Security Incidents mailing list archives

Re: Interesting Logs to port 8941


From: Ryan Yagatich <ryany () pantek com>
Date: Mon, 21 Oct 2002 09:34:12 -0400 (EDT)

Erik,
        I first saw your response and was thinking that you were 100% 
correct and that someone was SYN flooding my box; however, what makes this 
unique is the following:
        1) source IPs are erratically different
        2) the times of each occurrence are very spaced out
        3) the packet size/window vary as well
        4) the target address (mine) is dynamic and had only been up about 
                60 minutes before the connection attempts
        5) it only occurred on that one day
        6) the target address is on a dialup connection with no real 
                services behind it.

To go a little bit further with my reasoning, starting at the bottom and 
moving up:
        6 - there are really only a few purposes for which an attacker 
could desire to attack a dialup connection (in my experience, that is):
                a) the system was randomly compromised by either a virus 
or some form of 'I accidentally opened that attachment and now the network 
is down', and was sending out initial requests to which they were trying 
to respond.
                b) the address that I was using had been in use by another 
person who had been flooded off the network or just disconnected.
                c) it was a randomly selected IP address that a DDoS was 
to be performed on...
        5 - since it only occurred on the one day, it makes me almost think 
that it could have been an attempt at a DDoS on my system or that the 
source addresses were not really what they claimed to be.
        4 - that 60 minute period only occurred since my connection was 
running at a smooth 9600 baud and IRC couldn't keep up with it
        3 - this makes me think that they are either different platforms 
(see below) or it is a subversive way of deferring the target's thoughts to 
hide what is really happening.
        2 - if this were a DDoS or any SYN flood attempt, 3 SYN packets 
going in is hardly enough to bring down a line, even that of a dialup 
connection at 9600 baud. Since the timestamps between each occurrence are 
also spread out, a DDoS can _almost_ be ignored as they are not occurring in 
a quick enough fashion to actually bring down the line.
        1 - it was somewhat mentioned above, but if I were a kiddie that 
was attempting to SYN flood someone, either from one host or many, I would 
have made sure that all of the systems I was working on were attacking at 
the same time. Since the time stamps differ (#2) and the source 
addresses differ, this plays a big factor.

Now for some converse notes...
It was mentioned as a big part that 1) this is a dialup line, and 2) it 
was only connecting at 9600. This could mean that the packets weren't even 
getting to my system at all and could have been arriving at a much heavier 
frequency.

I mentioned that all of the systems could have been running on different 
platforms; I have run a few scans on the targeted systems and have found 
that many appear to be MS Windows 2000 systems with some common ports > 
1024 open (none of which being the targeted port, might I add), and that 
other systems are different platforms or are protected by different 
platforms. (I've since then added a directory called scans/ that has all 
of the output.)

So, the question really still remains as it was and makes me wonder even 
more:
        why all the different source addresses?
        why all the different platforms / source system types?
        why only 3 connection attempts before stopping?
        why the large time scale between hits?
        why only that one day and never again?

If you, or anyone else, can answer this, please do, for I am at a loss.

Thanks,
Ryan Yagatich  <support () pantek com>
        Pantek, Incorporated
 (877) LINUX-FIX - (440) 519-1802
===================================
E8 35 42 82 32 4E 63 6D B5 FF 7B 8A
6E DE D5 1F D0 2C 06 C6 8D 3D B6 95
===================================
Programming today is a race between
  software engineers striving to
build bigger and better idiot-proof
programs and the universe trying to
 produce bigger and better idiots.
So far, the universe is winning.

On Thu, 10 Oct 2002 eschott () eXceededucation com wrote:

It looks like an attempt at a TCP SYN flood.  However, I would recommend
strongly that you use snoop, tcpdump or netcat to monitor the traffic and
see if your host responds with a SYN ACK packet and never receives an ACK
from the originator.  If that is the case, then you very likely are seeing
a TCP SYN flood attempt.


Erik J. Schott
Technical Instructor
eXceed Education, Inc.
379 Thornall St.  4th Floor
Edison, NJ 08837
Voice:  732.767.1641
Fax: 732.767.0746
eschott () exceededucation com
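A defender-side reading of Erik's tcpdump test together with Ryan's point that three widely spaced SYNs are not a flood, as an added example that is not part of either post: it parses constructed tcpdump-style lines, marks each inbound connection to the local host as half-open (SYN-ACK sent, no ACK back), refused or completed, and reports how tightly the inbound SYNs cluster in time. All addresses and timestamps are made up; 192.0.2.7 stands in for the dialup host and 8941 is the port from the subject line.

```python
import re
# Constructed sample capture in tcpdump style (not from the thread); 192.0.2.7 = our host.
LOCAL_IP = "192.0.2.7"
SAMPLE = """\
09:12:01.100 IP 10.0.0.5.4021 > 192.0.2.7.8941: Flags [S]
09:12:01.150 IP 192.0.2.7.8941 > 10.0.0.5.4021: Flags [S.]
09:41:30.200 IP 172.16.3.9.51112 > 192.0.2.7.8941: Flags [S]
09:41:30.250 IP 192.0.2.7.8941 > 172.16.3.9.51112: Flags [S.]
09:41:30.600 IP 172.16.3.9.51112 > 192.0.2.7.8941: Flags [.]
10:15:44.300 IP 198.51.100.2.33000 > 192.0.2.7.8941: Flags [S]
10:15:44.350 IP 192.0.2.7.8941 > 198.51.100.2.33000: Flags [R.]
"""
LINE_RE = re.compile(r"(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_line(line):
    """Return (seconds, src, sport, dst, dport, flags) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, flags = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), dst, int(dport), flags

def classify_flows(capture, local_ip):
    """Map (client, client_port) -> 'unanswered', 'half_open', 'refused' or 'completed'.
    'half_open' is the SYN-flood signature Erik describes: we sent SYN-ACK, no ACK came back."""
    state = {}
    for rec in filter(None, map(parse_line, capture.splitlines())):
        _, src, sport, dst, dport, flags = rec
        if dst == local_ip and flags == "S":              # inbound SYN
            state.setdefault((src, sport), "unanswered")
        elif src == local_ip and flags == "S.":           # our SYN-ACK went out
            state[(dst, dport)] = "half_open"
        elif src == local_ip and "R" in flags:            # we refused (nothing listening)
            state[(dst, dport)] = "refused"
        elif dst == local_ip and flags == "." and state.get((src, sport)) == "half_open":
            state[(src, sport)] = "completed"             # handshake finished
    return state

def syn_rate_profile(capture, local_ip, window=60.0):
    """Count inbound SYNs, distinct sources, and the peak SYNs in any `window` seconds.
    A flood packs many SYNs into a short window; a few SYNs hours apart (as here) do not."""
    times, sources = [], set()
    for rec in filter(None, map(parse_line, capture.splitlines())):
        if rec[3] == local_ip and rec[5] == "S":
            times.append(rec[0])
            sources.add(rec[1])
    times.sort()
    peak = max((sum(1 for u in times if t <= u <= t + window) for t in times), default=0)
    return {"syn_count": len(times), "distinct_sources": len(sources), "peak_per_window": peak}
```

Run against a real capture with `tcpdump -n 'tcp port 8941'` output and a busy flood shows many `half_open` entries and a high `peak_per_window`; the sample here shows the opposite pattern.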

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com