Port 80 SYN flood-like behavior
From: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
Date: Wed, 13 Feb 2002 16:51:54 -0600
In the last few days I've been seeing what *looks* like a SYN flood attack
on port 80 across all IP addresses on my network. However, if it's a flood,
it's not a very strong one. Modest hardware is able to keep up with the
incoming packets without a problem, but the steady flow of SYN packets is
still a steady flow. (On a given system, the number of connections in a
SYN_RECVD-ish state numbers 50-100.) The source IP addresses stay constant
for a minute or two and then cease, sometimes as another IP address starts
sending its own stream of SYN packets, though occasionally more than one
host will be sending traffic at a time. Source addresses are in a variety
of networks, but seem to be consistently dialup or similar type connections.
It "feels" like an attempt at a denial-of-service attack, but why spread it
out over so many destination IP addresses (many of which have no Internet
presence), and why would the flood be so weak as not to actually affect
anything?
Could this be an IDS allowing spoofed IP addresses through while stripping
out a "dangerous" payload that might come along with the first ACK response?
Or maybe a form of scan where the volume of response carries information
they want? Has anyone seen something similar?
David
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
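The pattern David describes (a single source sending a steady SYN stream to many destinations for a minute or two with no completed handshakes, then another source taking over, occasionally with overlap) is easy to pull out of flow-style records once you summarise per source. The following is an added example, not code from the original post or from the list; it runs over a constructed sample in an assumed "epoch src dst dport flags" line format (RFC 5737 documentation addresses, invented timestamps) and flags sources whose SYN count and destination spread are high while their ACK count is zero, then shows which flagged sources were active in the same minute.

```python
"""Added example: flagging low-rate, source-rotating SYN-only streams from
flow-style records. Not from the original post; the record format, the
thresholds and the sample data are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Record:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str  # tcpdump-style letters: S = SYN, A = ACK (handshake completed)


@dataclass
class SourceStats:
    syns: int = 0
    acks: int = 0
    dsts: set = field(default_factory=set)
    first: Optional[int] = None
    last: Optional[int] = None


def _syn_stream(src: str, start: int, count: int) -> List[str]:
    """One SYN per second from a single source, each to a new destination."""
    return [f"{start + i} {src} 192.0.2.{i % 200 + 1} 80 S" for i in range(count)]


# Constructed sample: three hosts take turns sending SYN-only streams for a
# minute or two (one overlap), plus one normal client that completes handshakes.
SAMPLE_LOG = "\n".join(
    _syn_stream("203.0.113.10", 1000, 90)       # sends for 90 s, then stops
    + _syn_stream("203.0.113.20", 1100, 120)    # starts as the first goes quiet
    + _syn_stream("203.0.113.30", 1150, 60)     # overlaps the second
    + [                                         # legitimate client: SYN then ACK
        "1010 198.51.100.5 192.0.2.1 80 S",
        "1010 198.51.100.5 192.0.2.1 80 A",
        "1050 198.51.100.5 192.0.2.1 80 S",
        "1050 198.51.100.5 192.0.2.1 80 A",
    ]
)


def parse_records(text: str) -> List[Record]:
    """Parse 'epoch src dst dport flags' lines; malformed lines are skipped."""
    out: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        try:
            out.append(Record(int(ts), src, dst, int(dport), flags))
        except ValueError:
            continue
    return out


def summarize_sources(records: List[Record], dport: int = 80) -> Dict[str, SourceStats]:
    """Per-source SYN count, ACK count, distinct destinations and active interval."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for r in records:
        if r.dport != dport:
            continue
        s = stats[r.src]
        if "S" in r.flags:
            s.syns += 1
            s.dsts.add(r.dst)
            s.first = r.ts if s.first is None else min(s.first, r.ts)
            s.last = r.ts if s.last is None else max(s.last, r.ts)
        elif "A" in r.flags:
            s.acks += 1
    return dict(stats)


def flag_syn_only_sources(stats: Dict[str, SourceStats],
                          min_syns: int = 20, min_dsts: int = 10) -> List[str]:
    """Sources that send many SYNs to many hosts and never complete a handshake.
    Thresholds are assumed; tune them to the site's normal traffic."""
    return sorted(
        src for src, s in stats.items()
        if s.syns >= min_syns and len(s.dsts) >= min_dsts and s.acks == 0
    )


def concurrent_flagged(records: List[Record], flagged: List[str],
                       bucket: int = 60) -> Dict[int, List[str]]:
    """Which flagged sources were sending SYNs in each bucket-second window."""
    active: Dict[int, set] = defaultdict(set)
    wanted = set(flagged)
    for r in records:
        if r.src in wanted and "S" in r.flags:
            active[r.ts // bucket * bucket].add(r.src)
    return {b: sorted(v) for b, v in sorted(active.items())}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    st = summarize_sources(recs)
    flagged = flag_syn_only_sources(st)
    for src in flagged:
        s = st[src]
        print(f"{src}: {s.syns} SYNs to {len(s.dsts)} hosts over {s.last - s.first + 1}s, 0 ACKs")
    for start, srcs in concurrent_flagged(recs, flagged).items():
        print(f"t={start}: {len(srcs)} flagged source(s) active: {', '.join(srcs)}")
```

The zero-ACK condition is what separates this from a busy but legitimate client; a real scanner or flooder that never finishes the handshake leaves exactly the SYN_RECVD backlog the post mentions. On production data the per-minute overlap table is the quick way to tell a single-source stream from several hosts working at once.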