<Enter Conspiracy Theory here ;)>

> I read that to mean that the intermediary was seeing reflected SYN
> {ACK|RST} packets directed at *different* targets over time (most
> attacks only last a few minutes at a time). In Steve's case, the
> attackers directed the attack only at grc.com for an extended period
> of time. Two different attackers, with two different MOs.

Ack, the question would then have to be: why choose dialups as a target, and if so, why only for a short period of time ("short" being relative to some)?

> Some attacks are directed at dialups, as well as end hosts. They
> usually are trying to take out an entire IRC channel's worth
> of clients, as well as the IRC servers, to do a "takeover".

Possible, but you will agree that you will find other attacks much more suitable than this attack. Why not SYN-flood them directly, for instance using dead hosts, so their resources are hogged (open state connections)?

> Right. Spoofing is what allows the reflection to work. The
> reflection is blindly done against any of a number of services
> believed to be active (e.g., SSH, SNMP, Telnet, and HTTP for a
> router, as in Steve's case).

I doubt that whether the service is alive or not is of any importance here for the intended target (target in Mr. Gibson's view), see [2]. If they chose a service which is alive, that shows that they intended to attack *that* server directly, since this is a way to hog its resources other than bandwidth (be it OS, stack, CPU) if no anti-SYN-flood mechanisms have been implemented.

> Some routers don't have all services
> running, so SYN RSTs are sent. Others do, so you only see SYN ACKs
> sent out.

[2] Which in this particular case isn't important (for the target): be it SYN-ACK or RST-ACK packets, it is of no importance to the "real" target (Mr. Gibson's viewpoint), as it will be rejected or dropped anyway (if configured correctly). However, it is also possible that they just wanted to squish another RST packet out of Mr. Gibson's box for every SYN-ACK packet which arrived, and thus create (yet) more bandwidth usage.

Please correct me if anything above is wrong, I am always happy to learn from my errors.

==
Zoller Thierry
http://www.sniff-em.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
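As an added example (not from the post or the list), here is a small Python detector for the victim-side view discussed in the message: SYN-ACK and RST-ACK packets arriving from many routers the host never sent a SYN to, classified by whether the reflected service is alive (SYN-ACK) or closed (RST-ACK), together with the RSTs the victim's own stack sends back, which the post notes add to the bandwidth cost. The log format, addresses and the `analyse` function are constructed assumptions for the illustration.

```python
from collections import defaultdict

VICTIM = "192.0.2.10"  # constructed victim address (TEST-NET-1 range)

# Constructed packet log, one packet per line: "time src:port > dst:port flags"
# (flags: S = SYN, SA = SYN-ACK, RA = RST-ACK, R = RST)
LOG = """\
1 192.0.2.10:40000 > 198.51.100.7:80 S
2 198.51.100.7:80 > 192.0.2.10:40000 SA
3 203.0.113.1:22 > 192.0.2.10:1025 SA
4 203.0.113.2:23 > 192.0.2.10:1026 RA
5 203.0.113.3:80 > 192.0.2.10:1027 SA
6 203.0.113.1:22 > 192.0.2.10:1028 SA
7 192.0.2.10:1025 > 203.0.113.1:22 R
"""

def parse(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(ts), sip, int(sport), dip, int(dport), flags

def analyse(log, victim, min_reflectors=3):
    """Return unsolicited SYN-ACK/RST-ACK statistics for `victim`."""
    sent_syn = set()                          # (dst_ip, dst_port, src_port) we really opened
    reflectors = defaultdict(lambda: {"SA": 0, "RA": 0})
    unsolicited = rst_replies = 0
    for line in log.strip().splitlines():
        _, sip, sport, dip, dport, flags = parse(line)
        if sip == victim and flags == "S":
            sent_syn.add((dip, dport, sport))
        elif dip == victim and flags in ("SA", "RA"):
            if (sip, sport, dport) in sent_syn:
                continue                      # reply to a SYN we actually sent
            unsolicited += 1
            reflectors[(sip, sport)][flags] += 1
        elif sip == victim and flags == "R":
            rst_replies += 1                  # our stack answering reflected SYN-ACKs
    # SYN-ACK means the reflector's service is listening; RST-ACK means the port is closed
    services = {r: ("alive" if c["SA"] else "closed") for r, c in reflectors.items()}
    return {
        "unsolicited": unsolicited,
        "reflectors": services,
        "rst_replies": rst_replies,
        "reflected_flood": len(services) >= min_reflectors,
    }

if __name__ == "__main__":
    print(analyse(LOG, VICTIM))
```

On real traffic the SYN table needs a timeout and the threshold should be tuned per host; the point is that a legitimate host never receives SYN-ACKs for connections it did not open, so many distinct unsolicited senders is the signal.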
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 08:38:47 PST