('binary' encoding is not supported, stored as-is) Iptables on my firewall just dropped 2204 packets that were new TCP connections but had both the SYN and ACK flags set. What is interesting about this is what these packets have in common AND what they don’t have in common. All the packets came from 19 different hosts targeting my firewall. The TCP source port was high random number, the destination port was always 53 (domain). Having both the SYN and ACK flags set is a response to a TCP connection request (SYN only). But the TCP port numbers are reversed. My DNS only runs over UDP. Here is are same of a few packets: Jan 10 13:30:12 bender kernel: FireWall INPUT_New_not_syn IN=eth0 OUT= MAC=00:e0:29:68:64:e7:00:02:17:e5:08:38:08:00 SRC=203.194.166.182 DST=bender LEN=44 TOS=0x00 PREC=0x00 TTL=236 ID=0 PROTO=TCP SPT=15700 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0 Jan 10 13:30:12 bender kernel: FireWall INPUT_New_not_syn IN=eth0 OUT= MAC=00:e0:29:68:64:e7:00:02:17:e5:08:38:08:00 SRC=216.220.39.42 DST= bender LEN=44 TOS=0x00 PREC=0x00 TTL=235 ID=0 PROTO=TCP SPT=52475 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0 Jan 10 13:30:12 bender kernel: FireWall INPUT_New_not_syn IN=eth0 OUT= MAC=00:e0:29:68:64:e7:00:02:17:e5:08:38:08:00 SRC=194.205.125.26 DST= bender LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=57687 DPT=53 WINDOW=4128 RES=0x00 ACK SYN URGP=0 There are 19 unique source IP addresses. I went to ARIN to see who own the IP addresses. The addresses have been assign around the world (US, Hong Kong, Germany, Australia). NSLOOKUP could not find any entries for these addresses. I can ping each of the addresses (so I know there is a machine there). I did a quick port scan, and none of the machine had any open sockets. Here are the 19 ip addresses: 128.121.10.146 128.242.105.34 129.250.244.10 193.148.15.128 194.205.125.26 194.213.64.150 202.139.133.129 203.194.166.182 203.81.45.254 216.220.39.42 216.33.35.214 216.34.68.2 216.35.167.58 62.23.80.2 62.26.119.34 64.14.200.154 64.37.200.46 64.56.174.186 64.78.235.14 What is really weird is the timing of the packets. Over a 4 day period, the packets only arrived at 6 unique times lasting a duration of 11 to 12 seconds. It looks like a DDOS attack for 11 seconds. The time between attacks is not constant, so that would rule out a cron job. Here are the 6 event times (in Pacific Standard Time): Jan 8 19:10:35 Jan 8 19:40:15 Jan 8 20:38:45 Jan 8 21:16:15 Jan 9 20:20:29 Jan 10 13:30:00 I can’t find any connection between the 19 ip addresses, or the time, or even what the packets were trying to do. Any ideas? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 09:40:53 PST