Security Incidents mailing list archives

Re: Port 7000 (Apple File Share) DoS/DDoS underway


From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Thu, 23 Sep 2004 14:20:00 +0200 (CEST)

On Wed, 22 Sep 2004, Daniel Hanson wrote:

> I will just interject quickly. The choice of flags would indicate to me
> that perhaps you are seeing backscatter from a DDoS attack. For anyone
> who hasn't encountered this situation:
>
> Social deviant with a collection of 50 hosts under his control decides he
> doesn't like company X today. He turns the 50 hosts to attack a server on
> that network but tells the 50 hosts to spoof the source address. He picks
> your address as the source to be spoofed (or it's random). The SYNs go to
> the target machine, which responds with a SYN-ACK to your IP address. The
> presence of the RSTs may or may not be part of the actual conversation,
> or another effect of some sort; I don't believe that an RST also coming to
> you from that same connection is appropriate behaviour, but I don't have
> TCP/IP Illustrated in front of me.
>
> YMMV, I just thought I would throw it in as a possible explanation.

  There is one thing I forgot to mention: besides the flags SYN and ACK,
  the reserved flags R0 and R1 had been set. I saw the following
  combinations: syn/ack/r1, syn/ack/r0 and syn/ack/r0/r1.
  I'm not sure about the way the two reserved flags are handled: are they
  meant for the transmission or for the end point? Meaning, are they
  sent back with the answer packets when the arriving SYN packet had
  them set?

  Cheers,


                                                       Chris Kronberg.

--
GeNUA mbH
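The backscatter pattern Daniel describes above (SYN/ACKs and RSTs arriving for handshakes nobody on your side started) is easy to check for mechanically if you have a record of the SYNs your own hosts sent. The following is an added example, not code from anyone in this thread: it decodes the TCP flag byte, including the two high bits that RFC 793 left reserved and that RFC 3168 assigned as CWR and ECE, and flags inbound SYN/ACK or RST segments whose mirrored 4-tuple matches no outbound SYN of ours. The outbound-SYN table stands in for a stateful firewall's state, the function names are mine, and the addresses and segments are constructed from the RFC 5737 documentation ranges, with 198.51.100.7:7000 playing the flooded server.

```python
# Added example (not from the thread): decode TCP flags and pick out inbound
# handshake replies that answer no SYN we ever sent, i.e. DDoS backscatter.
from collections import defaultdict

# Bit positions in the 13th byte of the TCP header (RFC 793). The two high
# bits were "reserved" in RFC 793; RFC 3168 assigned them to ECN as CWR/ECE,
# which is why older filters may still report them as reserved bits.
FLAG_BITS = {
    "CWR": 0x80,
    "ECE": 0x40,
    "URG": 0x20,
    "ACK": 0x10,
    "PSH": 0x08,
    "RST": 0x04,
    "SYN": 0x02,
    "FIN": 0x01,
}


def decode_flags(flag_byte):
    """Return the set of flag names set in a TCP flags byte."""
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def encode_flags(*names):
    """Inverse of decode_flags; used to build the constructed sample below."""
    byte = 0
    for name in names:
        byte |= FLAG_BITS[name]
    return byte


def find_backscatter(outbound_syns, inbound):
    """Classify inbound segments.

    outbound_syns: set of (local_ip, local_port, remote_ip, remote_port) for
        SYNs our hosts actually sent (what a stateful firewall would hold).
    inbound: iterable of (src_ip, src_port, dst_ip, dst_port, flags_byte).

    An inbound SYN/ACK or RST is a reply to a handshake. If the mirrored
    4-tuple is not in our outbound table, nobody here started it; the likely
    cause is a third party spoofing our addresses toward src_ip, so we are
    receiving the flooded victim's replies.
    """
    hits = []
    for src_ip, src_port, dst_ip, dst_port, flags_byte in inbound:
        flags = decode_flags(flags_byte)
        is_reply = ({"SYN", "ACK"} <= flags) or ("RST" in flags)
        if not is_reply:
            continue  # a bare SYN is a scan or a real client, not backscatter
        if (dst_ip, dst_port, src_ip, src_port) in outbound_syns:
            continue  # legitimate reply to a SYN we sent
        hits.append({
            "victim": (src_ip, src_port),       # host being flooded
            "spoofed_as": (dst_ip, dst_port),   # our address used as source
            "flags": "/".join(sorted(flags)),
            # SYN/ACK with ECE set is the RFC 3168 reply of an ECN-capable
            # responder to a SYN that carried CWR+ECE: normal, not an anomaly.
            "ecn_reply": ("SYN" in flags and "ECE" in flags),
        })
    return hits


def summarize(hits):
    """Per victim, count how many distinct (our address, port) pairs it hit."""
    per_victim = defaultdict(set)
    for h in hits:
        per_victim[h["victim"]].add(h["spoofed_as"])
    return {v: len(targets) for v, targets in per_victim.items()}


# Constructed sample (RFC 5737 documentation addresses, not captured traffic).
# 192.0.2.0/24 is "our" network; 198.51.100.7:7000 is a server under SYN flood.
OUTBOUND_SYNS = {
    ("192.0.2.10", 50001, "203.0.113.5", 443),
    ("192.0.2.10", 50002, "203.0.113.9", 80),
}
INBOUND = [
    ("203.0.113.5", 443, "192.0.2.10", 50001, encode_flags("SYN", "ACK")),
    ("203.0.113.9", 80, "192.0.2.10", 50002, encode_flags("SYN", "ACK", "ECE")),
    ("198.51.100.7", 7000, "192.0.2.10", 41234, encode_flags("SYN", "ACK")),
    ("198.51.100.7", 7000, "192.0.2.11", 5533, encode_flags("SYN", "ACK", "ECE")),
    ("198.51.100.7", 7000, "192.0.2.12", 60000, encode_flags("RST", "ACK")),
    ("198.51.100.7", 7000, "192.0.2.10", 41235, encode_flags("RST")),
    ("203.0.113.20", 40000, "192.0.2.13", 22, encode_flags("SYN")),  # plain scan
]

if __name__ == "__main__":
    for hit in find_backscatter(OUTBOUND_SYNS, INBOUND):
        print(hit)
    print(summarize(find_backscatter(OUTBOUND_SYNS, INBOUND)))
```

The telltale signs in the summary are one victim address and port, many different local addresses and high ports on our side, and no matching outbound state; the ECE bit on some of those SYN/ACKs is only the victim's normal ECN negotiation and says nothing about the attack itself.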

