OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Joshua Wright (Joshua.Wrightjwu.edu)
Date: Fri Nov 09 2001 - 14:28:15 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    My mistake, I should have mentioned that the SYN packets recurred every 45
    seconds or so for approximately 12 hours before we got an upstream provider
    to null route the destination address, and that the source address was a
    random address (poorly randomized as many of the packets were from class D
    and E blocks, 127.x.x.x addresses and 0's in the network number).

    "nmap -sS -p 3039-34431 -T insane destination" - would probably have had the
    same effectiveness, but would have permitted us to find the source a little
    easier.

    Thanks for all the comments and suggestions.

    -Joshua Wright, GCIH
    Team Leader, Networks and Systems
    Johnson & Wales University
    Joshua.Wrightjwu.edu

    pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

    -----Original Message-----
    From: Joerg Over [mailto:overdexia.de]
    Sent: Thursday, November 08, 2001 2:09 PM
    To: incidentssecurityfocus.com
    Subject: Re: SYN Flood attack with sequential destination ports?

    Hi!

    At 12:55 08.11.01 -0500 you wrote:

    ->The interesting characteristic is the destination port is sequential -
    each
    ->phase of attack starting at 3039 and ending arouind 34431.
    --8<------------------------------------------------------------------------

    Ever thought it could be a syn scan instead of a syn flood?
    :)

    Greetings, jo
    +-------------------------------------------------------------------+
    | __ __ __ __ _ _ It ain't over 'till it's Joerg Over... |
    | / _ \ V / -_) '_/ |
    | \___/\_/\___|_| |
    +-------------------------------------------------------------------+

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com