Full Disclosure mailing list archives

RE: RE: Attack profiling tool?


From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
Date: Fri, 11 Jul 2003 19:03:15 +0100

-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: 11 July 2003 17:37
To: Gareth Blades
Cc: Fulldisclosure
Subject: RE: [Full-disclosure] RE: Attack profiling tool?



As to which tool is enacting the SYN flood, it could be one of many; there
are quite a few tools that can do SYN flood attacks, which these appear to
be.  What is interesting also are the ICMPs that were displayed as
well...

It is more of a connection flood, as the client is responding to the SYN-ACK
packets. The most well-known connection flood tool is Naptha, but this is not
like Naptha, as it closes the connections normally when it finishes.

The ICMP messages are actually Port-Unreachable responses from our web
servers, but iptables is configured to block HTTPS on these as we don't use
it. Because we also provide details on the TCP connection the ICMP response
applies to, it can make those lines quite confusing until you work out what
it is trying to tell you :)

But, to point directly at some tool/toy that is being used, you'd perhaps
need to gather a number of these, test and monitor while doing so to
find out which might be the one you are observing.  You might google some
of the various attack signature sites on the net looking for similar
logged traffic to narrow the search some.  Additionally, next time you see
the attack in progress, you might probe the attacking system to narrow down
the OS and again serve to limit your search to tools/toys that play on
that particular OS...

Because there are only 3 connection attempts which are blocked over the
course of a minute or so, it is so minor we don't get notified. We only know
at the end of the day when we get emailed a summary. I checked the first
attack a while ago and it was an Apache server running some kind of
enterprise website admin tool. Not something you should have wide open to
the Internet! I expect the machine was compromised via the Apache SSL
exploit.

Regards
Gareth


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
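The distinction drawn in the exchange above (a SYN flood leaves half-open connections because the client never answers the SYN-ACK, whereas a connection flood completes the handshake and, in the case described, closes normally) and the ICMP Port-Unreachable responses that iptables generates for the blocked HTTPS port can all be told apart mechanically from a packet trace. The following is an added example, not code from the original thread or from either poster; the packet trace, the addresses and the `Pkt` / `classify_sources` names are constructed for illustration and are not taken from the page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    """One packet summary (constructed format, not a real capture format).
    For proto == "icmp" the message is sent by the server to the client, and
    sport/dport are the client-side and server-side ports of the TCP header
    quoted inside the ICMP payload, i.e. the connection the ICMP refers to."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"   # "tcp" or "icmp"
    flags: str = ""      # TCP flag letters (S, A, F, R) or "port-unreachable"


WEB = "192.0.2.10"   # constructed web server address (documentation range)


def build_trace():
    """Constructed trace with three sources behaving differently."""
    trace = []
    # 10.0.0.5: SYNs are answered with SYN-ACK, but the client never ACKs
    # (half-open connections, the classic SYN flood pattern).
    for i in range(5):
        t = i * 0.01
        trace.append(Pkt(t, "10.0.0.5", 40000 + i, WEB, 80, flags="S"))
        trace.append(Pkt(t + 0.001, WEB, 80, "10.0.0.5", 40000 + i, flags="SA"))
    # 10.0.0.7: completes the handshake, holds the socket, then closes with
    # FIN (a connection flood that closes its connections normally).
    for i in range(5):
        t = 1.0 + i * 0.01
        trace.append(Pkt(t, "10.0.0.7", 50000 + i, WEB, 80, flags="S"))
        trace.append(Pkt(t + 0.001, WEB, 80, "10.0.0.7", 50000 + i, flags="SA"))
        trace.append(Pkt(t + 0.002, "10.0.0.7", 50000 + i, WEB, 80, flags="A"))
        trace.append(Pkt(t + 0.5, "10.0.0.7", 50000 + i, WEB, 80, flags="FA"))
        trace.append(Pkt(t + 0.501, WEB, 80, "10.0.0.7", 50000 + i, flags="FA"))
    # 10.0.0.9: three SYNs to 443 spread over a minute; the firewall answers
    # each with ICMP port-unreachable (REJECT) instead of a SYN-ACK.
    for i in range(3):
        t = 2.0 + i * 20
        trace.append(Pkt(t, "10.0.0.9", 60000 + i, WEB, 443, flags="S"))
        trace.append(Pkt(t + 0.001, WEB, 60000 + i, "10.0.0.9", 443,
                         proto="icmp", flags="port-unreachable"))
    return trace


def classify_sources(trace, min_syns=3):
    """Walk the trace in time order, track each client->server flow's
    handshake state, and give a verdict per source address."""
    flows = {}   # (client, cport, server, sport) -> state
    stats = defaultdict(lambda: dict(syn=0, established=0, fin_closed=0,
                                     reset=0, rejected=0))
    for p in sorted(trace, key=lambda x: x.t):
        if p.proto == "icmp":
            # Map the ICMP back to the flow named by its quoted TCP header.
            key = (p.dst, p.sport, p.src, p.dport)
            if p.flags == "port-unreachable" and key in flows:
                flows[key] = "rejected"
                stats[key[0]]["rejected"] += 1
            continue
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "S" in p.flags and "A" not in p.flags:      # client SYN
            flows[fwd] = "syn_sent"
            stats[p.src]["syn"] += 1
        elif "S" in p.flags and "A" in p.flags:        # server SYN-ACK
            if flows.get(rev) == "syn_sent":
                flows[rev] = "syn_received"
        elif "R" in p.flags:                            # reset from either side
            key = fwd if fwd in flows else rev
            if key in flows and flows[key] != "reset":
                flows[key] = "reset"
                stats[key[0]]["reset"] += 1
        elif "F" in p.flags:                            # orderly close
            key = fwd if fwd in flows else rev
            if flows.get(key) == "established":
                flows[key] = "fin_closed"
                stats[key[0]]["fin_closed"] += 1
        elif "A" in p.flags:                            # third handshake packet
            if flows.get(fwd) == "syn_received":
                flows[fwd] = "established"
                stats[p.src]["established"] += 1
    verdicts = {}
    for src, c in stats.items():
        if c["syn"] < min_syns:
            verdicts[src] = "normal"
        elif c["rejected"] == c["syn"]:
            verdicts[src] = "blocked-port probes"
        elif c["established"] == 0:
            verdicts[src] = "syn flood (half-open)"
        elif c["fin_closed"] == c["established"]:
            verdicts[src] = "connection flood, closed normally"
        else:
            verdicts[src] = "connection flood, abandoned"
    return verdicts, {k: dict(v) for k, v in stats.items()}


if __name__ == "__main__":
    verdicts, stats = classify_sources(build_trace())
    for src in sorted(verdicts):
        print(src, verdicts[src], stats[src])
```

The verdict hinges on the third handshake packet: if SYN-ACKs go unanswered the source is leaving half-open connections, while a source whose flows reach "established" and then end in FIN is doing what Gareth describes, completing and then normally closing each connection. The ICMP branch only makes sense when the firewall uses REJECT rather than DROP; with DROP there is no Port-Unreachable to correlate and the blocked attempts would look like unanswered SYNs.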