Re: Port 80 SYN flood-like behavior

From: Matthew Leeds (mleedsat_private)
Date: Wed Feb 13 2002 - 17:11:42 PST


    We saw a similar event a few days ago. Turned out to be an attack against an IRC server company. Forged source address, and used our public web addresses as reflectors. Took the IRC server company off the air. Whoever was the source sprayed at least a class B with this stuff.
    
    ---Matthew
    
    *********** REPLY SEPARATOR  ***********
    
    On 2/13/2002 at 3:54 PM Stuart Sheldon wrote:
    
    >Yes, we are seeing the same thing over here... It appears to be most
    >effective when the attack is pointed at a subnet with a shared web
    >server with many IPs bound to the same interface. This also could be an
    >attempt to use these systems as a reflector to flood a particular IP
    >address out on the web...
    >
    >Stu Sheldon
    >
    >
    >
    >"NESTING, DAVID M (SBCSI)" wrote:
    >> 
    >> In the last few days I've been seeing what *looks* like a SYN flood attack
    >> on port 80 across all IP addresses on my network.  However, if it's a flood,
    >> it's not a very strong one.  Modest hardware is able to keep up with the
    >> incoming packets without a problem, but the steady flow of SYN packets is
    >> still a steady flow.  (On a given system, the number of connections in a
    >> SYN_RECVD-ish state numbers 50-100.)  The source IP addresses stay constant
    >> for a minute or two and then cease, sometimes as another IP address starts
    >> sending its own stream of SYN packets, though occasionally more than one
    >> host will be sending traffic at a time.  Source addresses are in a variety
    >> of networks, but seem to be consistently dialup or similar type connections.
    >> 
    >> It "feels" like an attempt at a denial-of-service attack, but why spread it
    >> out over so many destination IP addresses (many of which have no Internet
    >> presence), and why would the flood be so weak as not to actually affect
    >> anything?
    >> 
    >> Could this be an IDS allowing spoofed IP addresses through while stripping
    >> out a "dangerous" payload that might come along with the first ACK response?
    >> Or maybe a form of scan where the volume of response carries information
    >> they want?  Has anyone seen something similar?
    >> 
    >> David
    >> 
    >>
    >> ----------------------------------------------------------------------------
    >> This list is provided by the SecurityFocus ARIS analyzer service.
    >> For more information on this free incident handling, management
    >> and tracking system please see: http://aris.securityfocus.com
    >
    >-- 
    >In a five year period we can get one superb programming language.  Only
    >we can't control when the five year period will begin.
    >
    
    
    
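The thread describes SYN-only traffic from a few sources sweeping every local address (including ones with no web server) and leaving half-open connections that never complete. The following is an added example, not code from any poster, of triage logic that picks such sources out of a constructed packet summary; it assumes 192.0.2.0/24 as the local network and 203.0.113.7 as the forged source address, both constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (time_s, src, dst, dst_port, flags) as a border firewall
# might summarise inbound packets.  192.0.2.0/24 stands in for the local
# network, 203.0.113.7 for the address being spoofed (both constructed).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
LIVE_HOSTS = {"192.0.2.10", "192.0.2.20"}    # addresses that really serve port 80
SAMPLE = [(i * 0.5, "203.0.113.7", f"192.0.2.{h}", 80, "S")
          for i, h in enumerate([10, 20, 33, 34, 35, 36, 37, 38, 10, 20] * 6)]
SAMPLE += [(0.1, "198.51.100.9", "192.0.2.10", 80, "S"),   # an ordinary visitor
           (0.2, "198.51.100.9", "192.0.2.10", 80, "A"),   # who completes the handshake
           (0.3, "198.51.100.9", "192.0.2.10", 80, "PA")]

def summarise_sources(records, local_net=LOCAL_NET, live_hosts=LIVE_HOSTS):
    """Per source: bare SYNs sent, local destinations hit, destinations with
    no web server ("dark"), ACKs seen (handshake completions) and active span."""
    per_src = defaultdict(lambda: {"syns": 0, "dsts": set(), "dark": set(),
                                   "acks": 0, "first": None, "last": None})
    for t, src, dst, port, flags in records:
        if port != 80 or ipaddress.ip_address(dst) not in local_net:
            continue
        s = per_src[src]
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
        if "S" in flags and "A" not in flags:          # bare SYN: first step only
            s["syns"] += 1
            s["dsts"].add(dst)
            if dst not in live_hosts:
                s["dark"].add(dst)
        elif "A" in flags:                             # client ACK: a real handshake
            s["acks"] += 1
    return per_src

def likely_reflection_victims(summary, min_dsts=4):
    """A source that SYNs many local addresses, including dark ones, and never
    completes a handshake is not our attacker: its address is being forged so
    that our SYN-ACKs land on it.  Returns {src: counters} for such sources."""
    flagged = {}
    for src, s in summary.items():
        if s["acks"] == 0 and len(s["dsts"]) >= min_dsts and s["dark"]:
            flagged[src] = {"syns": s["syns"], "dsts": len(s["dsts"]),
                            "dark": len(s["dark"]),
                            "active_s": round(s["last"] - s["first"], 1)}
    return flagged

if __name__ == "__main__":
    for src, info in likely_reflection_victims(summarise_sources(SAMPLE)).items():
        print(f"{src}: {info}")
```

A source flagged this way is the reflection target rather than the attacker, so blocking it only penalises the victim; the useful response is to keep SYN-ACK retransmits and backlog sizes modest and to raise the spoofed traffic with the upstream provider.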
    



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 17:37:29 PST