Security Incidents mailing list archives
Likely Answer: TCP connections to port 1024 - DDoS?
From: Richard Bejtlich <bejtlich () ALTAVISTA NET>
Date: Thu, 26 Oct 2000 00:05:18 -0000
Hello,

I believe I can explain the traffic Abe Getchell and Mike Lewinski reported on the securityfocus.com Incidents list and on the 25 Oct 00 SANS GIAC page. This traffic is most likely being generated by a Cisco Distributed Director load balancing manager. It is conducting round trip time or latency testing. I first publicized this signature almost one year ago exactly (28 Oct 99) in my "Interpreting Network Traffic" paper. Here is a very brief sample from that paper:

06:01:16.999359 mayfield.ohio.net.44132 > name1.server.net.53: S 10399587:10399587(0) ack 10399586 win 4128 <mss 556> (ttl 241, id 0)
06:01:17.498365 mayfield.ohio.net.44133 > name2.server.net.53: S 10399588:10399588(0) ack 10399587 win 4128 <mss 556> (ttl 241, id 0)
06:01:18.528689 mayfield.ohio.net.44135 > name1.server.net.53: S 10399590:10399590(0) ack 10399589 win 4128 <mss 556> (ttl 241, id 0)

06:01:14.967214 greenbelt.maryland.net.63604 > name1.server.net.53: S 34541003:34541003(0) ack 34541002 win 4128 <mss 556> (ttl 249, id 0)
06:01:17.461642 greenbelt.maryland.net.63607 > name2.server.net.53: S 34541006:34541006(0) ack 34541005 win 4128 <mss 556> (ttl 249, id 0)
06:01:18.503320 greenbelt.maryland.net.63609 > name1.server.net.53: S 34541008:34541008(0) ack 34541007 win 4128 <mss 556> (ttl 249, id 0)

The key point here is the SYN and ACK numbers differ by one. For example, the first packet has SYN 10399587 and ACK 10399586. This can never happen "in nature," as it represents two individual, separate machines selecting impossibly similar numbers to count bytes of data transmitted.

This signature can make one consider third party SYN flood effects, as noted by Dave Dittrich (who missed my SANS talk but knows the material!). With third party effects, though, the SYN and ACK numbers will never be so similar, as they are independently selected (by flooder and floodee).

As a final point, I would posit that no one can conduct reconnaissance for listening services with the ACK bit set.
For more information, please see the papers posted at http://bejtlich.net

Sincerely,

Richard Bejtlich

---
> Hey all,
>
> Has anybody seen some kind of odd DDoS attack in which a number of
> zombie machines try and open TCP connections to port 1024 on the target
> machine?
>
> Thanks,
> Abe
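The "ACK is one less than SEQ" signature described in the message above, as an added detection example that is not part of the original post or of any Cisco or SANS material: a parser for the old-style tcpdump lines quoted in the post, and a check that flags SYN/ACK packets whose acknowledgment number is exactly one below their own sequence number. The six probe lines are the ones quoted in the post; the two "ordinary" lines and the example.net host names are constructed here for contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Old-style tcpdump TCP line, the format quoted in the post:
#   time src.port > dst.port: FLAGS seq:seq_end(len) [ack N] win W [<opts>] [(ttl T, id I)]
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+"
    r"(?P<seq>\d+):(?P<seq_end>\d+)\(\d+\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
    r"\s+win\s+(?P<win>\d+)"
    r"(?:\s+<(?P<opts>[^>]*)>)?"
    r"(?:\s+\(ttl\s+(?P<ttl>\d+),\s+id\s+(?P<ipid>\d+)\))?"
)


@dataclass
class TcpPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int
    ack: Optional[int]   # None when the ACK bit is not set (no "ack N" field)
    win: int
    ttl: Optional[int]
    ipid: Optional[int]


def parse_line(line: str) -> Optional[TcpPacket]:
    """Parse one tcpdump line; return None for lines not in this TCP format."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None

    def opt_int(key: str) -> Optional[int]:
        return int(m.group(key)) if m.group(key) is not None else None

    return TcpPacket(
        ts=m.group("ts"), src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")), flags=m.group("flags"),
        seq=int(m.group("seq")), ack=opt_int("ack"), win=int(m.group("win")),
        ttl=opt_int("ttl"), ipid=opt_int("ipid"),
    )


def is_seq_ack_adjacent_synack(pkt: TcpPacket) -> bool:
    """The post's signature: SYN and ACK both set, and ack == seq - 1.

    Two independent hosts each choose their own ISN, so a genuine SYN/ACK
    carries an ack number unrelated to its own seq. A difference of exactly
    one means a single box wrote both numbers, as the latency probe does.
    """
    if "S" not in pkt.flags or pkt.ack is None:
        return False
    # Modular arithmetic so a wrapped 32-bit sequence space still matches.
    return (pkt.seq - pkt.ack) % (1 << 32) == 1


def find_probes(lines: List[str]) -> List[TcpPacket]:
    pkts = [p for p in map(parse_line, lines) if p is not None]
    return [p for p in pkts if is_seq_ack_adjacent_synack(p)]


def probes_by_source(lines: List[str]) -> Dict[str, int]:
    """Count matching packets per source host, to see which probers are active."""
    return dict(Counter(p.src for p in find_probes(lines)))


# First six lines: the sample quoted in the post. Last two: constructed here
# (the example.net hosts are made up) to show what is NOT flagged.
SAMPLE_LINES = [
    "06:01:16.999359 mayfield.ohio.net.44132 > name1.server.net.53: S 10399587:10399587(0) ack 10399586 win 4128 <mss 556> (ttl 241, id 0)",
    "06:01:17.498365 mayfield.ohio.net.44133 > name2.server.net.53: S 10399588:10399588(0) ack 10399587 win 4128 <mss 556> (ttl 241, id 0)",
    "06:01:18.528689 mayfield.ohio.net.44135 > name1.server.net.53: S 10399590:10399590(0) ack 10399589 win 4128 <mss 556> (ttl 241, id 0)",
    "06:01:14.967214 greenbelt.maryland.net.63604 > name1.server.net.53: S 34541003:34541003(0) ack 34541002 win 4128 <mss 556> (ttl 249, id 0)",
    "06:01:17.461642 greenbelt.maryland.net.63607 > name2.server.net.53: S 34541006:34541006(0) ack 34541005 win 4128 <mss 556> (ttl 249, id 0)",
    "06:01:18.503320 greenbelt.maryland.net.63609 > name1.server.net.53: S 34541008:34541008(0) ack 34541007 win 4128 <mss 556> (ttl 249, id 0)",
    # ordinary SYN/ACK from a server: its seq and the client's ISN are unrelated
    "06:01:20.000000 web.example.net.80 > client.example.net.51234: S 2882399347:2882399347(0) ack 1713000001 win 8760 <mss 1460> (ttl 58, id 21098)",
    # ordinary SYN: no "ack" field, so the ACK bit is clear
    "06:01:21.000000 client.example.net.51235 > web.example.net.80: S 1713000100:1713000100(0) win 16384 <mss 1460> (ttl 64, id 312)",
]

if __name__ == "__main__":
    for p in find_probes(SAMPLE_LINES):
        print(f"{p.ts} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"seq={p.seq} ack={p.ack} ttl={p.ttl} id={p.ipid}")
    print(probes_by_source(SAMPLE_LINES))
```

Run against the sample, the six probe lines match and the two ordinary lines do not; the per-source summary shows three probes each from the two Distributed Director hosts. The constant window, MSS and IP ID visible in the quoted lines are parsed too, but the check deliberately keys only on the seq/ack relationship the post identifies as the discriminator.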
Current thread:
- Likely Answer: TCP connections to port 1024 - DDoS? Richard Bejtlich (Oct 27)