Security Incidents
mailing list archives
Re: Port 80 SYN flood-like behavior
From: Steve Gibson <bugtraq () grc com>
Date: Wed, 13 Feb 2002 15:54:45 -0800
David,

> In the last few days I've been seeing what *looks* like a SYN flood attack
> on port 80 across all IP addresses on my network. However, if it's a
> flood, it's not a very strong one. Modest hardware is able to keep up
> with the incoming packets without a problem, but the steady flow of SYN
> packets is still a steady flow. (On a given system, the number of
> connections in a SYN_RECVD-ish state numbers 50-100.) The source IP
> addresses stay constant for a minute or two and then cease, sometimes as
> another IP address starts sending its own stream of SYN packets, though
> occasionally more than one host will be sending traffic at a time. Source
> addresses are in a variety of networks, but seem to be consistently dialup
> or similar type connections.
>
> It "feels" like an attempt at a denial-of-service attack, but why spread
> it out over so many destination IP addresses (many of which have no
> Internet presence), and why would the flood be so weak as not to actually
> affect anything?
>
> Could this be an IDS allowing spoofed IP addresses through while stripping
> out a "dangerous" payload that might come along with the first ACK
> response? Or maybe a form of scan where the volume of response carries
> information they want? Has anyone seen something similar?
What you are describing exactly fits the description of a "midpoint server"
participating in a new form of Distributed Denial of Service attack. We
were on the receiving end of such an attack a little over one month ago.
Briefly, the idea is that a spoofed source IP SYN flood is gently spread
across a LARGE number of TCP servers. Each of the many servers replies with
SYN/ACK packets ... aimed at the attack's intended target. Since each
unacknowledged SYN/ACK will be repeated (generally three times) this
results in a factor-four bandwidth multiplication.
From the viewpoint of the attack victim, a large number of well-connected
Internet servers appears to be flooding them with SYN/ACK packets.
In the case of the attack aimed at us, 202 individual Internet routers were
flooding us with SYN/ACK packets from the BGP port.
I am in the process of writing up a detailed report with a detailed
analysis of the packet capture, but you can see what I have so far at:
http://grc.com/dos/packetbounce.htm
regards,
______________________________________________________________________
Steve.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
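The two vantage points in this thread (David's network acting as an unwitting midpoint, and the eventual victim receiving SYN/ACKs it never asked for) can both be picked out of ordinary connection records. The script below is an added example written for this archive page; it is not code from either poster or from grc.com. The record layout, the local-network prefix, the `min_syns` threshold and the sample traffic are all constructed assumptions for the example; the reflector port 179 and the four-copies-per-SYN/ACK ratio follow the figures given in the reply above.

```python
"""Spotting SYN/ACK reflection ("packet bounce") in connection records.

Added example for this list archive, not code from the original post or
from grc.com. Record layout, field names, local-network prefix and the
threshold are assumptions made for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # arrival time in seconds (assumed field)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    seq: int       # sender's sequence number


def unsolicited_synacks(segments, local_prefix):
    """Victim's view: SYN/ACKs delivered to a local host although no local
    SYN for that 4-tuple was ever sent. A SYN spoofed in the victim's name
    produces exactly this: the reply arrives, the request never left."""
    outbound_syns = set()
    hits = []
    for s in sorted(segments, key=lambda x: x.ts):
        if s.flags == "S" and s.src.startswith(local_prefix):
            outbound_syns.add((s.src, s.sport, s.dst, s.dport))
        elif s.flags == "SA" and s.dst.startswith(local_prefix):
            if (s.dst, s.dport, s.src, s.sport) not in outbound_syns:
                hits.append(s)
    return hits


def reflection_summary(hits):
    """Collapse retransmitted copies of one SYN/ACK (same reflector, port
    and ISN); copies per distinct SYN/ACK is the amplification that the
    reflectors' retransmit timers supply."""
    copies = Counter((h.src, h.sport, h.seq) for h in hits)
    ports = Counter(h.sport for h in hits)
    return {
        "reflectors": len({h.src for h in hits}),
        "distinct_synacks": len(copies),
        "amplification": (sum(copies.values()) / len(copies)) if copies else 0.0,
        "top_port": ports.most_common(1)[0][0] if ports else None,
    }


def stalled_syn_sources(segments, local_prefix, min_syns=3):
    """Midpoint's view: remote sources whose SYNs to local servers never
    reach the handshake's third ACK. A source touching several local
    addresses with SYNs only matches the pattern David described."""
    syns = defaultdict(list)   # src -> list of (src, sport, dst, dport)
    acks = set()
    for s in segments:
        if not s.dst.startswith(local_prefix):
            continue
        key = (s.src, s.sport, s.dst, s.dport)
        if s.flags == "S":
            syns[s.src].append(key)
        elif s.flags == "A":
            acks.add(key)
    report = {}
    for src, keys in syns.items():
        completed = sum(1 for k in keys if k in acks)
        if len(keys) >= min_syns and completed == 0:
            report[src] = {"syns": len(keys),
                           "local_targets": len({k[2] for k in keys})}
    return report


def victim_sample():
    """Constructed capture at victim 10.0.0.5: three reflectors answer from
    port 179, each SYN/ACK sent four times, plus one legitimate handshake."""
    segs = []
    for i, refl in enumerate(["192.0.2.1", "192.0.2.2", "198.51.100.7"]):
        for copy in range(4):  # original + 3 retransmits
            segs.append(Segment(0.1 + i + copy * 3.0, refl, 179,
                                "10.0.0.5", 40000 + i, "SA", 1000 + i))
    segs.append(Segment(0.0, "10.0.0.5", 50001, "203.0.113.9", 80, "S", 7))
    segs.append(Segment(0.05, "203.0.113.9", 80, "10.0.0.5", 50001, "SA", 99))
    return segs


def midpoint_sample():
    """Constructed capture at midpoint network 10.0.0.0/24: one spoofed
    source sprays SYNs at three local web servers and never ACKs; a real
    client completes its handshake."""
    segs = [Segment(float(t), "203.0.113.50", 1024 + t, f"10.0.0.{t + 1}",
                    80, "S", 500 + t) for t in range(3)]
    segs.append(Segment(5.0, "203.0.113.60", 3333, "10.0.0.1", 80, "S", 42))
    segs.append(Segment(5.1, "203.0.113.60", 3333, "10.0.0.1", 80, "A", 43))
    return segs


if __name__ == "__main__":
    print(reflection_summary(unsolicited_synacks(victim_sample(), "10.0.0.")))
    print(stalled_syn_sources(midpoint_sample(), "10.0.0."))
```

On the constructed victim capture the summary reports three reflectors, three distinct SYN/ACKs and an amplification of 4.0 on port 179; on the midpoint capture only the spoofed source is reported, with three SYNs to three local hosts and no completed handshake, while the genuine client drops out because it ACKs.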