Re: Port 80 SYN flood-like behavior

From: Thierry Zoller (support@sniff-em.com)
Date: Fri Feb 15 2002 - 05:28:05 PST


    <Enter Conspiracy Theory here ;)>
    
    >I read that to mean that the intermediary was seeing reflected SYN
    >{ACK|RST} packets directed at *different* targets over time (most
    >attacks only last a few minutes at a time).  In Steve's case, the
    >attackers directed the attack only at grc.com for an extended period
    >of time.  Two different attackers, with two different MOs.
    
    Ack, the question would then have to be: why choose dialups as the
    target, and if so, why only for a short period of time ("short" being relative
    to some)?
    
    >Some attacks are directed at dialups, as well as end hosts.  They
    >usually are trying to take out an entire IRC channel's worth
    >of clients, as well as the IRC servers, to do a "takeover".
    
    Possible, but (and you will agree) you will find other attacks
    much more suitable than this attack; why not SYN-flood them directly,
    for instance using dead hosts, so their resources are hogged (open-state
    connections)?
    
    >Right.  Spoofing is what allows the reflection to work.  The
    >reflection is blindly done against any of a number of services
    >believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a
    >router, as in Steve's case). 
    
    I doubt that whether the service is alive or not is of any
    importance here for the intended target (target in
    Mr. Gibson's view); see [2].
    
    If they choose a service which is alive, it shows that they intended to
    attack *that* server directly, since this is a way to hog its
    resources other than bandwidth (be it OS, stack, CPU) if no anti-
    SYN-flood mechanisms have been implemented.
    
    >Some routers don't have all services
    >running, so SYN RSTs are sent.  Others do, so you only see SYN ACKs
    >sent out.
    
    [2] Which in this particular case isn't important (for the target): be it
    SYN-ACK or RST-ACK packets, it is of no importance to the "real"
    target (Mr. Gibson's viewpoint), as they will be rejected or dropped anyway
    (if configured correctly).
    
    However, it is also possible that they just wanted to squeeze another RST packet
    out of Mr. Gibson's box for every SYN-ACK packet which arrived, and thus
    create (yet) more bandwidth usage.
    
    Please correct me if anything above is wrong; I am always happy to learn
    from my errors.
    
    == 
    Zoller Thierry
    http://www.sniff-em.com
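
A defender-side way to pick out the reflected SYN-ACK/RST-ACK pattern the thread is discussing, as an added example that is not part of this post or the list archive. The packet records and addresses are constructed, and the flood thresholds are assumptions; the "rst_replies_expected" figure is the extra RST-per-SYN-ACK egress the reply above points at.

```python
from collections import Counter

# Constructed sample records (not captured traffic): what a sensor at the
# victim's border would see. Fields: direction, src, sport, dst, dport, flags.
VICTIM = "203.0.113.10"  # placeholder victim address
SAMPLE = [
    ("out", VICTIM, 40001, "198.51.100.5", 80, "SYN"),      # our own connect
    ("in", "198.51.100.5", 80, VICTIM, 40001, "SYN|ACK"),   # legitimate reply
    ("in", "192.0.2.1", 22, VICTIM, 1024, "SYN|ACK"),       # router with SSH up
    ("in", "192.0.2.2", 23, VICTIM, 1025, "SYN|ACK"),       # router with Telnet up
    ("in", "192.0.2.3", 80, VICTIM, 1026, "SYN|ACK"),       # router with HTTP up
    ("in", "192.0.2.4", 22, VICTIM, 1027, "RST|ACK"),       # router with SSH closed
    ("in", "192.0.2.1", 22, VICTIM, 1028, "SYN|ACK"),       # same reflector again
]


def classify(records, victim):
    """Split inbound SYN-ACK / RST-ACK into solicited and unsolicited.

    A SYN-ACK or RST-ACK is solicited only if it answers a SYN the victim
    itself sent to that (host, port) from that source port; anything else
    is a reflection of a SYN someone spoofed with the victim's address.
    """
    sent = set()
    unsolicited = Counter()  # unsolicited replies per reflector address
    syn_acks = 0             # each unsolicited SYN-ACK draws a RST from our stack
    for direction, src, sport, dst, dport, flags in records:
        fl = set(flags.split("|"))
        if direction == "out" and src == victim and fl == {"SYN"}:
            sent.add((dst, dport, sport))
        elif direction == "in" and dst == victim and fl in ({"SYN", "ACK"}, {"RST", "ACK"}):
            if (src, sport, dport) in sent:
                continue  # normal handshake reply to our own SYN
            unsolicited[src] += 1
            if "SYN" in fl:
                syn_acks += 1
    return unsolicited, syn_acks


def reflection_report(records, victim, min_unsolicited=4, min_reflectors=3):
    """Flag a reflection flood: many unsolicited replies from many reflectors."""
    unsolicited, syn_acks = classify(records, victim)
    total = sum(unsolicited.values())
    return {
        "unsolicited": total,
        "reflectors": sorted(unsolicited),
        "rst_replies_expected": syn_acks,
        "flood": total >= min_unsolicited and len(unsolicited) >= min_reflectors,
    }
```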
    