnS




ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 353 arrived at 19:40:40.39
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:a2:63:b4, Sun
ETHER:  Source      = 0:0:c5:78:5:bc,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x08
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 1... = high throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 47548
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 237 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 6fd9
IP:   Source address = 216.111.239.187, wrist.org
IP:   Destination address = 193.195.26.67, 193.195.26.67
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 56149
TCP:  Destination port = 23 (TELNET)
TCP:  Sequence number = 1659174912
TCP:  Acknowledgement number = 0
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x02
TCP:        ..0. .... = No urgent pointer
TCP:        ...0 .... = No acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..1. = Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 65535
TCP:  Checksum = 0xcd5e
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
TELNET:  ----- TELNET:   -----
TELNET:
TELNET:  ""
TELNET:


ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 354 arrived at 19:40:40.39
ETHER:  Packet size = 58 bytes
ETHER:  Destination = 0:0:c5:78:5:bc,
ETHER:  Source      = 8:0:20:a2:63:b4, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 44 bytes
IP:   Identification = 29652
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 63c5
IP:   Source address = 193.195.26.67, 193.195.26.67
IP:   Destination address = 216.111.239.187, wrist.org
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 23
TCP:  Destination port = 56149
TCP:  Sequence number = 3804681469
TCP:  Acknowledgement number = 1659174913
TCP:  Data offset = 24 bytes
TCP:  Flags = 0x12
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..1. = Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 9112
TCP:  Checksum = 0xddd0
TCP:  Urgent pointer = 0
TCP:  Options: (4 bytes)
TCP:    - Maximum segment size = 536 bytes
TCP:
TELNET:  ----- TELNET:   -----
TELNET:
TELNET:  ""
TELNET:
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
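The two snoop records above are the whole story of a spoofed SYN flood seen from the target's side: a SYN arrives carrying the forged source, and the server's own SYN-ACK (packet 354) is reflected at the forged address, which is why wrist.org is the one getting hammered. What a practitioner does next is pull the invariants out of the capture (TTL, TOS, window, presence of TCP options, source-port spread, rate) so that the upstream ISP has something to filter on and, hop by hop, trace back. The following is an added example, not code from the original post or from the list: it parses Solaris `snoop -v` text into per-packet records, separates the inbound SYNs from the SYN-ACK backscatter, and summarises those invariants per claimed source. The sample capture it runs on is constructed here to match the two quoted packets (the extra repeated SYNs, their timestamps, and the ordinary SYN from the made-up host 10.20.30.40 are invented); the "no TCP options means a packet generator" reading is a heuristic, not a fact the post establishes.

```python
"""Triage a Solaris `snoop -v` capture for a spoofed SYN flood. Added example,
not code from the original post: splits the verbose text into one record per
packet, separates inbound SYNs from the SYN-ACK backscatter the server returns
to the forged source, and summarises the header invariants (TTL, TOS, window,
TCP options) that an upstream filter or a traceback request can key on."""
import re
from collections import Counter

# snoop -v layout reduced to the lines the parser reads; used only to build the
# constructed sample. Real captures carry more lines, which are simply ignored.
TEMPLATE = """ETHER:  Packet {num} arrived at {time}
IP:   Type of service = 0x{tos:02x}
IP:   Time to live = {ttl} seconds/hops
IP:   Source address = {src}, {src}
IP:   Destination address = {dst}, {dst}
IP:   No options
TCP:  Source port = {sport}
TCP:  Destination port = {dport}
TCP:  Flags = 0x{flags:02x}
TCP:  Window = {window}
{opts}
"""
MSS_OPT = "TCP:  Options: (4 bytes)\nTCP:    - Maximum segment size = 536 bytes"
SERVER, SPOOFED = "193.195.26.67", "216.111.239.187"   # the addresses in the post

def snoop_block(num, time, tos, ttl, src, dst, sport, dport, flags, window, mss):
    return TEMPLATE.format(num=num, time=time, tos=tos, ttl=ttl, src=src, dst=dst,
                           sport=sport, dport=dport, flags=flags, window=window,
                           opts=MSS_OPT if mss else "TCP:  No options")

def build_sample():
    """Constructed capture: four forged SYNs 10 ms apart, each answered by a SYN-ACK
    sent to the forged address, plus one ordinary SYN from a made-up host."""
    blocks, num = [], 353
    for i in range(4):
        t = f"19:40:40.{39 + i:02d}"
        blocks.append(snoop_block(num, t, 0x08, 237, SPOOFED, SERVER, 56149 + i, 23, 0x02, 65535, False))
        blocks.append(snoop_block(num + 1, t, 0x00, 255, SERVER, SPOOFED, 23, 56149 + i, 0x12, 9112, True))
        num += 2
    blocks.append(snoop_block(num, "19:40:40.45", 0x00, 62, "10.20.30.40", SERVER, 40123, 23, 0x02, 5840, True))
    return "".join(blocks)

# (regex, int base or None for strings); the TCP: prefix keeps the IP-layer look-alikes out.
FIELDS = {
    "num": (r"Packet (\d+) arrived", 10), "time": (r"arrived at (\S+)", None),
    "tos": (r"Type of service = 0x([0-9a-fA-F]+)", 16), "ttl": (r"Time to live = (\d+)", 10),
    "src": (r"Source address = ([\d.]+)", None), "dst": (r"Destination address = ([\d.]+)", None),
    "sport": (r"TCP:\s+Source port = (\d+)", 10), "dport": (r"TCP:\s+Destination port = (\d+)", 10),
    "flags": (r"TCP:\s+Flags = 0x([0-9a-fA-F]+)", 16), "window": (r"TCP:\s+Window = (\d+)", 10),
}
SYN, ACK = 0x02, 0x10

def parse_snoop(text):
    """One dict per packet; records are split on the 'Packet N arrived' line."""
    records = []
    for block in re.split(r"(?=ETHER:\s+Packet \d+ arrived)", text):
        if not re.search(r"Packet \d+ arrived", block):
            continue
        rec = {}
        for name, (pat, base) in FIELDS.items():
            m = re.search(pat, block)
            if m:
                rec[name] = int(m.group(1), base) if base else m.group(1)
        rec["tcp_options"] = bool(re.search(r"TCP:\s+Options:", block))
        records.append(rec)
    return records

def hop_estimate(ttl):
    """(assumed initial TTL, hops travelled), trying the common initial TTLs."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init, init - ttl

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def triage(records, victim_port=23, min_syns=3):
    """Per claimed source: SYN volume and rate, SYN-ACKs reflected at it, and the flood's
    invariants. Constant TTL/window and no TCP options hints at (not proves) a packet generator."""
    syns = [r for r in records if r.get("flags", 0) & (SYN | ACK) == SYN and r.get("dport") == victim_port]
    synacks = [r for r in records if r.get("flags", 0) & (SYN | ACK) == SYN | ACK and r.get("sport") == victim_port]
    report = {}
    for src, n in Counter(r["src"] for r in syns).items():
        if n < min_syns:
            continue
        pkts = [r for r in syns if r["src"] == src]
        times = [to_seconds(r["time"]) for r in pkts]
        ttls = sorted({r["ttl"] for r in pkts})
        report[src] = {
            "syns": n, "syn_rate": round(n / max(max(times) - min(times), 1e-3), 1),
            "synacks_reflected": sum(r["dst"] == src for r in synacks),
            "source_ports": len({r["sport"] for r in pkts}),
            "ttl": ttls, "hops": [hop_estimate(t)[1] for t in ttls],
            "tos": sorted({r["tos"] for r in pkts}), "window": sorted({r["window"] for r in pkts}),
            "tcp_options": any(r["tcp_options"] for r in pkts),
        }
    return report
```

Run `triage(parse_snoop(open("capture.txt").read()))` on a real `snoop -v` dump (or on `build_sample()` for the constructed one). The report for 216.111.239.187 shows what the post's two packets already suggest: every SYN-ACK the server emits is reflected at wrist.org, the SYNs share TTL 237 (18 hops from a 255 initial TTL), TOS 0x08 and a 65535 window, and none carries an MSS option, whereas the server's own SYN-ACK does. Those invariants are the filter an upstream ISP can apply at its border, and the hop count is the starting point for asking each provider in turn which interface the packets enter on.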