Security Incidents mailing list archives

Re: SYN Flood attack with sequential destination ports?

From: Jason Giglio <jgiglio () netmar com>
Date: Thu, 8 Nov 2001 13:38:45 -0500

On Thu, 08 Nov 2001 12:55:04 -0500
Joshua Wright <Joshua.Wright () jwu edu> wrote:

I am working with some folks at a partner network who are seeing a SYN flood
attack to a single destination address.

The interesting characteristic is the destination port is sequential - each
phase of attack starting at 3039 and ending arouind 34431.

I checked the source for synful.c, syn4k.c and a few others - all seem to
use a random or fixed destination port.  Any ideas on what tool this could
be?


Synful.c... syn4k.c... Those are C source files right?

Two lines of code change that random or fixed port into a sequential port attack.  I don't think For loops are over the 
heads of most script kiddies.

Thanks.

-Joshua Wright, GCIH
Joshua.Wright () jwu edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



-- 
Jason Giglio
Information Technology Coordinator, Smyth Companies, Bedford VA

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

SYN Flood attack with sequential destination ports? Joshua Wright (Nov 08)
- Re: SYN Flood attack with sequential destination ports? Jason Giglio (Nov 08)
- Re: SYN Flood attack with sequential destination ports? Joerg Over (Nov 09)
- <Possible follow-ups>
- RE: SYN Flood attack with sequential destination ports? Joshua Wright (Nov 09)