Re: syn flooding

From: Dennis Heidner (dennis@heidners-no-spam.net)
Date: 01/21/02


From: "Dennis Heidner" <dennis@heidners-no-spam.net>
Date: 21 Jan 2002 00:15:59 -0800

Wow,

I thought it would be easy to point to the actual incidents. Looks like
most of the references which named victims have long since been removed.
Unfortunately, when you look in the www.incidents.org archives for SYN
FLOOD, you get hundreds of hits; the same is true for CERT and NIPC. I
tried to narrow down references which talk about the "February attack",
then I've added a Seattle Times article which talks about the "February
attack"... you have to make your own connection. Trinoo (if I remember
correctly) was a basic SYN Flood attack. The article you referenced did a
pretty good job summarizing it.

FWIW, just a few months (May) after the attack I went to the SANS
conference on the east coast of the U.S. There was a lot of discussion
about the attacks, why, etc. I think it may have even come up in a
presentation by Richard Stevens on the new IPv6 standard.

http://www.incidents.org/archives/y2k/122499.htm
http://www.cert.org/advisories/CA-2000-21.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1039
http://www.zdnet.com/filters/printerfriendly/0,6061,2624180-2,00.html
http://www.incidents.org/archives/y2k/020901-0930.htm
http://www.fbi.gov/pressrel/pressrel00/mafia080700.htm <<---- mafia boy arrested

http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=asta18&date=20001118&query=amazon+denial+of+service

> > The small personal firewalls still have problems, I've seen that happen
> > to several. The high-end commercial firewalls are probably in pretty good
> > shape if they have recent software. The big name DoS attacks of a couple
> > years ago were SYN floods.
>
> Do you have any references to prove that? Sorry, I don't mean to argue on
> every point :) I just remember no particular details being released, it
> certainly sounds like a SYN flood....
>
> http://www.computerworld.com/cwi/story/0,1199,NAV47_STO43010,00.html
>
> ....for example. But I don't recall any technical details, which is, of
> course, what I'm particularly interested in.
>

If you search the archives at incidents.org (look for SYN FLOOD), there
were other reports and traces of sites with the small personal firewalls
that were having problems from SYN DoS attacks. I


