Security Basics mailing list archives
Strange DoS from many (MANY) hosts
From: Yusuf <yusufad () myrealbox com.DELME>
Date: Tue, 27 Jul 2004 02:08:23 -0700
Hi there.

For several hours I have been receiving SYN packets from *lots* of hosts. It doesn't appear to be a *personal* attack, but most probably some new virii/vermii, because:

- The hit frequency is not that high: my latencies have gone to the sky, but still inside the atmosphere ;-). I only get a few requests from each host, and there are thousands of them, from all around the world.
- Most of the hosts (the ones with reverse DNS, anyway) appear to be over DSL/Cable lines, like:

adsl-65-67-113-211.dsl.rcsntx.swbell.net
ben215.neoplus.adsl.tpnet.pl
wbar18.dal1-4.29.164.140.dal1.dsl-verizon.net
S010600402b65ad2b.vc.shawcable.net
DSL01.212.114.236.176.NEFkom.net
...

- The hits appear to probe several ports, including 135, 445, 4662, 21338 and 31841. Two of them are in /etc/services:

loc-srv 135/tcp epmap # Location Service
microsoft-ds 445/tcp # Microsoft Naked CIFS

¿Anyone experiencing it, or with an idea of what this is? As I said, so far the only complication is with online games ;-), but nonetheless, the propagation of the "thing" is most impressive.

¿Is it the Apocalypse Now???? (Redux ;-) )

As you'll see next, my firewall already refuses connections to those ports (with the standard DROP at the end of the iptables chain), but even a few hits a second get my latency really high. Is there a better way to deal with these packets?
Sniffer log extract follows:
Source Destination Protocol Info
1.140.142.132 THIS.IS.MY.HOST TCP 2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST 61.140.142.132 ICMP Destination unreachable
80.38.27.138 THIS.IS.MY.HOST TCP 4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 61.145.99.67 ICMP Destination unreachable
201.135.98.127 THIS.IS.MY.HOST TCP 1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 201.135.98.127 ICMP Destination unreachable
3com_5a:43:3f Cisco_f7:60:38 PPP LCP Echo Request
Cisco_f7:60:38 3com_5a:43:3f PPP LCP Echo Reply
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176 THIS.IS.MY.HOST TCP 29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208 THIS.IS.MY.HOST TCP 4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
THIS.IS.MY.HOST 68.148.140.208 ICMP Destination unreachable
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 61.145.99.67 ICMP Destination unreachable
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
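The pattern the poster describes (many distinct sources, only a few SYNs from each, spread over a handful of ports) can be checked mechanically against a sniffer extract like the one above. The following is an added example, not code from the post or from any tool named in it; it embeds the TCP/ICMP lines quoted in the post as constructed sample input, maps the two service names the sniffer resolved via /etc/services back to port numbers, and applies threshold values that are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict

# Sample input constructed from the TCP/ICMP lines quoted in the post (PPP lines omitted).
SNIFFER_LOG = """\
1.140.142.132 THIS.IS.MY.HOST TCP 2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST 61.140.142.132 ICMP Destination unreachable
80.38.27.138 THIS.IS.MY.HOST TCP 4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 61.145.99.67 ICMP Destination unreachable
201.135.98.127 THIS.IS.MY.HOST TCP 1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST 201.135.98.127 ICMP Destination unreachable
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176 THIS.IS.MY.HOST TCP 29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208 THIS.IS.MY.HOST TCP 4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
61.145.99.67 THIS.IS.MY.HOST TCP 1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
212.114.236.176 THIS.IS.MY.HOST TCP 29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
"""

SERVICE_PORTS = {"microsoft-ds": 445, "loc-srv": 135}  # names the sniffer resolved via /etc/services
SYN_RE = re.compile(r"^(\S+) THIS\.IS\.MY\.HOST TCP (\d+) > (\S+) \[SYN\]")
ICMP_RE = re.compile(r"^THIS\.IS\.MY\.HOST \S+ ICMP Destination unreachable")

def summarize(log):
    """Group inbound SYNs by destination port and source; count the ICMP replies the host sent back."""
    ports = defaultdict(Counter)   # dest port -> Counter(source -> SYNs seen)
    icmp_replies = 0
    for line in log.splitlines():
        m = SYN_RE.match(line)
        if m:
            src, _sport, dst = m.groups()
            ports[SERVICE_PORTS.get(dst) or int(dst)][src] += 1
        elif ICMP_RE.match(line):
            icmp_replies += 1
    per_source = sum(ports.values(), Counter())
    return {"ports": {p: (len(c), sum(c.values())) for p, c in ports.items()},
            "sources": dict(per_source), "icmp_replies": icmp_replies}

def looks_distributed(summary, min_sources=5, max_hits_per_source=3):
    """The pattern described in the post: many distinct sources, only a few SYNs from each (thresholds assumed)."""
    hits = summary["sources"]
    return len(hits) >= min_sources and max(hits.values()) <= max_hits_per_source

if __name__ == "__main__":
    s = summarize(SNIFFER_LOG)
    for port, (n_src, n_syn) in sorted(s["ports"].items()):
        print(f"port {port}: {n_src} distinct sources, {n_syn} SYNs")
    print("ICMP unreachable replies sent by host:", s["icmp_replies"])
    print("distributed probe pattern:", looks_distributed(s))
```

Run against a full capture, the per-port source counts separate a distributed worm-style sweep from a single noisy host, and the ICMP reply count shows how much of the host's own bandwidth goes into answering packets that a silent DROP would not answer at all.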