Full Disclosure mailing list archives
RE: RE: Attack profiling tool?
From: "Gareth Blades" <list.fulldisclosure () webscreen-technology com>
Date: Fri, 11 Jul 2003 19:03:15 +0100
-----Original Message-----
From: Ron DuFresne [mailto:dufresne () winternet com]
Sent: 11 July 2003 17:37
To: Gareth Blades
Cc: Fulldisclosure
Subject: RE: [Full-disclosure] RE: Attack profiling tool?

As to which tool is enacting the syn flood, it could be one of many, there are quite a few tools that can do syn flood attacks, which these appear to be. What is interesting also are the ICMPs that were displayed as well...
It is more of a connection flood as the client is responding to the SYN-ACK packets. The most well known connection flood tool is Naptha but this is not like Naptha as it closes the connections normally when it finishes. The ICMP messages are actually Port-Unreachable responses from our web servers but iptables is configured to block HTTPS on these as we don't use it. Because we also provide details on the TCP connection the ICMP response applies to, it can make those lines quite confusing until you work out what it is trying to tell you :)
But, to point directly at some tool/toy that is being used, you'd perhaps need to gather a number of these, test and monitor while doing so to find out which might be the one you are observing. You might google some of the various attack signature sites on the net looking for similar logged traffic to narrow the search some. Additionally, next time you see the attack in progress, you might probe the attacking system to narrow down the OS and again serve to limit your search to tools/toys that play on that particular OS...
Because there are only 3 connection attempts which are blocked over the course of a minute or so, it is so minor we don't get notified. We only know at the end of the day when we get emailed a summary. I checked the first attack a while ago and it was an Apache server running some kind of enterprise website admin tool. Not something you should have wide open to the Internet! I expect the machine was compromised via the Apache SSL exploit.

Regards
Gareth

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
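The distinction Gareth draws above (a connection flood completes the three-way handshake and closes normally, a SYN flood leaves SYN-ACKs unanswered) can be checked from a packet log. The following is an added example, not code from the thread or from any tool named in it; it tracks handshake state per client-initiated connection over a constructed sample and labels each client IP by the pattern its connections show.

```python
from collections import Counter

# Constructed sample packets (not from the thread), "time src:port -> dst:port flags".
# 10.0.0.5 completes each handshake and closes with FIN; 10.0.0.9 never ACKs the SYN-ACK.
SAMPLE = """
0.000 10.0.0.5:40001 -> 192.0.2.10:80 S
0.001 192.0.2.10:80 -> 10.0.0.5:40001 SA
0.002 10.0.0.5:40001 -> 192.0.2.10:80 A
0.300 10.0.0.5:40001 -> 192.0.2.10:80 FA
0.010 10.0.0.5:40002 -> 192.0.2.10:80 S
0.011 192.0.2.10:80 -> 10.0.0.5:40002 SA
0.012 10.0.0.5:40002 -> 192.0.2.10:80 A
0.310 10.0.0.5:40002 -> 192.0.2.10:80 FA
0.030 10.0.0.9:50001 -> 192.0.2.10:80 S
0.031 192.0.2.10:80 -> 10.0.0.9:50001 SA
0.040 10.0.0.9:50002 -> 192.0.2.10:80 S
0.041 192.0.2.10:80 -> 10.0.0.9:50002 SA
"""

def track_handshakes(log_text):
    """Furthest state each client-initiated connection reached: syn -> synack -> established -> closed."""
    state = {}  # (client, server) -> state
    for line in log_text.strip().splitlines():
        _, src, _, dst, flags = line.split()
        if flags == "S":                                              # client SYN opens the record
            state[(src, dst)] = "syn"
        elif flags == "SA" and state.get((dst, src)) == "syn":        # server SYN-ACK, keyed by client side
            state[(dst, src)] = "synack"
        elif "F" in flags and state.get((src, dst)) == "established":  # client FIN: orderly close
            state[(src, dst)] = "closed"
        elif flags == "A" and state.get((src, dst)) == "synack":       # client ACK completes the handshake
            state[(src, dst)] = "established"
    return state

def profile(log_text):
    """Per client IP: 'full-connect' when every connection completed the handshake
    (connection-flood shape), 'half-open' when none did (SYN-flood shape), else 'mixed'."""
    per_ip = {}
    for (client, _), s in track_handshakes(log_text).items():
        per_ip.setdefault(client.rsplit(":", 1)[0], Counter())[s] += 1
    labels = {}
    for ip, c in per_ip.items():
        total = sum(c.values())
        if c["established"] + c["closed"] == total:
            labels[ip] = "full-connect"
        elif c["syn"] + c["synack"] == total:
            labels[ip] = "half-open"
        else:
            labels[ip] = "mixed"
    return labels
```

Feeding a real capture through this (one line per packet in the same shape) separates the "Naptha-like but closes cleanly" pattern from a half-open flood before any tool fingerprinting is attempted.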