David,

> In the last few days I've been seeing what *looks* like a SYN flood attack
> on port 80 across all IP addresses on my network. However, if it's a
> flood, it's not a very strong one. Modest hardware is able to keep up
> with the incoming packets without a problem, but the steady flow of SYN
> packets is still a steady flow. (On a given system, the number of
> connections in a SYN_RECVD-ish state numbers 50-100.) The source IP
> addresses stay constant for a minute or two and then cease, sometimes as
> another IP address starts sending its own stream of SYN packets, though
> occasionally more than one host will be sending traffic at a time. Source
> addresses are in a variety of networks, but seem to be consistently dialup
> or similar type connections.
>
> It "feels" like an attempt at a denial-of-service attack, but why spread
> it out over so many destination IP addresses (many of which have no
> Internet presence), and why would the flood be so weak as not to actually
> affect anything?
>
> Could this be an IDS allowing spoofed IP addresses through while stripping
> out a "dangerous" payload that might come along with the first ACK
> response? Or maybe a form of scan where the volume of response carries
> information they want? Has anyone seen something similar?

What you are describing exactly fits the description of a "midpoint server" participating in a new form of Distributed Denial of Service attack. We were on the receiving end of such an attack a little over one month ago.

Briefly, the idea is that a spoofed source IP SYN flood is gently spread across a LARGE number of TCP servers. Each of the many servers replies with SYN/ACK packets ... aimed at the attack's intended target. Since each unacknowledged SYN/ACK will be repeated (generally three times) this results in a factor-four bandwidth multiplication. From the viewpoint of the attack victim, a large number of well-connected Internet servers appears to be flooding them with SYN/ACK packets.

In the case of the attack aimed at us, 202 individual Internet routers were flooding us with SYN/ACK packets from the BGP port.

I am in the process of writing up a detailed report with a detailed analysis of the packet capture, but you can see what I have so far at:

http://grc.com/dos/packetbounce.htm

regards,
______________________________________________________________________
Steve.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
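A victim-side check for the symptom Steve describes, added here as an example that is not code from the original post or from GRC: it scans a constructed, simplified packet log for inbound SYN/ACKs that answer no SYN we ourselves sent (the signature of a reflected "packet bounce" flood), lists the reflectors and the abused service port, and estimates the per-reflector multiplication from the retransmissions. The log format, the addresses and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample capture as seen from the victim (our address 192.0.2.10).
# Format (invented for this example): "ts src:sport > dst:dport flags".
# 203.0.113.x are hypothetical reflectors answering from port 179 (BGP), as in
# the incident above; each SYN/ACK is retransmitted three times because the
# spoofed "client" never finishes the handshake. 198.51.100.7 is a server we
# really connected to, so its SYN/ACK is legitimate and must not be flagged.
SAMPLE_LOG = """\
0.000 192.0.2.10:40001 > 198.51.100.7:80 S
0.020 198.51.100.7:80 > 192.0.2.10:40001 SA
0.100 203.0.113.1:179 > 192.0.2.10:443 SA
0.101 203.0.113.2:179 > 192.0.2.10:443 SA
3.100 203.0.113.1:179 > 192.0.2.10:443 SA
3.101 203.0.113.2:179 > 192.0.2.10:443 SA
9.100 203.0.113.1:179 > 192.0.2.10:443 SA
9.101 203.0.113.2:179 > 192.0.2.10:443 SA
21.100 203.0.113.1:179 > 192.0.2.10:443 SA
21.101 203.0.113.2:179 > 192.0.2.10:443 SA
"""

def parse(line):
    """Split one log line into (ts, src_ip, src_port, dst_ip, dst_port, flags)."""
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags

def find_reflections(log, our_ip):
    """Return {reflector_ip: (service_port, syn_ack_count)} for every inbound
    SYN/ACK that answers no SYN we ourselves sent."""
    sent_syn = set()                 # (our_port, peer_ip, peer_port)
    hits = defaultdict(lambda: [None, 0])
    for line in log.splitlines():
        _, sip, sport, dip, dport, flags = parse(line)
        if sip == our_ip and flags == "S":
            sent_syn.add((sport, dip, dport))
        elif dip == our_ip and flags == "SA" and (dport, sip, sport) not in sent_syn:
            hits[sip][0] = sport      # the service being used as a midpoint
            hits[sip][1] += 1
    return {ip: tuple(v) for ip, v in hits.items()}

def amplification(hits):
    """Average SYN/ACK segments the victim receives per reflector, i.e. per
    single spoofed SYN: one reply plus its retransmissions (about 4 in the post)."""
    return sum(n for _, n in hits.values()) / len(hits) if hits else 0.0

if __name__ == "__main__":
    hits = find_reflections(SAMPLE_LOG, "192.0.2.10")
    print(len(hits), "reflectors, amplification x%.1f" % amplification(hits))
```

On a real capture the same logic applies to a flow log or a pcap decoded into these fields; a large set of reflector addresses sharing one service port, each sending a handful of identical SYN/ACKs, distinguishes this from a direct SYN flood.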
This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 17:33:31 PST