Security Incidents mailing list archives
Re: Port 7000 (Apple File Share) DoS/DDoS underway
From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Thu, 23 Sep 2004 14:20:00 +0200 (CEST)
On Wed, 22 Sep 2004, Daniel Hanson wrote:
I will just interject quickly. The choice of flags would indicate to me that perhaps you are seeing back scatter from a DDoS attack. For anyone who hasn't encountered this situation: Social deviant with collection of 50 hosts under his control decides he doesn't like company X today. He turns the 50 hosts to attack a server on that network but tells the 50 hosts to spoof the source address. He picks your address as the source to be spoofed (or it's random). The SYNs go to the target machine, which responds with a SYN-ACK to your IP address. The presence of the RSTs may or may not be part of the actual conversation, or another effect of some sort; I don't believe that a RST also coming to you from that same connection is appropriate behaviour, but I don't have TCP/IP Illustrated in front of me. YMMV, I just thought I would throw it in as a possible explanation.
There is one thing I forgot to mention: Next to the flags SYN and ACK, the reserved flags R0 and R1 had been set. I saw the following combinations: syn/ack/r1, syn/ack/r0 and syn/ack/r0/r1. I'm not sure about the way the two reserved flags are handled: are they meant for the transmission or for the end point? Meaning, are they sent back with the answer packets when the arriving SYN packet had them set?

Cheers,
Chris Kronberg.
--
GeNUA mbH
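Added example, not part of the original message: a Python sketch that decodes the TCP flags byte, including the two high bits that RFC 793 left reserved and RFC 3168 later assigned to CWR and ECE, and reports inbound SYN/ACK or RST segments that match no outbound SYN, which is the backscatter pattern described above. The addresses, ports and packets are constructed samples and the function names are hypothetical; how the R0/R1 labels in the message map onto the two bit masks depends on the logging tool and is not assumed here.

```python
import struct

# Flag masks in TCP header byte 13. 0x80 and 0x40 were reserved in RFC 793;
# RFC 3168 later assigned them to CWR and ECE (ECN).
FLAGS = [
    (0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
    (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN"),
]

def parse_tcp(header: bytes):
    """Return (source port, destination port, set of flag names)."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, {name for mask, name in FLAGS if off_flags & 0xFF & mask}

def make_header(sport, dport, flags):
    """Build a minimal 20-byte TCP header (hypothetical helper for the samples)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0)

def find_backscatter(packets):
    """packets: iterable of (direction, src_ip, dst_ip, raw_tcp_header)."""
    pending = set()  # connections this site actually initiated
    hits = []
    for direction, src, dst, raw in packets:
        sport, dport, flags = parse_tcp(raw)
        if direction == "out":
            if "SYN" in flags and "ACK" not in flags:
                pending.add((src, sport, dst, dport))
            continue
        unsolicited = (dst, dport, src, sport) not in pending
        if unsolicited and ({"SYN", "ACK"} <= flags or "RST" in flags):
            hits.append((src, sport, sorted(flags), bool(flags & {"CWR", "ECE"})))
    return hits

# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE = [
    ("out", "192.0.2.10", "198.51.100.5", make_header(40000, 80, 0x02)),
    ("in", "198.51.100.5", "192.0.2.10", make_header(80, 40000, 0x12)),
    ("in", "203.0.113.7", "192.0.2.10", make_header(7000, 1234, 0x52)),
    ("in", "203.0.113.7", "192.0.2.10", make_header(7000, 1235, 0xD2)),
    ("in", "203.0.113.7", "192.0.2.10", make_header(7000, 1234, 0x04)),
]

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE):
        print(hit)
```

Each reported tuple is (remote address, remote port, flags, whether either former reserved bit was set); the reply to the locally initiated connection is not reported.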