SYN Flood attack with sequential destination ports?

From: Joshua Wright (Joshua.Wright@jwu.edu)
Date: 11/08/01


Message-ID: <415D42EC88D4D411A128009027AF978C03A5EB72@gaspee.jwu.edu>
From: Joshua Wright <Joshua.Wright@jwu.edu>
To: "'incidents@securityfocus.org'" <incidents@securityfocus.org>
Subject: SYN Flood attack with sequential destination ports?
Date: Thu, 8 Nov 2001 12:55:04 -0500 

I am working with some folks at a partner network who are seeing a SYN flood
attack to a single destination address.

The interesting characteristic is the destination port is sequential - each
phase of attack starting at 3039 and ending arouind 34431.

I checked the source for synful.c, syn4k.c and a few others - all seem to
use a random or fixed destination port. Any ideas on what tool this could
be?

Thanks.

-Joshua Wright, GCIH
Joshua.Wright@jwu.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com