Re: Port 80 SYN flood-like behavior

From: Steve Gibson (bugtraqat_private)
Date: Wed Feb 13 2002 - 15:54:45 PST


    David,
    
    >In the last few days I've been seeing what *looks* like a SYN flood attack 
    >on port 80 across all IP addresses on my network.  However, if it's a 
    >flood, it's not a very strong one.  Modest hardware is able to keep up 
    >with the incoming packets without a problem, but the steady flow of SYN 
    >packets is still a steady flow.  (On a given system, the number of 
    >connections in a SYN_RECVD-ish state numbers 50-100.)  The source IP 
    >addresses stay constant for a minute or two and then cease, sometimes as 
    >another IP address starts sending its own stream of SYN packets, though 
    >occasionally more than one host will be sending traffic at a time.  Source 
    >addresses are in a variety of networks, but seem to be consistently dialup 
    >or similar type connections.
    >
    >It "feels" like an attempt at a denial-of-service attack, but why spread 
    >it out over so many destination IP addresses (many of which have no 
    >Internet presence), and why would the flood be so weak as not to actually 
    >affect anything?
    >
    >Could this be an IDS allowing spoofed IP addresses through while stripping 
    >out a "dangerous" payload that might come along with the first ACK 
    >response? Or maybe a form of scan where the volume of response carries 
    >information they want?  Has anyone seen something similar?
    
    
    What you are describing exactly fits the description of a "midpoint server" 
    participating in a new form of Distributed Denial of Service attack. We 
    were on the receiving end of such an attack a little over one month ago.
    
    Briefly, the idea is that a spoofed source IP SYN flood is gently spread 
    across a LARGE number of TCP servers. Each of the many servers replies with 
    SYN/ACK packets ... aimed at the attack's intended target.  Since each 
    unacknowledged SYN/ACK will be repeated (generally three times) this 
    results in a factor-four bandwidth multiplication.
    
    From the viewpoint of the attack victim, a large number of well-connected 
    Internet servers appears to be flooding them with SYN/ACK packets.
    
    In the case of the attack aimed at us, 202 individual Internet routers were 
    flooding us with SYN/ACK packets from the BGP port.
    
    I am in the process of writing up a detailed report with a detailed 
    analysis of the packet capture, but you can see what I have so far at:
    
    http://grc.com/dos/packetbounce.htm
    
    regards,
    
    ______________________________________________________________________
    Steve.
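Seen from the victim's side, the pattern Steve describes can be flagged by matching each inbound SYN/ACK against the SYNs the host actually sent; what follows is an added example, not code from the thread or from GRC. The log format, the addresses and the `find_reflected_synacks` function are my own assumptions: two constructed reflectors on the BGP port each send the initial SYN/ACK plus three retransmissions, so the average works out to the factor of four mentioned above.

```python
from collections import Counter

# Constructed sample log (not from the thread), one packet per line:
#   time  src:sport  dst:dport  flags     (S = SYN, SA = SYN/ACK)
# 10.0.0.5 is the monitored host; 203.0.113.x play the role of the
# BGP-port (179) reflectors described in the message above.
SAMPLE_LOG = """\
0.00 10.0.0.5:40000 198.51.100.7:80 S
0.01 198.51.100.7:80 10.0.0.5:40000 SA
0.02 203.0.113.9:179 10.0.0.5:1234 SA
0.03 203.0.113.10:179 10.0.0.5:1234 SA
3.02 203.0.113.9:179 10.0.0.5:1234 SA
3.03 203.0.113.10:179 10.0.0.5:1234 SA
9.02 203.0.113.9:179 10.0.0.5:1234 SA
9.03 203.0.113.10:179 10.0.0.5:1234 SA
21.02 203.0.113.9:179 10.0.0.5:1234 SA
21.03 203.0.113.10:179 10.0.0.5:1234 SA
"""

def parse_line(line):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, flags)."""
    t, src, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport), flags

def find_reflected_synacks(log, monitored):
    """Flag SYN/ACKs arriving at `monitored` that answer no SYN it sent.

    Returns (unsolicited SYN/ACK count, Counter of reflector -> count,
    average SYN/ACKs per reflector).  The average is the bandwidth
    multiplication one spoofed SYN buys: first reply plus retransmissions.
    """
    sent_syns = set()          # 4-tuples of SYNs the monitored host sent
    per_reflector = Counter()  # (reflector ip, port) -> unsolicited SYN/ACKs
    for line in log.splitlines():
        _, sip, sport, dip, dport, flags = parse_line(line)
        if sip == monitored and flags == "S":
            sent_syns.add((sip, sport, dip, dport))
        elif dip == monitored and flags == "SA":
            if (dip, dport, sip, sport) in sent_syns:
                continue  # genuine reply to a connection we opened
            per_reflector[(sip, sport)] += 1
    total = sum(per_reflector.values())
    multiplication = total / len(per_reflector) if per_reflector else 0.0
    return total, per_reflector, multiplication

if __name__ == "__main__":
    total, refl, mult = find_reflected_synacks(SAMPLE_LOG, "10.0.0.5")
    print(f"{total} unsolicited SYN/ACKs from {len(refl)} reflectors, x{mult:.1f}")
```

On real traffic the same logic applies to a pcap or flow export; the retransmission spacing (here 3, 6 and 12 seconds) is what distinguishes reflected SYN/ACKs from a direct SYN/ACK flood.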
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 17:33:31 PST