[Courses] [Security] Syn flooding (was: knock knock?)

Dave North dave at timocharis.com
Wed May 1 22:54:52 EST 2002


On Thu, 2 May 2002, Raven, corporate courtesan wrote:
> 	If you're seeing large amounts of these, then yes, it may be a
> syn flood.  You're doing the right things to cope with one.

Thanks! That's a relief anyway.

> It's hard  to figure out why you're getting syn-flooded.  Sometimes you
> did something that ticked off a script kiddie, other times someone has
> misconfigured their machine to access your network.  (This is rare for
> synfloods, but common for "portscans".)  Does the IP address change all
> the time?

It will persist as the same IP for hours, maybe as much as a day, then
drop off. Very soon (or immediately) another appears, etc, ad nauseam.
	Rarely, but on occasion, there will be two different IP leeches at
one time.
	Just as rarely, nothing at all.

> If so, that's less likely to be persistent misconfiguration
> of a remote machine and more likely to be a deliberate attack.

I had presumed as much. The wandering nature of it made me curious if
there was something spreading around the net that just had various
"victim" servers firing off at me (and others) more or less randomly.
	Or, maybe somebody's really mad at me (or Ak).

> I'm assuming that the connections you see in netstat never go
> from SYN_RECV to ESTABLISHED, huh?

Right. I've never seen one of these do anything other than float at
SYN_RECV. At first I watched diligently to see if it was just a very slow
connection, but they never do establish.

> You won't normally see a synflood in Web server logs because the
> TCP connection isn't up yet.  So it's still being handled by the
> kernel's TCP stack, and hasn't been handed off to Apache yet.  Once the
> SYN - SYN/ACK - ACK handshake is done, that's when Apache or any higher
> layer software like that gets involved and GET requests and the things
> you normally see in your logs start happening.

I thought perhaps that was why, but it's nice to hear it explained.

> 	It probably is spoofed, but you could try complaining to the
> owners of that netblock with timestamped logs just in case.  That IP
> doesn't have any DNS entries for it.

I have tried sending messages to a couple of the netblocks (at first,
pacbell dsl was popular, but now it's all over the place. Today was
"scandinavian day" with ips from Sweden and Norway). None of the messages
ever got a reply.

> and the block is allocated to EUIT Trading in Sweden.

Same result I got. I tried most of the tracing you did, with the same
results...

> What they're up to?  Probably idly trying to kill your web
> server.  How to find out who's doing it is a big effort in coordination.
> If the address is spoofed, the traffic can in theory be traced back to
> its actual source by your ISP.  There has to be a constant stream of
> traffic for them to do this, and they have to be using routers capable
> of this and a backbone design that's capable of this.  (I do this all
> the time for my ISP.)  It requires the equivalent of root access on the
> routers, on every router in between you and the black hat.  So end users
> can't do this trace.

Ouch. Coordinating with pacbell (sbc subsidiary) is an oxymoron.

> 	Your ISP may be able to trace the traffic through their network,
> to where it exits (generally at a peer, or their upstream connection to
> their ISP).  At that point they have to get the NOC of whatever network
> the traffic is coming from to continue the trace, and so on back to the
> source of the traffic.
>
> 	Most ISPs either won't or can't do this.  So usually spoofers
> get off scot-free.  I wrote a tool to automate this process for the ISP,
> but even this is hard to deal with because of weaknesses in common
> router vendor OS design.  (The way most backbone routers are configured,
> you cannot see every packet that passes through.  So if you're being
> attacked by a small volume of traffic, it may just never show up in the
> router logs and you lose the trail.)

This is fascinating!

> 	Wish I could be more cheerful, but the infrastructure of the
> Internet is poorly designed to deal with one-way packet spoofers.
> Anyone can send a stream of traffic that they don't need to receive the
> responses to, "from" any address.  Many DoS attacks fall into this
> category.  It's puerile and annoying, but there are lots of childish people
> who don't care and will gleefully be jerks.

Apparently. As far as I can tell, it's accomplishing nothing. Or am I too
sanguine? Right now, for example, I have two different leeches with a
total of three non-connections. It almost never gets to four. (The new
leech is showing Canada...) It's always a netblock, never a single address
(so far).

> We have recently seen a new wave of DoS attacks at my job, where
> someone will send a synflood that pretends to be from the address of the
> victim system under attack, to intermediate servers.  (Your server may be a
> good example of that.)  The intermediate servers see a synflood attack
> from the victim system.  But your server is busily acking away all those
> syns, and so all those acks flood the line of the victim.  And two
> systems are incapacitated for the price of one.  There was a massive
> wave of this directed against a machine owned by the Israeli government
> last week.  Several ISPs saw it.  The people whose web servers were
> being synflooded complained about the Israeli machine, and the Israeli
> machine had been knocked off the Net by all the acks.  It was very
> difficult to clean up after.  Strategically placed nullroutes contained
> the attack traffic, but engineers from many ISPs spent hours doing this,
> since the attackers kept changing what intermediate servers they were
> targeting.  Huge pain in the ahem, and I had better things to do with my
> day.

Having heard about that kind of thing in Europe, I was a bit dismayed that
there was some possibility we were being used to attack someone else. If
my box is handling the "flood" without breaking a sweat, does that mean
I'm also not being used to torture some other poor victim? (as best you
understand it?)

> Cheers,
> Raven

Thank you very much! At least I know (at this point) I've done what I can
do ... but I am a bit worried about what I might be doing to someone
else...


d
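As an added example (not part of the thread, and not code from either poster), here is a small Python script that does what Dave describes doing by hand: it reads `netstat -tn` style output, counts connections stuck in SYN_RECV per remote address, rolls them up per netblock (since the thread notes the sources arrive as whole netblocks), and ignores any remote that also has an ESTABLISHED connection, because a source that does complete the handshake is more likely a slow client than a flooder. The sample netstat text, the addresses in it, and the threshold are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -tn` output (not captured from the
# thread's server); addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:1034       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.77:2222       ESTABLISHED
"""


def parse_netstat(text):
    """Return a list of (remote_ip, state) pairs from netstat -tn output.

    Header lines and anything that is not a tcp/tcp6 row are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        foreign, state = parts[4], parts[5]
        remote_ip = foreign.rsplit(":", 1)[0]  # drop the port
        rows.append((remote_ip, state))
    return rows


def half_open_report(rows, threshold=2, v4_prefix=24, v6_prefix=64):
    """Count SYN_RECV entries per remote address and per netblock.

    Returns (suspect_ips, suspect_blocks): dicts mapping an address or a
    netblock to its half-open count, keeping only entries at or above
    `threshold`. An address that also has an ESTABLISHED connection is
    dropped from suspect_ips.  Every half-open entry is also a destination
    to which the local kernel is retransmitting SYN/ACKs, so a large count
    for one address is a hint of how much traffic this host would be
    reflecting if that address were spoofed.
    """
    per_ip = Counter()
    established = set()
    for ip, state in rows:
        if state == "SYN_RECV":
            per_ip[ip] += 1
        elif state == "ESTABLISHED":
            established.add(ip)

    per_block = Counter()
    for ip, n in per_ip.items():
        addr = ipaddress.ip_address(ip)
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_block[str(net)] += n

    suspect_ips = {
        ip: n for ip, n in per_ip.items()
        if n >= threshold and ip not in established
    }
    suspect_blocks = {b: n for b, n in per_block.items() if n >= threshold}
    return suspect_ips, suspect_blocks


def main():
    rows = parse_netstat(SAMPLE_NETSTAT)
    ips, blocks = half_open_report(rows, threshold=2)
    print("half-open per address (never established):", ips)
    print("half-open per netblock:", blocks)


if __name__ == "__main__":
    main()
```

To use it against a live box, replace SAMPLE_NETSTAT with the output of `netstat -tn` and run it on a timer; a remote that sits in the report for hours and never moves to ESTABLISHED matches the pattern described in the thread, and the timestamped reports are the kind of log an abuse contact would expect to see.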



