Security Incidents mailing list archives
Re: Port 80 SYN flood-like behavior
From: "Matthew Leeds" <mleeds () theleeds net>
Date: Wed, 13 Feb 2002 17:11:42 -0800
We saw a similar event a few days ago. Turned out to be an attack against an IRC server company. Forged source address, and used our public web addresses as reflectors. Took the IRC server company off the air. Whomever was the source sprayed at least a class B with this stuff. ---Matthew *********** REPLY SEPARATOR *********** On 2/13/2002 at 3:54 PM Stuart Sheldon wrote:
Yes, we are seeing the same thing over here... It appears to be most effective when the attack is pointed at a subnet with a shared web server with many IP's bound to the same interface. This also could be an attempt to use these system's as a reflector to flood a particular IP address out on the web... Stu Sheldon "NESTING, DAVID M (SBCSI)" wrote:In the last few days I've been seeing what *looks* like a SYN floodattackon port 80 across all IP addresses on my network. However, if it's aflood,it's not a very strong one. Modest hardware is able to keep up with the incoming packets without a problem, but the steady flow of SYN packets is still a steady flow. (On a given system, the number of connections in a SYN_RECVD-ish state numbers 50-100.) The source IP addresses stayconstantfor a minute or two and then cease, sometimes as another IP addressstartssending its own stream of SYN packets, though occasionally more than one host will be sending traffic at a time. Source addresses are in avarietyof networks, but seem to be consistently dialup or similar typeconnections.It "feels" like an attempt at a denial-of-service attack, but why spreaditout over so many destination IP addresses (many of which have no Internet presence), and why would the flood be so weak as not to actually affect anything? Could this be an IDS allowing spoofed IP addresses through whilestrippingout a "dangerous" payload that might come along with the first ACKresponse?Or maybe a form of scan where the volume of response carries information they want? Has anyone seen something similar? David----------------------------------------------------------------------------This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com-- In a five year period we can get one superb programming language. Only we can't control when the five year period will begin. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Port 80 SYN flood-like behavior NESTING, DAVID M (SBCSI) (Feb 13)
- Re: Port 80 SYN flood-like behavior Stuart Sheldon (Feb 13)
- Re: Port 80 SYN flood-like behavior Matthew Leeds (Feb 13)
- Re: Port 80 SYN flood-like behavior Steve Gibson (Feb 13)
- Re: Port 80 SYN flood-like behavior Dave Dittrich (Feb 13)
- Re: Port 80 SYN flood-like behavior John Elliott (Feb 14)
- Re: Port 80 SYN flood-like behavior Dave (Feb 16)
- Re: Port 80 SYN flood-like behavior Dave Dittrich (Feb 13)
- Re: Port 80 SYN flood-like behavior Stuart Sheldon (Feb 13)
- Re: Port 80 SYN flood-like behavior Lewie Wolfgang (Feb 13)
- <Possible follow-ups>
- Re: Port 80 SYN flood-like behavior Thierry Zoller (Feb 14)
- Re: Port 80 SYN flood-like behavior Dave Dittrich (Feb 14)
- Message not available
- Re: Port 80 SYN flood-like behavior Steve Gibson (Feb 15)
- Re: Port 80 SYN flood-like behavior Steve Gibson (Feb 15)