Yes, we are seeing the same thing over here... It appears to be most effective when the attack is pointed at a subnet with a shared web server with many IPs bound to the same interface. This also could be an attempt to use these systems as a reflector to flood a particular IP address out on the web...

Stu Sheldon

"NESTING, DAVID M (SBCSI)" wrote:
>
> In the last few days I've been seeing what *looks* like a SYN flood attack
> on port 80 across all IP addresses on my network. However, if it's a flood,
> it's not a very strong one. Modest hardware is able to keep up with the
> incoming packets without a problem, but the steady flow of SYN packets is
> still a steady flow. (On a given system, the number of connections in a
> SYN_RECVD-ish state numbers 50-100.) The source IP addresses stay constant
> for a minute or two and then cease, sometimes as another IP address starts
> sending its own stream of SYN packets, though occasionally more than one
> host will be sending traffic at a time. Source addresses are in a variety
> of networks, but seem to be consistently dialup or similar type connections.
>
> It "feels" like an attempt at a denial-of-service attack, but why spread it
> out over so many destination IP addresses (many of which have no Internet
> presence), and why would the flood be so weak as not to actually affect
> anything?
>
> Could this be an IDS allowing spoofed IP addresses through while stripping
> out a "dangerous" payload that might come along with the first ACK response?
> Or maybe a form of scan where the volume of response carries information
> they want? Has anyone seen something similar?
>
> David
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
In a five year period we can get one superb programming language.
Only we can't control when the five year period will begin.
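Added example, not part of either poster's message: a small detector for the traffic pattern David describes (a source that sends a trickle of SYNs to port 80 across many destination addresses and never completes a handshake), run over constructed tcpdump-style lines. The addresses, timestamps and thresholds are invented for illustration; the half-open count per destination is the "SYN_RECVD-ish" figure he mentions, approximated as SYNs seen minus pure ACKs seen.

```python
"""Detect low-rate, many-destination SYN sprays in tcpdump -n output.

Sample input below is constructed for this example (RFC 5737 addresses);
it is not a capture from the list posters' networks.
"""
import re
from collections import defaultdict
from datetime import datetime

# tcpdump -n line shape: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [S], ..."
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return ts (seconds since midnight), src, dst, dport, flags; None if no match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    t = datetime.strptime(d["ts"], "%H:%M:%S.%f")
    secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    return {"ts": secs, "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "flags": d["flags"]}


def find_syn_sprayers(lines, dport=80, min_dsts=8):
    """Flag sources whose SYNs to dport reach >= min_dsts distinct hosts with no
    pure ACK (third handshake step) ever sent. A normal client retransmitting
    SYNs to one unreachable host is not flagged, because it hits one destination."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "dsts": set(),
                                 "first": None, "last": None})
    for line in lines:
        p = parse_line(line)
        if p is None or p["dport"] != dport:
            continue
        s = stats[p["src"]]
        if p["flags"] == "S":
            s["syn"] += 1
            s["dsts"].add(p["dst"])
        elif p["flags"] == ".":
            s["ack"] += 1
        s["first"] = p["ts"] if s["first"] is None else min(s["first"], p["ts"])
        s["last"] = p["ts"] if s["last"] is None else max(s["last"], p["ts"])
    flagged = []
    for src, s in stats.items():
        if s["syn"] and len(s["dsts"]) >= min_dsts and s["ack"] == 0:
            span = max(s["last"] - s["first"], 1e-6)
            flagged.append({"src": src, "syn": s["syn"],
                            "dsts": len(s["dsts"]), "rate": s["syn"] / span})
    return sorted(flagged, key=lambda f: -f["dsts"])


def half_open_by_dst(lines, dport=80):
    """Approximate per-destination SYN_RECVD backlog: SYNs minus pure ACKs."""
    counts = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None or p["dport"] != dport:
            continue
        if p["flags"] == "S":
            counts[p["dst"]] += 1
        elif p["flags"] == ".":
            counts[p["dst"]] -= 1
    return dict(counts)


def _pkt(sec, src, sport, dst, flags, usec=0):
    return "12:00:%02d.%06d IP %s.%d > %s.80: Flags [%s], length 0" % (
        sec, usec, src, sport, dst, flags)


# Constructed sample: one sprayer, one benign client, one client retrying.
SAMPLE = []
for i in range(10):                       # 203.0.113.5: one SYN every 6 s, 10 hosts
    SAMPLE.append(_pkt(i * 6, "203.0.113.5", 40000 + i, "198.51.100.%d" % (10 + i), "S"))
SAMPLE += [                               # 192.0.2.7: completes a handshake
    _pkt(3, "192.0.2.7", 51000, "198.51.100.10", "S"),
    _pkt(3, "192.0.2.7", 51000, "198.51.100.10", ".", usec=50000),
    _pkt(3, "192.0.2.7", 51000, "198.51.100.10", "P.", usec=100000),
]
for sec in (10, 13, 19, 31):              # 192.0.2.9: SYN retransmits to one host
    SAMPLE.append(_pkt(sec, "192.0.2.9", 52000, "198.51.100.10", "S"))

if __name__ == "__main__":
    for f in find_syn_sprayers(SAMPLE):
        print("%s: %d SYNs to %d hosts, %.2f SYN/s, no handshake completed"
              % (f["src"], f["syn"], f["dsts"], f["rate"]))
    print(half_open_by_dst(SAMPLE))
```

Feed it `tcpdump -n -tt 'tcp[tcpflags] & (tcp-syn|tcp-ack) != 0'` style output (timestamps in the HH:MM:SS.ffffff form shown) and lower `min_dsts` if the watched subnet is small; the interesting signal is the combination of many destinations, zero completed handshakes and a rate far below what a flood intended to exhaust a backlog would need.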
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 16:51:08 PST