Security Incidents mailing list archives

Likely Answer: TCP connections to port 1024 - DDoS?


From: Richard Bejtlich <bejtlich () ALTAVISTA NET>
Date: Thu, 26 Oct 2000 00:05:18 -0000

Hello,

I believe I can explain the traffic Abe Getchell and 
Mike Lewinski reported on the securityfocus.com 
Incidents list and on the 25 Oct 00 SANS GIAC page. 

This traffic is most likely being generated by a Cisco 
Distributed Director load balancing manager.  It is 
conducting round trip time or latency testing.  I first 
publicized this signature almost one year ago exactly 
(28 Oct 99) in my "Interpreting Network Traffic" 
paper.  Here is a very brief sample from that paper:

06:01:16.999359 mayfield.ohio.net.44132 > name1.server.net.53: S 10399587:10399587(0) ack 10399586 win 4128 <mss 556> (ttl 241, id 0)
06:01:17.498365 mayfield.ohio.net.44133 > name2.server.net.53: S 10399588:10399588(0) ack 10399587 win 4128 <mss 556> (ttl 241, id 0)
06:01:18.528689 mayfield.ohio.net.44135 > name1.server.net.53: S 10399590:10399590(0) ack 10399589 win 4128 <mss 556> (ttl 241, id 0)

06:01:14.967214 greenbelt.maryland.net.63604 > name1.server.net.53: S 34541003:34541003(0) ack 34541002 win 4128 <mss 556> (ttl 249, id 0)
06:01:17.461642 greenbelt.maryland.net.63607 > name2.server.net.53: S 34541006:34541006(0) ack 34541005 win 4128 <mss 556> (ttl 249, id 0)
06:01:18.503320 greenbelt.maryland.net.63609 > name1.server.net.53: S 34541008:34541008(0) ack 34541007 win 4128 <mss 556> (ttl 249, id 0)

The key point here is the SYN and ACK numbers 
differ by one.  For example, the first packet has SYN 
10399587 and ACK 10399586.  This can never 
happen "in nature," as it represents two individual, 
separate machines selecting impossibly similar 
numbers to count bytes of data transmitted.

This signature can make one consider third party 
SYN flood effects, as noted by Dave Dittrich (who 
missed my SANS talk but knows the material!)  With 
third party effects, though, the SYN and ACK 
numbers will never be so similar, as they are 
independently selected (by flooder and floodee).

As a final point, I would posit that no one can conduct 
reconnaissance for listening services with the ACK bit 
set.

For more information, please see the papers posted 
at http://bejtlich.net

Sincerely,

Richard Bejtlich

---

Hey all,
      Has anybody seen some kind of odd DDoS attack in which a number of
zombie machines try and open TCP connections to port 1024 on the target
machine?
Thanks,
Abe
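
The signature Bejtlich describes (a SYN with the ACK bit set whose acknowledgement number is exactly one less than its own sequence number) is easy to check mechanically. The following is an added example written for this archive page, not code from the original post or from Cisco: it parses old-style one-line tcpdump output of the kind quoted above, classifies each SYN, and separates the Distributed Director RTT probe from an ordinary SYN or a SYN/ACK (including third-party backscatter, where the ack is the flooder's sequence plus one and the seq is independently chosen). The sample capture is constructed: the first three lines mirror the quoted packets, the `client.example.net` / `victim.example.net` lines and their numbers are invented negative cases, and the `corroborated` fingerprint (id 0, win 4128, mss 556) simply re-checks the constants visible in the quoted capture.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the one-line tcpdump format quoted in the post.
# Lines 1-3 mirror the capture above; lines 4-5 are an invented plain SYN and
# the SYN/ACK a server would return for it (also what backscatter from a
# spoofed SYN flood looks like), so the detector has cases it must NOT flag.
SAMPLE_CAPTURE = """\
06:01:16.999359 mayfield.ohio.net.44132 > name1.server.net.53: S 10399587:10399587(0) ack 10399586 win 4128 <mss 556> (ttl 241, id 0)
06:01:17.498365 mayfield.ohio.net.44133 > name2.server.net.53: S 10399588:10399588(0) ack 10399587 win 4128 <mss 556> (ttl 241, id 0)
06:01:14.967214 greenbelt.maryland.net.63604 > name1.server.net.53: S 34541003:34541003(0) ack 34541002 win 4128 <mss 556> (ttl 249, id 0)
06:02:01.000001 client.example.net.40001 > victim.example.net.1024: S 2000000000:2000000000(0) win 8192 <mss 1460> (ttl 128, id 4321)
06:02:01.000400 victim.example.net.1024 > client.example.net.40001: S 987654321:987654321(0) ack 2000000001 win 16384 <mss 1460> (ttl 64, id 7)
"""

# One tcpdump line: time src > dst: FLAGS seq:seqend(len) [ack N] win W [<opts>] (ttl T, id I)
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):\d+\(\d+\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"\s+\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+)\)"
)


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    flags: str
    seq: int
    ack: Optional[int]
    win: int
    ttl: int
    ip_id: int
    mss: Optional[int]


def _split_endpoint(endpoint: str):
    # tcpdump prints host.port; the port is everything after the last dot.
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = _split_endpoint(m["src"])
    dst_host, dst_port = _split_endpoint(m["dst"])
    mss = None
    if m["opts"]:
        om = re.search(r"mss\s+(\d+)", m["opts"])
        if om:
            mss = int(om.group(1))
    return Packet(m["ts"], src_host, src_port, dst_host, dst_port, m["flags"],
                  int(m["seq"]), int(m["ack"]) if m["ack"] else None,
                  int(m["win"]), int(m["ttl"]), int(m["id"]), mss)


def classify(p: Packet) -> str:
    """Label a packet by the SYN/ACK relationship the post describes."""
    if "S" not in p.flags:
        return "other"
    if p.ack is None:
        return "syn"            # ordinary connection attempt
    if p.ack == p.seq - 1:
        return "rtt-probe"      # ack == seq - 1: never produced by two real peers
    return "syn-ack"            # handshake reply or third-party backscatter


def corroborated(p: Packet) -> bool:
    """Secondary fingerprint: the constants seen in the quoted capture."""
    return p.ip_id == 0 and p.win == 4128 and p.mss == 556


def find_rtt_probes(capture: str) -> List[Packet]:
    pkts = (parse_line(line) for line in capture.splitlines())
    return [p for p in pkts if p is not None and classify(p) == "rtt-probe"]


def probe_sources(capture: str) -> Dict[str, int]:
    """Count probes per source host, which is what you would report upstream."""
    counts: Dict[str, int] = {}
    for p in find_rtt_probes(capture):
        counts[p.src_host] = counts.get(p.src_host, 0) + 1
    return counts


if __name__ == "__main__":
    for p in find_rtt_probes(SAMPLE_CAPTURE):
        print(f"{p.ts} {p.src_host}:{p.src_port} -> {p.dst_host}:{p.dst_port} "
              f"seq={p.seq} ack={p.ack} fingerprint={'yes' if corroborated(p) else 'no'}")
    print(probe_sources(SAMPLE_CAPTURE))
```

Run it against a saved `tcpdump -n`-less capture in this format (or adapt `LINE_RE` for newer tcpdump output, which prints `Flags [S.]` and `seq`/`ack` keywords differently). The primary test is the `ack == seq - 1` relationship; the window, MSS and IP id values are only corroboration and should not be used on their own, since other stacks can share them.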

