erik, I first saw your response and was thinking that you were 100% correct and that someone was SYN flooding my box; however, what makes this unique is the following:

1) source IPs are erratically different
2) the times of each occurrence are very spaced out
3) the packet size/window vary as well
4) the target address (mine) is dynamic and had only been up about 60 minutes before the connection attempts
5) it only occurred on that one day
6) the target address is on a dialup connection with no real services behind it.

To go a little bit further with my reasoning, starting at the bottom and moving up:

6 - there are really only a few purposes for which an attacker could desire to attack a dialup connection (in my experience, that is):
  a) the system was randomly compromised by either a virus or some form of 'I accidentally opened that attachment and now the network is down', and was sending out initial requests to which they were trying to respond.
  b) the address that I was using had been in use by another person who had been flooded off the network or just disconnected.
  c) it was a randomly selected IP address that a DDoS was to be performed on...

5 - since it only occurred on the one day, it makes me almost think that it could have been an attempt at a DDoS on my system or that the source addresses were not really what they claimed to be

4 - that 60 minute period only occurred since my connection was running at a smooth 9600 baud and IRC couldn't keep up with it

3 - this makes me think that they are either different platforms (see below) or it is a subversive way of deferring the target's thoughts to hide what is really happening.

2 - if this were a DDoS or any SYN flood attempt, 3 SYN packets going in is hardly enough to bring down a line, even that of a dialup connection at 9600 baud. Since the timestamps between each occurrence are also spread out, a DDoS can _almost_ be ignored, as they are not occurring in a quick enough fashion to actually bring down the line.

1 - it was somewhat mentioned above, but if I were a kiddie that was attempting to SYN flood someone, either from one host or many, I would have made sure that all of the systems I was working on were attacking at the same time. Since the time stamps differ (#2) and the source addresses differ, this plays a big factor.

Now for some converse notes.... It was mentioned as a big part that 1) this is a dialup line, and 2) it was only connecting at 9600. This could mean that the packets weren't even getting to my system at all and could have been arriving at a much heavier frequency.

I mentioned that all of the systems could have been running on different platforms. I have run a few scans on the targeted systems and have found that many appear to be MS Windows 2000 systems with some common ports > 1024 open (none of which being the targeted port, might I add), and that other systems are different platforms or are protected by different platforms. (I've since then added a directory called scans/ that has all of the output.)

So, the question really still remains as it was and makes me wonder even more:
  why all the different source addresses?
  why all the different platforms / source system types?
  why only 3 connection attempts before stopping?
  why the large time scale between hits?
  why only that one day and never again?

If you, or anyone else, can answer this, please do, for I am at a loss.

Thanks,
Ryan Yagatich <supportat_private>
Pantek, Incorporated
(877) LINUX-FIX - (440) 519-1802
===================================
E8 35 42 82 32 4E 63 6D B5 FF 7B 8A 6E DE D5 1F D0 2C 06 C6 8D 3D B6 95
===================================
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs and the universe trying to produce bigger and better idiots. So far, the universe is winning.

On Thu, 10 Oct 2002 eschottat_private wrote:

> It looks like an attempt at a TCP SYN flood. However, I would recommend strongly that you use snoop, tcpdump or netcat to monitor the traffic and see if your host responds with a SYN ACK packet and never receives an ACK from the originator. If that is the case, then you very likely are seeing a TCP SYN flood attempt.
>
> Erik J. Schott
> Technical Instructor
> eXceed Education, Inc.
> 379 Thornall St. 4th Floor
> Edison, NJ 08837
> Voice: 732.767.1641
> Fax: 732.767.0746
> eschottat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
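An added example, not from either poster, that turns Erik's suggested check (did the host send a SYN-ACK and never get the originator's ACK?) and Ryan's reasoning (how many SYNs, from how many sources, how far apart) into a small script over simplified `tcpdump -n` style lines. The capture lines, the local address 192.0.2.10, the target port 113 and the 60-second burst threshold are all constructed assumptions for the example.

```python
import re

# Constructed sample in simplified "tcpdump -n" format (not the poster's capture).
# Local dialup host is 192.0.2.10; three remote SYNs arrive hours apart.
SAMPLE = """\
09:02:11.110000 IP 198.51.100.7.1034 > 192.0.2.10.113: Flags [S], seq 1, win 8192, length 0
09:02:11.120000 IP 192.0.2.10.113 > 198.51.100.7.1034: Flags [S.], seq 9, ack 2, win 5840, length 0
09:02:11.400000 IP 198.51.100.7.1034 > 192.0.2.10.113: Flags [.], ack 10, win 8192, length 0
11:47:30.500000 IP 203.0.113.42.3312 > 192.0.2.10.113: Flags [S], seq 1, win 16384, length 0
11:47:30.510000 IP 192.0.2.10.113 > 203.0.113.42.3312: Flags [S.], seq 9, ack 2, win 5840, length 0
15:12:02.000000 IP 198.51.100.200.2048 > 192.0.2.10.113: Flags [S], seq 1, win 65535, length 0
15:12:02.010000 IP 192.0.2.10.113 > 198.51.100.200.2048: Flags [S.], seq 9, ack 2, win 5840, length 0
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(text, local):
    """Track each inbound handshake: remote SYN -> our SYN-ACK -> remote ACK."""
    flows = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, src, sp, dst, dp, flags = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        if dst == local and flags == "S":              # remote opens a connection
            flows[(src, int(sp), int(dp))] = {"syn": t, "synack": False, "ack": False}
        elif src == local and flags == "S.":           # we answered with SYN-ACK
            f = flows.get((dst, int(dp), int(sp)))
            if f:
                f["synack"] = True
        elif dst == local and "." in flags and "S" not in flags:  # remote's ACK
            f = flows.get((src, int(sp), int(dp)))
            if f and f["synack"]:
                f["ack"] = True
    return flows

def half_open(flows):
    """Flows where we sent SYN-ACK and never saw the originator's ACK."""
    return sorted(k for k, v in flows.items() if v["synack"] and not v["ack"])

def assess(flows, burst_window=60):
    """Summarise flood indicators; a real SYN flood is many SYNs in a short window."""
    times = sorted(v["syn"] for v in flows.values())
    min_gap = min((b - a for a, b in zip(times, times[1:])), default=None)
    return {"syns": len(times), "distinct_sources": len({k[0] for k in flows}),
            "half_open": len(half_open(flows)), "min_gap_s": min_gap,
            "burst": min_gap is not None and min_gap <= burst_window}
```

On this sample two of three handshakes stay half-open (the SYN-ACK gets no reply, which could be spoofed sources), but the SYNs are hours apart, so the summary does not flag a burst.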
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 13:24:24 PST