Re: Port 80 SYN flood-like behavior

[Lewie Wolfgang <wolfgang () nosc mil>]

Hi David,

Yes, we see them here too.  It's all very strange.  

We started noticing them in early February, but a check 
of our raw header logs shows some activity as early as
January 15.  (That's the oldest log left)

We've noticed that they seem to be coming from a limited
range of IP's, maybe about a dozen.  Many of them seem
to be coming from universities.  I've notified several
of them and received feedback that they would block the
IP's and investigate further. 

We also see the sequence numbers being identical for a
large number of packets.   We saw traffic from one
IP in Korea that sent over 1,000,000 packets in a
one-hour period, but most are coming in a a rate of
10,000-30,000 per hour.  

We also notice one incident where the source and destination
ports were both #23.  

We've called it the "Stuttering SYN" attack.  Your observation
is the first that I've seen, and I've been looking for about 
a week now.  It's gratifying that others are seeing it too.

Regards,
Lew Wolfgang
SPAWARSYSCEN San Diego

On Wed, 13 Feb 2002, NESTING, DAVID M (SBCSI) wrote:

> In the last few days I've been seeing what *looks* like a SYN flood attack
> on port 80 across all IP addresses on my network.  However, if it's a flood,
> it's not a very strong one.  Modest hardware is able to keep up with the
> incoming packets without a problem, but the steady flow of SYN packets is
> still a steady flow.  (On a given system, the number of connections in a
> SYN_RECVD-ish state numbers 50-100.)  The source IP addresses stay constant
> for a minute or two and then cease, sometimes as another IP address starts
> sending its own stream of SYN packets, though occasionally more than one
> host will be sending traffic at a time.  Source addresses are in a variety
> of networks, but seem to be consistently dialup or similar type connections.
>
> It "feels" like an attempt at a denial-of-service attack, but why spread it
> out over so many destination IP addresses (many of which have no Internet
> presence), and why would the flood be so weak as not to actually affect
> anything?
>
> Could this be an IDS allowing spoofed IP addresses through while stripping
> out a "dangerous" payload that might come along with the first ACK response?
> Or maybe a form of scan where the volume of response carries information
> they want?  Has anyone seen something similar?
>
> David
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com