Security Incidents mailing list archives
Re: Port 80 SYN flood-like behavior
From: Dave Dittrich <dittrich () cac washington edu>
Date: Thu, 14 Feb 2002 15:40:25 -0800 (PST)
> > What you are describing exactly fits the description of a "midpoint server" participating in a new form of Distributed Denial of Service attack.
>
> No, he said the Source IP changes over time and did/do not remain constant.
I read that to mean that the intermediary was seeing reflected SYN {ACK|RST} packets directed at *different* targets over time (most attacks only last a few minutes at a time). In Steve's case, the attackers directed the attack only at grc.com for an extended period of time. Two different attackers, with two different MOs.
> If it would have been the same "attack" then your source IP should remain the same, constant, i.e. in your case the grc.com IP (or whatever IP you have), and by no means have the source of a dialup, except someone is using "decoys" to hide the real "source", or in your view "target".
Some attacks are directed at dialups, as well as end hosts. They usually are trying to take out an entire IRC channel's worth of clients, as well as the IRC servers, to do a "takeover".
> > Briefly, the idea is that a spoofed source IP SYN flood is gently spread across a LARGE number of TCP servers. Each of the many servers replies with SYN/ACK packets ... aimed at the attack's intended target.
>
> Or RST for instance if the port is closed. Read: Spoofed Packet
Right. Spoofing is what allows the reflection to work. The reflection is blindly done against any of a number of services believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a router, as in Steve's case). Some routers don't have all services running, so SYN RSTs are sent. Others do, so you only see SYN ACKs sent out.

--
Dave Dittrich                     Computing & Communications
dittrich () cac washington edu    University Computing Services
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
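A defender-side check for the backscatter pattern this reply describes, added here as an example and not code from the thread or from Dave Dittrich: given constructed packet records for a host whose address is being spoofed, it flags SYN/ACK and RST replies that match no connection the host opened, then groups them by reflector, separating ports that answered SYN/ACK (service running) from ports that answered RST (port closed). The addresses, the record layout and the function names are assumptions.

```python
from collections import defaultdict

# Constructed packet records: (src, sport, dst, dport, tcp_flags).
# 192.0.2.10 is the host whose address is being spoofed (the "target").
SAMPLE_PACKETS = [
    # A connection the host really opened: SYN out, SYN/ACK back, ACK out.
    ("192.0.2.10", 40001, "198.51.100.5", 80, "S"),
    ("198.51.100.5", 80, "192.0.2.10", 40001, "SA"),
    ("192.0.2.10", 40001, "198.51.100.5", 80, "A"),
    # Replies from midpoint servers the host never contacted.
    ("203.0.113.1", 80, "192.0.2.10", 1234, "SA"),  # HTTP open on reflector
    ("203.0.113.2", 22, "192.0.2.10", 1235, "SA"),  # SSH open on reflector
    ("203.0.113.3", 23, "192.0.2.10", 1236, "RA"),  # telnet closed -> RST
    ("203.0.113.4", 80, "192.0.2.10", 1237, "SA"),
    ("203.0.113.4", 80, "192.0.2.10", 1238, "SA"),  # same reflector twice
]

def find_backscatter(packets, local_ip):
    """Return SYN/ACK and RST packets to local_ip that answer no SYN it sent.

    A reply is solicited only if local_ip earlier sent a SYN to that exact
    (remote ip, remote port, local port) tuple. Anything else arrived
    because a spoofed SYN carrying local_ip reached that server, which
    answered SYN/ACK if the service is up or RST if the port is closed.
    """
    initiated = set()
    unsolicited = []
    for src, sport, dst, dport, flags in packets:
        if src == local_ip and flags == "S":
            initiated.add((dst, dport, sport))
        elif dst == local_ip and (flags == "SA" or "R" in flags):
            if (src, sport, dport) not in initiated:
                unsolicited.append((src, sport, dport, flags))
    return unsolicited

def summarize_reflectors(unsolicited):
    """Per reflector: packet count, ports that sent SYN/ACK, ports that sent RST."""
    summary = defaultdict(lambda: {"packets": 0, "open": set(), "closed": set()})
    for src, sport, _dport, flags in unsolicited:
        entry = summary[src]
        entry["packets"] += 1
        entry["closed" if "R" in flags else "open"].add(sport)
    return dict(summary)

def looks_reflected(summary, min_reflectors=3):
    """Many distinct unsolicited responders, not one flooding source, is the tell."""
    return len(summary) >= min_reflectors
```

Run against a real capture, the reflector list is what you hand to the midpoint operators; the open/closed split tells you which services on each midpoint were being bounced.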