Firewall Wizards mailing list archives
Re: Tracking down spoofing SYN flood attackers?
From: David Pick <d.m.pick () qmul ac uk>
Date: Sat, 18 Jan 2003 10:09:32 +0000
> For what we believe has been a few days (we finally tracked it all down this morning, have been having weirdness for a while due to our firewall being flooded with TCP connects), someone has been sending tons of port 23 packets to one of our servers in Scotland, with a source address of wrist.org (216.111.239.187). We're trying to have the ISP block the packets upstream, and I also got in contact with a wrist.org admin via their DNS contact info. The attack is being spoofed; it's not actually coming from wrist.org. They don't even have a machine at this address which is capable of sending out telnet (TCP/23) packets. He said I was one of dozens of people who have called. Someone doesn't like wrist.org.
>
> As for us, it's not a huge deal. We'll likely be able to have the ISP cut off the traffic before it hits our firewall. But this poor guy is getting hammered, and I don't know how he's ever going to find out who's doing it, or make it stop. My question is how would one go about tracking this down and stopping it?
The only way *I* know is to track the offending traffic backwards from router to router. This is tedious work and can (usually) only be done by the manager(s) of the routers involved. There is the problem of getting the network managers in each ISP and transit provider to do the work *and release the results*.

It can be easier if the requests come from a Law Enforcement Agency, but someone has to get one of *them* to take the issue seriously enough to act; and then you get cross-border problems (more than when ISP is talking to ISP). A concerted action/complaint from *all* the people affected (wrist.org *plus* each of the attacked sites who have contacted wrist.org) may stand a better chance of getting action either from a LEA or directly from the ISPs.

This is a frequent problem; each incident is rarely big enough on its own to provoke serious effort, but the cumulative effect is non-trivial. Many "Mom-and-Pop" "ISP"s don't have the expertise to do the necessary work.

However, the work could be considerably reduced if the major high-level switching centres were able to do "spot checks" and identify traffic that was coming from the "wrong" *reverse* path according to the BGP AS data that they have to have as part of the Internet backbone. (Even better if they would just block it anyway; even better if edge ISPs didn't allow it onto the Internet in the first place!)

I know that traffic can be routed asymmetrically, and that it is necessary to allow for rerouting in failure modes, but I'm sure it *could* be done if there was enough will to tackle the problem. After all, RPF is an essential part of multicast handling...

-- 
David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
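The reverse-path "spot check" described above is what unicast RPF (uRPF, RFC 3704) does on a router: before forwarding a packet, look up the route *back to its source address* and compare it with the interface the packet came in on. The following Python model is an added example, not code from the original thread or from any router vendor; it runs strict and loose uRPF against a constructed forwarding table and a constructed packet sample. The interface names (eth0 upstream, eth1/eth2 customers) and the RFC 5737 documentation prefixes are assumptions; 216.111.239.187 is the spoofed source address named in the post.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed forwarding table (FIB) for a hypothetical ISP edge router. The prefixes
# are RFC 5737 documentation ranges chosen for this example, not taken from the post.
# Each entry is (prefix, outgoing interface); interface None marks a null/blackhole route.
FIB: List[Tuple[str, Optional[str]]] = [
    ("0.0.0.0/0", "eth0"),        # default route towards the upstream transit provider
    ("203.0.113.0/24", "eth1"),   # customer A's prefix, reachable via eth1
    ("198.51.100.0/24", "eth2"),  # customer B's prefix, reachable via eth2
    ("192.0.2.0/24", None),       # blackholed prefix (e.g. a bogon, or a victim under attack)
]


def lookup(src: str, fib=FIB) -> Optional[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    """Longest-prefix match for src. Returns (network, interface), or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(src: str, ingress: str, fib=FIB, allow_default: bool = False) -> bool:
    """Strict uRPF: accept only if the best route *back to* src leaves through the
    interface the packet arrived on. Right for single-homed customer ports; it
    misfires under asymmetric routing, which is the caveat raised in the post."""
    match = lookup(src, fib)
    if match is None:
        return False
    net, iface = match
    if iface is None:
        return False                       # blackholed source: never legitimate
    if net.prefixlen == 0 and not allow_default:
        return False                       # a bare default route proves nothing about src
    return iface == ingress


def urpf_loose(src: str, fib=FIB, allow_default: bool = False) -> bool:
    """Loose uRPF: accept if *any* usable route to src exists, whatever the interface.
    Survives asymmetric paths, but only catches unrouted (bogon) or blackholed sources."""
    match = lookup(src, fib)
    if match is None:
        return False
    net, iface = match
    if iface is None:
        return False
    if net.prefixlen == 0 and not allow_default:
        return False
    return True


# Constructed sample of packets seen on the router: (source address, ingress interface).
PACKETS = [
    ("203.0.113.10", "eth1"),     # customer A, arriving on its own port
    ("216.111.239.187", "eth1"),  # customer A's port, but claiming to be wrist.org (spoof)
    ("198.51.100.7", "eth1"),     # customer B's address arriving on customer A's port
    ("203.0.113.10", "eth0"),     # our own customer's address arriving from upstream
    ("192.0.2.5", "eth0"),        # blackholed source arriving from upstream
]


def audit(packets=PACKETS, fib=FIB):
    """Return {(src, ingress): (strict_verdict, loose_verdict)} for each sampled packet.
    On the upstream port (eth0) the default route must be allowed, otherwise every
    inbound Internet packet would fail the check; customer ports get the plain check."""
    verdicts = {}
    for src, ingress in packets:
        upstream = ingress == "eth0"
        strict = urpf_strict(src, ingress, fib, allow_default=upstream)
        loose = urpf_loose(src, fib, allow_default=upstream)
        verdicts[(src, ingress)] = (strict, loose)
    return verdicts


if __name__ == "__main__":
    for (src, ingress), (strict, loose) in audit().items():
        print(f"{src:>16} on {ingress}: strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}")
```

Run stand-alone, the audit shows the trade-off the post alludes to: strict mode on the customer port drops the wrist.org spoof (its only route is the default via eth0), but it also drops customer B's address arriving on customer A's port, which is either a spoof or a legitimate asymmetric path; loose mode passes that packet and rejects only the blackholed source. Strict mode with the default route allowed on the upstream port still catches packets that claim one of the router's own customer prefixes, the "wrong reverse path" case that a transit switching centre could spot from its BGP data.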
Current thread:
- Tracking down spoofing SYN flood attackers? Stewart, John (Jan 17)
- Re: Tracking down spoofing SYN flood attackers? David Pick (Jan 18)
- Re: Tracking down spoofing SYN flood attackers? Mikael Olsson (Jan 18)