[fw-wiz] Tracking down spoofing SYN flood attackers?

From: Stewart, John (johns@artesyncp.com)
Date: 01/17/03


From: "Stewart, John" <johns@artesyncp.com>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Fri Jan 17 20:10:02 2003

For what we believe has been a few days (we finally tracked it all down this morning, have been having weirdness for a while due to our firewall being flooded with TCP connects), someone has been sending tons of port 23 packets to one of our servers in Scotland, with a source address of wrist.org (216.111.239.187).

We're trying to have the ISP block the packets upstream, and I also got in contact with a wrist.org admin via their DNS contact info.

The attack is being spoofed; it's not actually coming from wrist.org. They don't even have a machine at this address which is capable of sending out telnet (TCP/23) packets. He said I was one of dozens of people who have called.

Someone doesn't like wrist.org.

As for us, it's not a huge deal. We'll likely be able to have the ISP cut off the traffic before it hits our firewall. But this poor guy is getting hammered, and I don't know how he's ever going to find out who's doing it, or make it stop.

My question is how would one go about tracking this down and stopping it?

I'll append a couple of packets grabbed using the Solaris "snoop -v" command.

johnS

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 353 arrived at 19:40:40.39
ETHER: Packet size = 60 bytes
ETHER: Destination = 8:0:20:a2:63:b4, Sun
ETHER: Source = 0:0:c5:78:5:bc,
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x08
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 1... = high throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 47548
IP: Flags = 0x0
IP: .0.. .... = may fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 237 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 6fd9
IP: Source address = 216.111.239.187, wrist.org
IP: Destination address = 193.195.26.67, 193.195.26.67
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 56149
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 1659174912
TCP: Acknowledgement number = 0
TCP: Data offset = 20 bytes
TCP: Flags = 0x02
TCP: ..0. .... = No urgent pointer
TCP: ...0 .... = No acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..1. = Syn
TCP: .... ...0 = No Fin
TCP: Window = 65535
TCP: Checksum = 0xcd5e
TCP: Urgent pointer = 0
TCP: No options
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 354 arrived at 19:40:40.39
ETHER: Packet size = 58 bytes
ETHER: Destination = 0:0:c5:78:5:bc,
ETHER: Source = 8:0:20:a2:63:b4, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00
IP: xxx. .... = 0 (precedence)
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 44 bytes
IP: Identification = 29652
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 63c5
IP: Source address = 193.195.26.67, 193.195.26.67
IP: Destination address = 216.111.239.187, wrist.org
IP: No options
IP:
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 23
TCP: Destination port = 56149
TCP: Sequence number = 3804681469
TCP: Acknowledgement number = 1659174913
TCP: Data offset = 24 bytes
TCP: Flags = 0x12
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..1. = Syn
TCP: .... ...0 = No Fin
TCP: Window = 9112
TCP: Checksum = 0xddd0
TCP: Urgent pointer = 0
TCP: Options: (4 bytes)
TCP: - Maximum segment size = 536 bytes
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:
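The two packets above show the whole pattern: a bare SYN claiming to come from wrist.org, and the server's SYN-ACK sent back to an address that never asked for it. The following is an added Python example, not part of the post or of Solaris snoop: it parses snoop -v text (sample constructed from the two packets shown, trimmed to the fields used), tallies bare SYNs and SYN-ACKs per claimed source along with the TTLs seen, and counts the SYN-ACKs our server emits toward the spoofed address, which is the backscatter wrist.org is receiving. The field keys and the "single TTL" heuristic are the example's own assumptions.

```python
import re

# Constructed sample laid out like Solaris "snoop -v": the spoofed SYN and the server's SYN-ACK from the post, trimmed to the fields used here, plus one more spoofed SYN.
SNOOP_TEXT = """ETHER: ----- Ether Header -----
IP: Time to live = 237 seconds/hops
IP: Source address = 216.111.239.187, wrist.org
TCP: Destination port = 23 (TELNET)
TCP: Flags = 0x02
ETHER: ----- Ether Header -----
IP: Time to live = 255 seconds/hops
IP: Source address = 193.195.26.67, 193.195.26.67
TCP: Destination port = 56149
TCP: Flags = 0x12
ETHER: ----- Ether Header -----
IP: Time to live = 237 seconds/hops
IP: Source address = 216.111.239.187, wrist.org
TCP: Destination port = 23 (TELNET)
TCP: Flags = 0x02
"""
FIELD = re.compile(r"^(IP|TCP): ([^=]+?) = (.+)$")
SYN, ACK = 0x02, 0x10

def parse_snoop(text):
    """Split snoop -v text into packets; fields are keyed 'LAYER.Name' (e.g. 'TCP.Flags')."""
    packets = []
    for line in text.splitlines():
        if line.startswith("ETHER: ----- Ether Header"):
            packets.append({})
        elif (m := FIELD.match(line)) and packets:
            packets[-1][f"{m[1]}.{m[2]}"] = m[3]
    return packets

def summarize(packets, our_addr):
    """Per claimed source: bare SYNs, SYN-ACKs, TTLs; plus SYN-ACKs we send back (backscatter to the spoofed address)."""
    stats, backscatter = {}, 0
    for p in packets:
        src = p["IP.Source address"].split(",")[0]
        s = stats.setdefault(src, {"syn": 0, "syn_ack": 0, "ttls": set()})
        flags = int(p["TCP.Flags"], 16)
        if flags & SYN and not flags & ACK:
            s["syn"] += 1
        elif flags & SYN and flags & ACK:
            s["syn_ack"] += 1
            backscatter += int(src == our_addr)
        s["ttls"].add(int(p["IP.Time to live"].split()[0]))
    return stats, backscatter

def spoof_suspects(stats):
    """Sources that only ever send bare SYNs, all at one TTL: the shape of a single spoofing sender."""
    return sorted(a for a, v in stats.items() if v["syn"] and not v["syn_ack"] and len(v["ttls"]) == 1)
```

On a real capture the same tallies make the asymmetry obvious: the claimed source never completes a handshake, and every SYN-ACK our server answers with lands on the party being impersonated.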
