mailing list archives
Re: Port 80 SYN flood-like behavior
From: Steve Gibson <bugtraq () grc com>
Date: Wed, 13 Feb 2002 15:54:45 -0800
In the last few days I've been seeing what *looks* like a SYN flood attack
on port 80 across all IP addresses on my network. However, if it's a
flood, it's not a very strong one. Modest hardware is able to keep up
with the incoming packets without a problem, but the steady flow of SYN
packets is still a steady flow. (On a given system, the number of
connections in a SYN_RECVD-ish state numbers 50-100.) The source IP
addresses stay constant for a minute or two and then cease, sometimes as
another IP address starts sending its own stream of SYN packets, though
occasionally more than one host will be sending traffic at a time. Source
addresses are in a variety of networks, but seem to be consistently dialup
or similar type connections.
It "feels" like an attempt at a denial-of-service attack, but why spread
it out over so many destination IP addresses (many of which have no
Internet presence), and why would the flood be so weak as not to actually
Could this be an IDS allowing spoofed IP addresses through while stripping
out a "dangerous" payload that might come along with the first ACK
response? Or maybe a form of scan where the volume of response carries
information they want? Has anyone seen something similar?
What you are describing exactly fits the description of a "midpoint server"
participating in a new form of Distributed Denial of Service attack. We
were on the receiving end of such an attack a little over one month ago.
Briefly, the idea is that a spoofed source IP SYN flood is gently spread
across a LARGE number of TCP servers. Each of the many servers replies with
SYN/ACK packets ... aimed at the attack's intended target. Since each
unacknowledged SYN/ACK will be repeated (generally three times) this
results in a factor-four bandwidth multiplication.
From the viewpoint of the attack victim, a large number of well-connected
Internet servers appears to be flooding them with SYN/ACK packets.
In the case of the attack aimed at us, 202 individual Internet routers were
flooding us with SYN/ACK packets from the BGP port.
I am in the process of writing up a detailed report with a detailed
analysis of the packet capture, but you can see what I have so far at:
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com