Port 80 SYN flood-like behavior

From: NESTING, DAVID M (SBCSI) (dn3723at_private)
Date: Wed Feb 13 2002 - 14:51:54 PST

    In the last few days I've been seeing what *looks* like a SYN flood attack
    on port 80 across all IP addresses on my network.  However, if it's a flood,
    it's not a very strong one.  Modest hardware is able to keep up with the
    incoming packets without a problem, but the steady flow of SYN packets is
    still a steady flow.  (On a given system, the number of connections in a
    SYN_RECVD-ish state numbers 50-100.)  The source IP addresses stay constant
    for a minute or two and then cease, sometimes as another IP address starts
    sending its own stream of SYN packets, though occasionally more than one
    host will be sending traffic at a time.  Source addresses are in a variety
    of networks, but seem to be consistently dialup or similar type connections.
    
    It "feels" like an attempt at a denial-of-service attack, but why spread it
    out over so many destination IP addresses (many of which have no Internet
    presence), and why would the flood be so weak as not to actually affect
    anything?
    
    Could this be an IDS allowing spoofed IP addresses through while stripping
    out a "dangerous" payload that might come along with the first ACK response?
    Or maybe a form of scan where the volume of response carries information
    they want?  Has anyone seen something similar?
    
    David
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
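A way to test the pattern in the post against your own logs, as an added example that is not part of the original message: given inbound SYN records (timestamp, source, destination), it summarizes each source and flags those that spread SYNs across many destination addresses for a minute or more at a rate too low to be a real flood. The log line format, the sample data and the thresholds are assumptions.

```python
"""Added example (not from the original post): find low-rate, network-wide SYN
sweeps of the kind described, from a constructed log of inbound TCP SYNs.
Each line is '<epoch seconds> <src_ip> <dst_ip>' (assumed format)."""

# Constructed sample: 10.0.0.7 sweeps many destinations over ~90 s,
# while 203.0.113.5 makes two ordinary connections to one web server.
SAMPLE_LOG = """\
1013640000 10.0.0.7 192.0.2.1
1013640005 10.0.0.7 192.0.2.2
1013640010 10.0.0.7 192.0.2.3
1013640020 10.0.0.7 192.0.2.4
1013640040 10.0.0.7 192.0.2.5
1013640060 10.0.0.7 192.0.2.6
1013640090 10.0.0.7 192.0.2.7
1013640001 203.0.113.5 192.0.2.1
1013640002 203.0.113.5 192.0.2.1
"""

def parse_syn_log(text):
    """Return a list of (timestamp, src, dst) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            events.append((int(ts), src, dst))
    return events

def summarize_sources(events):
    """Per source: first/last timestamp, SYN count and distinct destinations."""
    stats = {}
    for ts, src, dst in events:
        s = stats.setdefault(src, {"first": ts, "last": ts, "syns": 0, "dsts": set()})
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["syns"] += 1
        s["dsts"].add(dst)
    return stats

def flag_sweepers(stats, min_dsts=5, min_duration=60, max_rate=5.0):
    """Flag sources that hit at least min_dsts addresses for at least
    min_duration seconds while sending no more than max_rate SYNs/second.
    Thresholds are assumptions; tune them for your own network."""
    flagged = []
    for src, s in stats.items():
        duration = s["last"] - s["first"]
        rate = s["syns"] / max(duration, 1)
        if len(s["dsts"]) >= min_dsts and duration >= min_duration and rate <= max_rate:
            flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_sweepers(summarize_sources(parse_syn_log(SAMPLE_LOG))))
```

A flagged source whose SYNs never complete a handshake across otherwise unused addresses is more consistent with a scan than with a denial-of-service attempt.
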
    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 15:36:59 PST