RE: SYN Flood attack with sequential destination ports?

From: Joshua Wright (Joshua.Wrightat_private)
Date: Fri Nov 09 2001 - 12:28:15 PST

    My mistake, I should have mentioned that the SYN packets recurred every 45
    seconds or so for approximately 12 hours before we got an upstream provider
    to null route the destination address, and that the source address was a
    random address (poorly randomized as many of the packets were from class D
    and E blocks, 127.x.x.x addresses and 0's in the network number).
    
    "nmap -sS -p 3039-34431 -T insane destination" - would probably have had the
    same effectiveness, but would have permitted us to find the source a little
    more easily.
    
    Thanks for all the comments and suggestions.
    
    -Joshua Wright, GCIH
    Team Leader, Networks and Systems
    Johnson & Wales University
    Joshua.Wrightat_private 
    
    pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    
    
    
    -----Original Message-----
    From: Joerg Over [mailto:overat_private]
    Sent: Thursday, November 08, 2001 2:09 PM
    To: incidentsat_private
    Subject: Re: SYN Flood attack with sequential destination ports?
    
    
    Hi!
    
    At 12:55 08.11.01 -0500 you wrote:
    
    ->The interesting characteristic is the destination port is sequential - each
    ->phase of attack starting at 3039 and ending around 34431.
    --8<------------------------------------------------------------------------
    
    Ever thought it could be a syn scan instead of a syn flood?
    :)
    
    Greetings, jo
    +-------------------------------------------------------------------+
    |  __ __ __ __ _ _          It ain't over 'till it's Joerg Over...  |
    | / _ \ V / -_) '_/                                                 |
    | \___/\_/\___|_|                                                   |
    +-------------------------------------------------------------------+
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
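The thread turns on one distinguishing feature: a scanner needs the SYN/ACKs to come back, so it sends from a real address, whereas a flood that walks the port range with spoofed sources will show "impossible" senders (class D multicast, class E reserved, 127/8 loopback, network 0/8), exactly what Joshua reports. The triage below is an added example written for this page, not code from either poster; the SYN records are constructed to mimic the described pattern (bursts roughly every 45 seconds, destination ports climbing from 3039), and the thresholds in classify() are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample SYN records (not real captures): (seconds, src_ip, dst_port).
# Mimics the thread: one burst about every 45 s, badly randomized sources,
# destination port incrementing from 3039 onward.
SAMPLE_SYNS = [
    (0,  "224.10.3.7",   3039),  # class D multicast: never a valid unicast sender
    (0,  "127.4.4.4",    3040),  # loopback
    (0,  "0.0.15.9",     3041),  # network 0/8
    (0,  "245.1.1.1",    3042),  # class E reserved
    (0,  "203.0.113.77", 3043),  # plausible-looking source
    (45, "239.255.1.2",  3044),
    (45, "127.0.0.1",    3045),
    (45, "198.51.100.9", 3046),
    (90, "0.1.2.3",      3047),
    (90, "250.9.9.9",    3048),
]

# Constructed contrast case: a plain SYN scan from one real source, same ports.
SCAN_SYNS = [(t, "198.51.100.9", 3039 + t) for t in range(6)]


def is_bogon_source(ip: str) -> bool:
    """True if the address cannot be a real Internet sender: multicast (224/4),
    reserved class E (240/4), loopback (127/8) or the zero network (0/8)."""
    a = ipaddress.ip_address(ip)
    return (
        a.is_multicast
        or a.is_reserved
        or a.is_loopback
        or a in ipaddress.ip_network("0.0.0.0/8")
    )


def bogon_ratio(records) -> float:
    """Share of records whose source address is a bogon. A spoofing flood that
    picks 32-bit sources at random lands in these ranges a visible fraction of
    the time; a scanner that wants replies essentially never does."""
    srcs = [s for _, s, _ in records]
    return sum(is_bogon_source(s) for s in srcs) / len(srcs)


def port_walk(records):
    """Return (lowest port, highest port, fraction of consecutive records whose
    destination port rose by exactly one), i.e. how 'sequential' the sweep is."""
    ports = [p for _, _, p in records]
    steps = [b - a for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in steps if d == 1) / len(steps) if steps else 0.0
    return min(ports), max(ports), sequential


def burst_interval(records) -> int:
    """Median gap in seconds between distinct burst timestamps (0 if only one)."""
    ts = sorted({t for t, _, _ in records})
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    return gaps[len(gaps) // 2] if gaps else 0


def classify(records, seq_threshold=0.8, bogon_threshold=0.2) -> str:
    """Crude triage. Thresholds are assumptions for this example:
    sequential ports + spoofed (bogon-laden) sources  -> port-walking flood;
    sequential ports + a single real source            -> SYN scan;
    anything else                                      -> leave for the analyst."""
    _, _, seq = port_walk(records)
    distinct_srcs = len({s for _, s, _ in records})
    if seq >= seq_threshold and bogon_ratio(records) >= bogon_threshold:
        return "spoofed-source SYN flood walking destination ports"
    if seq >= seq_threshold and distinct_srcs == 1:
        return "SYN port scan from a single real source"
    return "unclassified"


if __name__ == "__main__":
    for name, recs in (("flood-like", SAMPLE_SYNS), ("scan-like", SCAN_SYNS)):
        lo, hi, seq = port_walk(recs)
        print(f"{name}: ports {lo}-{hi}, sequential={seq:.2f}, "
              f"bogon_ratio={bogon_ratio(recs):.2f}, "
              f"burst_every={burst_interval(recs)}s -> {classify(recs)}")
```

The bogon test is deliberately narrow (only ranges that can never originate a packet on the public Internet), so a high ratio is strong evidence of spoofing rather than of a badly configured but real host. Note that once sources are confirmed spoofed, the script cannot locate the sender; as the post says, that takes the upstream provider tracing the traffic hop by hop, which is why the real-source nmap scan would have been "easier to find".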



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 13:23:06 PST