> >What you are describing exactly fits the description of a "midpoint server"
> >participating in a new form of Distributed Denial of Service attack.
>
> No, he said the Source IP changes over time and did/do not remain constant.

I read that to mean that the intermediary was seeing reflected SYN {ACK|RST}
packets directed at *different* targets over time (most attacks only last a
few minutes at a time). In Steve's case, the attackers directed the attack
only at grc.com for an extended period of time. Two different attackers,
with two different MOs.

> If it would have been the same "attack" then your source IP
> should remain the same, constant, i.e. in your case grc.com IP (or
> whatever IP you have), and by no means have the source of a dialup,
> except someone is using "decoys" to hide the real "source", or in
> your view "target".

Some attacks are directed at dialups, as well as end hosts. They usually
are trying to take out an entire IRC channel's worth of clients, as well as
the IRC servers, to do a "takeover".

> >Briefly, the idea is that a spoofed source IP SYN flood is gently
> >spread across a LARGE number of TCP servers. Each of the many
> >servers replies with SYN/ACK packets ... aimed at the attack's
> >intended target.
>
> Or RST for instance if the port is closed. Read : Spoofed Packet

Right. Spoofing is what allows the reflection to work. The reflection is
blindly done against any of a number of services believed to be active
(e.g., SSH, SNMP, Telnet, and HTTP for a router, as in Steve's case). Some
routers don't have all services running, so SYN RSTs are sent. Others do,
so you only see SYN ACKs sent out.
--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
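The midpoint's view described in the thread (spoofed SYNs arrive carrying the victim's address; the host answers with SYN/ACK on open ports or RST on closed ones, and the spoofed "source" never completes a handshake) can be checked from a connection log. The following is an added example, not code from the list posting; the packet records and IP addresses are constructed, and a source that sends several SYNs but never an ACK is treated as spoofed, i.e. as the real target of the reflected traffic.

```python
from collections import defaultdict

# Constructed packet records, as a router or server acting as a reflection
# "midpoint" might log them: (direction, src_ip, dst_ip, dst_port, tcp_flags).
# "in" = packet arriving at this host (203.0.113.1), "out" = packet it sent.
MIDPOINT_LOG = [
    # Genuine client: SYN, gets SYN/ACK, then finishes the handshake with ACK.
    ("in",  "198.51.100.7", "203.0.113.1", 22, "S"),
    ("out", "203.0.113.1", "198.51.100.7", 22, "SA"),
    ("in",  "198.51.100.7", "203.0.113.1", 22, "A"),
    # Spoofed SYNs carrying the victim's address; the victim never ACKs back.
    ("in",  "192.0.2.10", "203.0.113.1", 22, "S"),
    ("out", "203.0.113.1", "192.0.2.10", 22, "SA"),   # open port -> SYN/ACK
    ("in",  "192.0.2.10", "203.0.113.1", 23, "S"),
    ("out", "203.0.113.1", "192.0.2.10", 23, "R"),    # closed port -> RST
    ("in",  "192.0.2.10", "203.0.113.1", 80, "S"),
    ("out", "203.0.113.1", "192.0.2.10", 80, "SA"),
]


def reflection_targets(log, min_syns=3):
    """Return {claimed_source: summary} for sources that sent at least
    min_syns SYNs but never an ACK. Such a source never completes a
    handshake, so it is almost certainly spoofed, and the SYN/ACK and RST
    packets this host sent back to it are reflected attack traffic."""
    syns = defaultdict(int)      # inbound SYNs per claimed source
    acks = defaultdict(int)      # inbound handshake-completing ACKs per source
    sent = defaultdict(lambda: {"synack": 0, "rst": 0, "ports": set()})
    for direction, src, dst, dport, flags in log:
        if direction == "in" and flags == "S":
            syns[src] += 1
        elif direction == "in" and "A" in flags and "S" not in flags:
            acks[src] += 1
        elif direction == "out" and flags == "SA":
            sent[dst]["synack"] += 1
            sent[dst]["ports"].add(dport)
        elif direction == "out" and flags == "R":
            sent[dst]["rst"] += 1
            sent[dst]["ports"].add(dport)
    report = {}
    for src, n in syns.items():
        if n >= min_syns and acks[src] == 0:
            r = sent[src]
            report[src] = {"syns": n, "synack": r["synack"], "rst": r["rst"],
                           "ports": sorted(r["ports"])}
    return report


if __name__ == "__main__":
    for target, info in reflection_targets(MIDPOINT_LOG).items():
        print(target, info)
```

Running the report over successive time windows shows whether the apparent target stays constant (one victim, as in the grc.com case) or shifts from window to window (the intermediary in the thread).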
This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 16:39:46 PST