Re: Port 80 SYN flood-like behavior

From: Dave Dittrich (dittrichat_private)
Date: Thu Feb 14 2002 - 15:40:25 PST


    > >What you are describing exactly fits the description of a "midpoint server"
    > >participating in a new form of Distributed Denial of Service attack.
    >
    > No, he said the Source IP changes over time and did/do not remain constant.
    
    I read that to mean that the intermediary was seeing reflected SYN
    {ACK|RST} packets directed at *different* targets over time (most
    attacks only last a few minutes at a time).  In Steve's case, the
    attackers directed the attack only at grc.com for an extended period
    of time.  Two different attackers, with two different MOs.
    
    > If it would have been the same "attack" then yours the source IP
    > should remain the same, constant, i.e in your case grc.com IP (or
    > whatever IP you have), and by no means have the source of a dialup,
    > except someone is using "decoys" to hide the real "source", or in
    > your view "target".
    
    Some attacks are directed at dialups, as well as end hosts.  They
    usually are trying to take out an entire IRC channel's worth
    of clients, as well as the IRC servers, to do a "takeover".
    
    > >Briefly, the idea is that a spoofed source IP SYN flood is gently
    > >spread across a LARGE number of TCP servers. Each of the many
    > >servers replies with SYN/ACK packets ... aimed at the attack's
    > >intended target.
    >
    > Or RST for instance if the port is closed.  Read : Spoofed Packet
    
    Right.  Spoofing is what allows the reflection to work.  The
    reflection is blindly done against any of a number of services
    believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a
    router, as in Steve's case).  Some routers don't have all services
    running, so SYN RSTs are sent.  Others do, so you only see SYN ACKs
    sent out.
    
    --
    Dave Dittrich                           Computing & Communications
    dittrichat_private             University Computing Services
    http://staff.washington.edu/dittrich    University of Washington
    
    PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
    Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
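The reflection mechanics discussed in the message above, as an added example that is not part of the original post or of the list: two views of the same spoofed-source SYN flood, one from the intended target (which receives SYN/ACKs, or RST/ACKs from closed ports, that answer no SYN it ever sent) and one from a midpoint server (which receives SYNs whose claimed source never completes the handshake, because the SYN/ACK went to the real target instead). The addresses are documentation-range placeholders, the packet records are constructed rather than read from a capture, and the thresholds are assumptions chosen for the example.

```python
"""Two views of a reflected (spoofed-source) SYN flood on constructed packet
records. Added example; not code from the original post or from the list."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP packet as seen by the monitored host (constructed record, not pcap)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK, "A" = ACK
    direction: str   # "in" or "out" relative to the monitored host


def unsolicited_replies(pkts):
    """Target-side view: SYN/ACK or RST/ACK packets that answer no SYN we sent.

    A legitimate reply matches an earlier outbound SYN on (peer, peer port,
    our port); anything else is backscatter from a reflector.
    Returns {reflector_ip: count}.
    """
    opened = set()
    hits = defaultdict(int)
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.direction == "out" and p.flags == "S":
            opened.add((p.dst, p.dport, p.sport))
        elif p.direction == "in" and p.flags in ("SA", "RA"):
            if (p.src, p.sport, p.dport) not in opened:
                hits[p.src] += 1
    return dict(hits)


def is_reflected_flood(pkts, min_reflectors=3, min_packets=6):
    """Thresholds are assumptions for this example; tune them to the link."""
    hits = unsolicited_replies(pkts)
    return len(hits) >= min_reflectors and sum(hits.values()) >= min_packets


def reflector_view(pkts):
    """Midpoint-server view: per claimed source, how many SYNs arrived, to
    which service ports, and how many handshakes that 'source' completed.
    A spoofed source never sends the third ACK: our SYN/ACK went elsewhere."""
    stats = defaultdict(lambda: {"syns": 0, "ports": set(), "completed": 0})
    pending = set()
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.direction != "in":
            continue
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            stats[p.src]["syns"] += 1
            stats[p.src]["ports"].add(p.dport)
            pending.add(key)
        elif p.flags == "A" and key in pending:
            pending.discard(key)
            stats[p.src]["completed"] += 1
    return dict(stats)


def suspected_targets(pkts, min_ports=2):
    """Claimed sources that hit several services and completed nothing:
    from the reflector's chair, that 'source IP' is the victim."""
    return sorted(src for src, s in reflector_view(pkts).items()
                  if s["completed"] == 0 and len(s["ports"]) >= min_ports)


# Constructed traces (documentation-range addresses; not real captures).
VICTIM_HOST = "203.0.113.10"
VICTIM_TRACE = [
    Pkt(0.0, VICTIM_HOST, 40000, "192.0.2.7", 443, "S", "out"),   # our own connection
    Pkt(0.1, "192.0.2.7", 443, VICTIM_HOST, 40000, "SA", "in"),   # its legitimate reply
    Pkt(1.0, "198.51.100.1", 80, VICTIM_HOST, 1025, "SA", "in"),  # backscatter begins
    Pkt(1.1, "198.51.100.2", 22, VICTIM_HOST, 1025, "SA", "in"),
    Pkt(1.2, "198.51.100.3", 23, VICTIM_HOST, 1025, "RA", "in"),  # telnet closed there
    Pkt(1.3, "198.51.100.1", 80, VICTIM_HOST, 1026, "SA", "in"),
    Pkt(1.4, "198.51.100.4", 80, VICTIM_HOST, 1026, "SA", "in"),
    Pkt(1.5, "198.51.100.5", 22, VICTIM_HOST, 1027, "RA", "in"),
]

REFLECTOR_HOST = "198.51.100.1"
REFLECTOR_TRACE = [
    Pkt(0.0, VICTIM_HOST, 1025, REFLECTOR_HOST, 80, "S", "in"),   # spoofed SYNs
    Pkt(0.0, REFLECTOR_HOST, 80, VICTIM_HOST, 1025, "SA", "out"),  # our reply goes to victim
    Pkt(0.2, VICTIM_HOST, 1026, REFLECTOR_HOST, 22, "S", "in"),
    Pkt(0.4, VICTIM_HOST, 1027, REFLECTOR_HOST, 23, "S", "in"),
    Pkt(0.6, VICTIM_HOST, 1028, REFLECTOR_HOST, 80, "S", "in"),
    Pkt(1.0, "192.0.2.50", 51000, REFLECTOR_HOST, 80, "S", "in"),  # real client
    Pkt(1.1, REFLECTOR_HOST, 80, "192.0.2.50", 51000, "SA", "out"),
    Pkt(1.2, "192.0.2.50", 51000, REFLECTOR_HOST, 80, "A", "in"),  # handshake completes
]

if __name__ == "__main__":
    print("target view, backscatter per reflector:", unsolicited_replies(VICTIM_TRACE))
    print("reflected flood?", is_reflected_flood(VICTIM_TRACE))
    print("reflector view, suspected targets:", suspected_targets(REFLECTOR_TRACE))
```

The target-side check is the one the original poster could run on his own link: a burst of SYN/ACK and RST/ACK from many hosts, none matching a SYN he sent, is reflection regardless of whether the reflectors' addresses change. The reflector-side check explains the thread's disagreement over the "changing source IP": the midpoint sees the victim's address in the source field, so if the attack is pointed at different victims over time, the "source" changes with it.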
    



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 16:39:46 PST