Security Incidents mailing list archives

Re: Port 7000 (Apple File Share) DoS/DDoS underway


From: Daniel Hanson <dhanson () securityfocus com>
Date: Wed, 22 Sep 2004 09:54:29 -0600 (MDT)

I will just interject quickly. The choice of flags would indicate to me
that perhaps you are seeing back scatter from a DDoS attack. For anyone
who hasn't encountered this situation:

Social deviant with collection of 50 hosts under his control decides he
doesn't like company X today. He turns the 50 hosts to attack a server on
that network but tells the 50 hosts to spoof the source address. He picks
your address as the source to be spoofed (or it's random). The SYNs go to
the target machine, which responds with a SYN-ACK to your IP address. The
presence of the RSTs may or may not be part of the actual conversation,
or another effect of some sort; I don't believe that a RST also coming to
you from that same connection is appropriate behaviour, but I don't have
TCP/IP Illustrated in front of me.

YMMV, I just thought I would throw it in as a possible explanation.

D

On Wed, 22 Sep 2004, Christine Kronberg wrote:

On Mon, 20 Sep 2004, David Gillett wrote:

 A handful of machines, nowhere near me (network prefixes
218, 211, and 61) seem to be sending a mix of SYN-ACK and
RST packets, all with a source port of 7000, to assorted
(random) addresses in my public Class B range.

   I have seen the very same for a longer period of time. But
   the "scanning" was not always random. Sometimes a customer's
   entire /16 network was scanned, sometimes only two hosts
   were the targets.

 I expect this means that someone is spoofing random source
addresses -- many of them in my range, but who knows how many
in others... -- and ports and SYN-flooding those half-dozen
machines.

   Out of curiosity I scanned the sending host with nmap (from
   my own computer) just to find (after an endless time) nearly
   every port open. I remember having read something about it but
   forgot the details.
   My explanation was/is that the host sending these packets
   (it was indeed in most cases the same IP) was owned and "opened"
   for scanning by whoever wanted to do that.
   If someone can come up with a better explanation I'd love
   to hear it. :-)

   Cheers,


                                              Chris Kronberg.


--
GeNUA mbH
