Re: Port 80 SYN flood-like behavior

From: Stuart Sheldon (stuat_private)
Date: Wed Feb 13 2002 - 15:54:17 PST

    Yes, we are seeing the same thing over here... It appears to be most
    effective when the attack is pointed at a subnet with a shared web
    server with many IPs bound to the same interface. This also could be an
    attempt to use these systems as a reflector to flood a particular IP
    address out on the web...
    
    Stu Sheldon
    
    
    
    "NESTING, DAVID M (SBCSI)" wrote:
    > 
    > In the last few days I've been seeing what *looks* like a SYN flood attack
    > on port 80 across all IP addresses on my network.  However, if it's a flood,
    > it's not a very strong one.  Modest hardware is able to keep up with the
    > incoming packets without a problem, but the steady flow of SYN packets is
    > still a steady flow.  (On a given system, the number of connections in a
    > SYN_RECVD-ish state numbers 50-100.)  The source IP addresses stay constant
    > for a minute or two and then cease, sometimes as another IP address starts
    > sending its own stream of SYN packets, though occasionally more than one
    > host will be sending traffic at a time.  Source addresses are in a variety
    > of networks, but seem to be consistently dialup or similar type connections.
    > 
    > It "feels" like an attempt at a denial-of-service attack, but why spread it
    > out over so many destination IP addresses (many of which have no Internet
    > presence), and why would the flood be so weak as not to actually affect
    > anything?
    > 
    > Could this be an IDS allowing spoofed IP addresses through while stripping
    > out a "dangerous" payload that might come along with the first ACK response?
    > Or maybe a form of scan where the volume of response carries information
    > they want?  Has anyone seen something similar?
    > 
    > David
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    In a five year period we can get one superb programming language.  Only
    we can't control when the five year period will begin.
    
    
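As an added example, not code from the list post: a small Python check over constructed firewall-style log lines (the line format is assumed) that isolates the pattern David describes, a source that sends only bare SYNs to many destination addresses for a minute or two and never completes a handshake, which is also what you would expect to see if the source addresses were spoofed as in Stu's reflector theory.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log, format assumed: "HH:MM:SS src > dst:port flags=F"
SAMPLE_LOG = """\
10:00:01 10.1.1.5 > 192.0.2.10:80 flags=S
10:00:02 10.1.1.5 > 192.0.2.11:80 flags=S
10:00:03 10.1.1.5 > 192.0.2.12:80 flags=S
10:01:30 10.1.1.5 > 192.0.2.13:80 flags=S
10:01:40 198.51.100.7 > 192.0.2.10:80 flags=S
10:01:41 198.51.100.7 > 192.0.2.10:80 flags=A
10:01:42 198.51.100.7 > 192.0.2.10:80 flags=PA
10:02:00 203.0.113.9 > 192.0.2.20:80 flags=S
10:02:01 203.0.113.9 > 192.0.2.21:80 flags=S
10:03:30 203.0.113.9 > 192.0.2.22:80 flags=S
"""

def parse_line(line):
    """Return (time, src, dst, flags) for one log line in the assumed format."""
    ts, src, _arrow, dst_port, flags = line.split()
    dst = dst_port.rsplit(":", 1)[0]
    return datetime.strptime(ts, "%H:%M:%S"), src, dst, flags.split("=", 1)[1]

def profile_sources(log):
    """Per source: bare SYN count, distinct destinations hit, ACKs seen, first/last time."""
    prof = defaultdict(lambda: {"syns": 0, "dsts": set(), "acks": 0, "first": None, "last": None})
    for line in log.strip().splitlines():
        t, src, dst, flags = parse_line(line)
        p = prof[src]
        if flags == "S":          # SYN without ACK: opens a new half-open connection
            p["syns"] += 1
            p["dsts"].add(dst)
        elif "A" in flags:        # any ACK means this source really completes handshakes
            p["acks"] += 1
        p["first"] = t if p["first"] is None else min(p["first"], t)
        p["last"] = t if p["last"] is None else max(p["last"], t)
    return prof

def flag_syn_streams(log, min_syns=3, min_dsts=3):
    """Sources that only ever send SYNs, spread over many destinations, sustained over time.
    Returns {src: (syns, distinct_dsts, active_seconds)}; an all-SYN source that never ACKs
    behaves like a spoofed address (reflector theory) rather than a real client."""
    hits = {}
    for src, p in profile_sources(log).items():
        if p["syns"] >= min_syns and len(p["dsts"]) >= min_dsts and p["acks"] == 0:
            hits[src] = (p["syns"], len(p["dsts"]), int((p["last"] - p["first"]).total_seconds()))
    return hits
```

Calling `flag_syn_streams(SAMPLE_LOG)` reports the two SYN-only sources with how long each stayed active, while the host that went on to ACK is left alone; feed it a real log and the rotation David saw shows up as a sequence of sources each active for roughly a minute or two.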



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 16:51:08 PST