From: Steve Gibson (bugtraqgrc.com)
Date: Wed Feb 13 2002 - 17:54:45 CST

    David,

    >In the last few days I've been seeing what *looks* like a SYN flood attack
    >on port 80 across all IP addresses on my network. However, if it's a
    >flood, it's not a very strong one. Modest hardware is able to keep up
    >with the incoming packets without a problem, but the steady flow of SYN
    >packets is still a steady flow. (On a given system, the number of
    >connections in a SYN_RECVD-ish state numbers 50-100.) The source IP
    >addresses stay constant for a minute or two and then cease, sometimes as
    >another IP address starts sending its own stream of SYN packets, though
    >occasionally more than one host will be sending traffic at a time. Source
    >addresses are in a variety of networks, but seem to be consistently dialup
    >or similar type connections.
    >
    >It "feels" like an attempt at a denial-of-service attack, but why spread
    >it out over so many destination IP addresses (many of which have no
    >Internet presence), and why would the flood be so weak as not to actually
    >affect anything?
    >
    >Could this be an IDS allowing spoofed IP addresses through while stripping
    >out a "dangerous" payload that might come along with the first ACK
    >response? Or maybe a form of scan where the volume of response carries
    >information they want? Has anyone seen something similar?

    What you are describing exactly fits the description of a "midpoint server"
    participating in a new form of Distributed Denial of Service attack. We
    were on the receiving end of such an attack a little over one month ago.

    Briefly, the idea is that a spoofed source IP SYN flood is gently spread
    across a LARGE number of TCP servers. Each of the many servers replies with
    SYN/ACK packets ... aimed at the attack's intended target. Since each
    unacknowledged SYN/ACK will be repeated (generally three times) this
    results in a factor-four bandwidth multiplication.

    From the viewpoint of the attack victim, a large number of well-connected
    Internet servers appears to be flooding them with SYN/ACK packets.

    In the case of the attack aimed at us, 202 individual Internet routers were
    flooding us with SYN/ACK packets from the BGP port.

    I am in the process of writing up a detailed report with a detailed
    analysis of the packet capture, but you can see what I have so far at:

    http://grc.com/dos/packetbounce.htm

    regards,

    ______________________________________________________________________
    Steve.
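
As an added illustration (not part of this thread or of Steve Gibson's write-up), a small Python detector seen from the attack victim's side: it matches inbound SYN/ACKs against the SYNs the victim itself sent, flags the unsolicited ones, counts the distinct reflecting hosts and the ports they reflect from, and measures how many copies of each SYN/ACK arrived, which is the retransmission multiplier the message describes. The packet summary lines, the victim address 10.0.0.5 and the reflector addresses are constructed sample data.

```python
from collections import Counter

# Constructed tcpdump-style summaries (not a real capture): "src:sport > dst:dport flags seq".
# Flags use tcpdump notation: "S" = SYN, "S." = SYN/ACK. 10.0.0.5 plays the victim.
SAMPLE_LINES = """
10.0.0.5:51000 > 203.0.113.7:80 S 1000
203.0.113.7:80 > 10.0.0.5:51000 S. 555
198.51.100.1:179 > 10.0.0.5:40001 S. 7001
198.51.100.1:179 > 10.0.0.5:40001 S. 7001
198.51.100.1:179 > 10.0.0.5:40001 S. 7001
198.51.100.1:179 > 10.0.0.5:40001 S. 7001
198.51.100.2:179 > 10.0.0.5:40002 S. 7002
198.51.100.2:179 > 10.0.0.5:40002 S. 7002
198.51.100.2:179 > 10.0.0.5:40002 S. 7002
198.51.100.2:179 > 10.0.0.5:40002 S. 7002
198.51.100.3:80 > 10.0.0.5:40003 S. 7003
198.51.100.3:80 > 10.0.0.5:40003 S. 7003
198.51.100.3:80 > 10.0.0.5:40003 S. 7003
198.51.100.3:80 > 10.0.0.5:40003 S. 7003
""".strip().splitlines()


def parse(line):
    """Split one summary line into (src_ip, src_port, dst_ip, dst_port, flags, seq)."""
    src, _, dst, flags, seq = line.split()
    sip, sport = src.split(":")
    dip, dport = dst.split(":")
    return sip, int(sport), dip, int(dport), flags, int(seq)


def analyze(lines, victim_ip):
    """Classify inbound SYN/ACKs to victim_ip as solicited or reflected backscatter."""
    sent_syns = set()          # (our_port, peer_ip, peer_port) for SYNs we really sent
    unsolicited = Counter()    # (reflector_ip, reflector_port, our_port, seq) -> copies seen
    for line in lines:
        sip, sport, dip, dport, flags, seq = parse(line)
        if sip == victim_ip and flags == "S":
            sent_syns.add((sport, dip, dport))
        elif dip == victim_ip and flags == "S." and (dport, sip, sport) not in sent_syns:
            unsolicited[(sip, sport, dport, seq)] += 1
    total = sum(unsolicited.values())
    reflectors = {(ip, port) for ip, port, _, _ in unsolicited}
    # Copies per distinct SYN/ACK = original + retransmits: the free bandwidth
    # multiplier each reflector hands the attacker (about 4 in the message above).
    amplification = total / len(unsolicited) if unsolicited else 0.0
    return {
        "unsolicited_synacks": total,
        "reflectors": len(reflectors),
        "reflector_ips": sorted(ip for ip, _ in reflectors),
        "reflector_ports": dict(Counter(port for _, port in reflectors)),
        "amplification": amplification,
    }
```

A real deployment would feed this from a flow log or capture and alert when the reflector count climbs while the legitimate SYN/ACK share stays flat.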

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com