Firewall Wizards mailing list archives
Tracking down spoofing SYN flood attackers?
From: "Stewart, John" <johns () artesyncp com>
Date: Thu, 16 Jan 2003 14:10:12 -0600
For what we believe has been a few days (we finally tracked it all down this morning; we have been having weirdness for a while due to our firewall being flooded with TCP connects), someone has been sending tons of port 23 packets to one of our servers in Scotland, with a source address of wrist.org (216.111.239.187). We're trying to have the ISP block the packets upstream, and I also got in contact with a wrist.org admin via their DNS contact info.

The attack is being spoofed; it's not actually coming from wrist.org. They don't even have a machine at this address which is capable of sending out telnet (TCP/23) packets. He said I was one of dozens of people who have called. Someone doesn't like wrist.org.

As for us, it's not a huge deal. We'll likely be able to have the ISP cut off the traffic before it hits our firewall. But this poor guy is getting hammered, and I don't know how he's ever going to find out who's doing it, or make it stop.

My question is: how would one go about tracking this down and stopping it?

I'll append a couple of packets grabbed using the Solaris "snoop -v" command.

johnS

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 353 arrived at 19:40:40.39
ETHER:  Packet size = 60 bytes
ETHER:  Destination = 8:0:20:a2:63:b4, Sun
ETHER:  Source      = 0:0:c5:78:5:bc,
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x08
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 1... = high throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 40 bytes
IP:   Identification = 47548
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 237 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 6fd9
IP:   Source address = 216.111.239.187, wrist.org
IP:   Destination address = 193.195.26.67, 193.195.26.67
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 56149
TCP:  Destination port = 23 (TELNET)
TCP:  Sequence number = 1659174912
TCP:  Acknowledgement number = 0
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x02
TCP:        ..0. .... = No urgent pointer
TCP:        ...0 .... = No acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..1. = Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 65535
TCP:  Checksum = 0xcd5e
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 354 arrived at 19:40:40.39
ETHER:  Packet size = 58 bytes
ETHER:  Destination = 0:0:c5:78:5:bc,
ETHER:  Source      = 8:0:20:a2:63:b4, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 44 bytes
IP:   Identification = 29652
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = 63c5
IP:   Source address = 193.195.26.67, 193.195.26.67
IP:   Destination address = 216.111.239.187, wrist.org
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 23
TCP:  Destination port = 56149
TCP:  Sequence number = 3804681469
TCP:  Acknowledgement number = 1659174913
TCP:  Data offset = 24 bytes
TCP:  Flags = 0x12
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 0... = No push
TCP:        .... .0.. = No reset
TCP:        .... ..1. = Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 9112
TCP:  Checksum = 0xddd0
TCP:  Urgent pointer = 0
TCP:  Options: (4 bytes)
TCP:    - Maximum segment size = 536 bytes
TCP:
TELNET: ----- TELNET: -----
TELNET:
TELNET: ""
TELNET:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
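The two packets above show the pattern a defender can look for in a capture like this: a bare SYN to port 23 claiming to come from 216.111.239.187, answered by the server's SYN-ACK to that same address, which is the traffic that lands on the spoofed host. The following added example (not part of the post) parses snoop -v output in the layout shown above, counts bare SYNs per claimed source and the SYN-ACKs sent back to each, and flags sources over a threshold; the capture it runs on is constructed in the script, and the 10.0.0.5 client address is made up.

```python
import re
from collections import Counter

SYN, ACK = 0x02, 0x10
# Header fields this parser reads, as printed by snoop -v (prefix keeps IP and TCP "Flags" apart).
FIELD = re.compile(r"^(IP|TCP):\s+(Source address|Destination address|Destination port"
                   r"|Flags|Time to live) = (\S+)")

def parse_snoop(text):
    """Split snoop -v output into one dict per packet, keyed like 'IP Source address'."""
    pkts, cur = [], None
    for line in text.splitlines():
        if "Packet" in line and "arrived at" in line:
            cur = {}
            pkts.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur[f"{m.group(1)} {m.group(2)}"] = m.group(3).rstrip(",")  # drop ", hostname"
    return pkts

def classify(pkts, server, port, threshold):
    """Count bare SYNs to server:port per claimed source, and the SYN-ACKs the server
    sends back to each claimed source (the backscatter that lands on the spoofed host)."""
    syns, backscatter = Counter(), Counter()
    for p in pkts:
        flags = int(p.get("TCP Flags", "0"), 16) & (SYN | ACK)
        if (p.get("IP Destination address") == server
                and p.get("TCP Destination port") == str(port) and flags == SYN):
            syns[p["IP Source address"]] += 1
        elif p.get("IP Source address") == server and flags == SYN | ACK:
            backscatter[p["IP Destination address"]] += 1
    return {s: n for s, n in syns.items() if n >= threshold}, backscatter

def snoop_record(num, ttl, src, dst, sport, dport, flags):
    """Constructed snoop -v style record carrying only the fields parsed above."""
    return (f"ETHER:  Packet {num} arrived at 19:40:40.39\nIP:   Time to live = {ttl} seconds/hops\n"
            f"IP:   Source address = {src}, {src}\nIP:   Destination address = {dst}, {dst}\n"
            f"TCP:  Source port = {sport}\nTCP:  Destination port = {dport}\nTCP:  Flags = 0x{flags:02x}\n")

def sample_capture(n_syn=200):
    """Constructed capture: n_syn SYNs claiming to be from 216.111.239.187 aimed at
    193.195.26.67:23, each answered with a SYN-ACK, plus one SYN from a made-up client."""
    out, num = [], 353
    for _ in range(n_syn):
        out.append(snoop_record(num, 237, "216.111.239.187", "193.195.26.67", 56149, 23, SYN))
        out.append(snoop_record(num + 1, 255, "193.195.26.67", "216.111.239.187", 23, 56149, SYN | ACK))
        num += 2
    out.append(snoop_record(num, 64, "10.0.0.5", "193.195.26.67", 40000, 23, SYN))  # made-up client
    return "".join(out)

if __name__ == "__main__":
    flooders, back = classify(parse_snoop(sample_capture()), "193.195.26.67", 23, threshold=100)
    print("claimed sources over SYN threshold:", flooders)
    print("SYN-ACKs sent back per claimed source:", dict(back))
```

On a real capture, feed `snoop -v` output to `parse_snoop` and compare the backscatter counter with the flooder list: when every flagged source also receives one SYN-ACK per SYN, the server is doing exactly what the post describes to the spoofed address.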
Current thread:
- Tracking down spoofing SYN flood attackers? Stewart, John (Jan 17)
- Re: Tracking down spoofing SYN flood attackers? David Pick (Jan 18)
- Re: Tracking down spoofing SYN flood attackers? Mikael Olsson (Jan 18)