Security Incidents
mailing list archives
Re: Port 80 SYN flood-like behavior
From: Dave <rewd () linux amiga cx>
Date: Fri, 15 Feb 2002 18:24:56 -0800 (PST)
On Thu, 14 Feb 2002, John Elliott wrote:

> On February 13, 2002 22:58 pm, Dave Dittrich wrote:
> [snip]
> > This attack used a variation of a TCP based reflection attack that is
> > not widely known to exist in the wild. Steve's early analysis of the
> > attack is included below (Appendix A).
> > While there may be a new (D)DoS program "in the wild" to implement this
> > attack, the risks and methods have been known for two or more years
> > and some simple modifications to existing tools, and a good list of
> > high-capacity routers, switches, and servers, could effect an attack
> > of this type.
>
> I have two web servers on different networks that have been receiving this
> type of traffic for the last 2 or 3 weeks. The same source IPs hit both
> hosts at about the same time. This is low rate traffic and generates ACKs
> back to the target. I have been logging this activity for about two weeks
> and have captured some of the packets. I suspect that more than one machine
> has the same reflector host list, based on the varying times of day when
> activity occurs.
I noticed this traffic on my machine last November; it wasn't until a few
weeks ago that I had time to figure out it was some sort of SYN flood. I'm
glad someone finally mentioned this, as I thought I had pissed someone
off. :)

I have a couple of packets from Jan 3 if anyone needs them.
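The observation in the quoted message, that the same source IPs send low-rate SYNs to unrelated web servers at about the same time and never complete a handshake, is exactly the signature of a reflector being abused: the "source" address is the spoofed victim, and each SYN makes the server send a SYN/ACK to that victim. The following script is an added example (not code from this thread or from any of its participants) that runs that correlation over constructed SYN log lines from two sensors. The log format, sensor names and addresses are assumptions made up for the example.

```python
"""Correlate port-80 SYN logs from several web servers to spot TCP reflection abuse.

Constructed example. A source IP is reported as a likely reflection victim when
it only ever sends SYNs (no later ACK, i.e. no completed handshake) and those SYNs
arrive on at least two different servers within a short window of each other.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<sensor> <ISO timestamp> <src_ip> <dst_port> <tcp_flags>"
# 198.51.100.7 appears on both servers seconds apart and never ACKs: reflection pattern.
# 203.0.113.9 completes a handshake on www1: an ordinary client.
# 192.0.2.55 is seen on one server only: not enough to correlate.
SAMPLE_LOG = """\
www1 2002-01-03T02:14:05 198.51.100.7 80 S
www2 2002-01-03T02:14:09 198.51.100.7 80 S
www1 2002-01-03T02:14:40 198.51.100.7 80 S
www2 2002-01-03T02:14:44 198.51.100.7 80 S
www1 2002-01-03T02:15:10 203.0.113.9 80 S
www1 2002-01-03T02:15:10 203.0.113.9 80 A
www2 2002-01-03T09:30:00 192.0.2.55 80 S
www1 2002-01-03T11:00:00 198.51.100.7 80 S
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, src, dport, flags = line.split()
        records.append({
            "sensor": sensor,
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dport": int(dport),
            "flags": flags,
        })
    return records


def find_reflection_victims(records, window_seconds=60, min_sensors=2):
    """Return {src_ip: summary} for addresses that look like spoofed reflection targets."""
    syn_times = defaultdict(lambda: defaultdict(list))   # src -> sensor -> [SYN times]
    completed = set()                                     # srcs that sent a non-SYN segment
    for r in records:
        if r["dport"] != 80:
            continue
        if r["flags"] == "S":
            syn_times[r["src"]][r["sensor"]].append(r["time"])
        else:
            completed.add(r["src"])

    window = timedelta(seconds=window_seconds)
    suspects = {}
    for src, per_sensor in syn_times.items():
        # A host that ever finished a handshake is a real client, not a spoofed address.
        if src in completed or len(per_sensor) < min_sensors:
            continue
        sensors = sorted(per_sensor)
        correlated = 0
        # Count SYNs on one sensor that have a near-simultaneous SYN on another sensor.
        for i, a in enumerate(sensors):
            for b in sensors[i + 1:]:
                for ta in per_sensor[a]:
                    if any(abs(ta - tb) <= window for tb in per_sensor[b]):
                        correlated += 1
        if correlated:
            suspects[src] = {
                "sensors": sensors,
                "syn_count": sum(len(v) for v in per_sensor.values()),
                "correlated_syns": correlated,
            }
    return suspects


if __name__ == "__main__":
    for ip, info in find_reflection_victims(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['syn_count']} SYNs on {info['sensors']}, "
              f"{info['correlated_syns']} correlated across sensors; "
              f"this address is being flooded with our SYN/ACKs, not attacking us")
```

The point of the report line is the operational one: an address that shows up this way should not be treated as an attacker and blocked, because it is the spoofed target receiving your server's SYN/ACKs. It is the party to notify, and it is the reason to keep SYN/ACK retransmission counts and SYN queue lifetimes short on public servers.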
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com