[Courses] [Security] Syn flooding

Raven, corporate courtesan raven at oneeyedcrow.net
Mon May 6 14:58:58 EST 2002


Heya --

Quoth Dave North (Wed, May 01, 2002 at 10:54:52PM -0700):
> > Does the IP address change all the time?
> 
> It will persist as the same IP for hours, maybe as much as a day, then
> drop off. Very soon (or immediately) another appears, etc, ad nauseam.
> Rarely, but on occasion, there will be two different IP leeches at one
> time.  Just as rarely, nothing at all.

	Yeah, that sounds like something deliberate.  It's probably the
same person just spoofing the source address.
 
> I had presumed as much. The wandering nature of it made me curious if
> there was something spreading around the net that just had various
> "victim" servers firing off at me (and others) more or less randomly.
> 	Or, maybe somebody's really mad at me (or Ak).

	Do you IRC?  Common causes of DoS attacks that I've seen:

1) Some kiddie gets mad at something you said on IRC.
2) Some kiddie doesn't like what your website has to say.  (Yours seems
pretty inoffensive to me, so I doubt this is it.)
3) Some kiddie heard you said something bad about them and decided to
"show you".
4) Some kiddie tried to hack you, failed, and is now resorting to the
pathetic "if I can't get in, I can at least irritate them" stance.

	Really, most of the DoS attacks I've seen have been for really
far-fetched and immature reasons.  That's one of the reasons it's
sometimes hard to figure out why they're happening -- you can't believe
that anyone would ever get so worked up over something so minor.
Sometimes it's not even anything to do with you at all.  Real reasons
I've heard for why it's good to DoS someone:

"I hate all you Linux snobs.  You think just because someone uses XP
you're better than them, just because your OS is too hard for anyone to
use."  (This, attacking a site that had a penguin logo on it and said it
was powered by Linux.  That was it.  No OS evangelism or anything.)

"It gets you status, the bigger site you can take down."

"For one moment, people cared about me and what I could do to them."

"Man, if I could I'd take down the Internet.  Everyone would know who I
was then.  I'd be the greatest hacker ever."

"I hate your religion!"  (Attacking an evangelical Christian site.)

"God hates them."  (That same Christian site, attacking back.)
 
> I thought perhaps that was why, but it's nice to hear it explained.

	Yeah, it's always pleasing when you figure something out and
find out you were right.  [grin]  Go you.
 
> Ouch. Coordinating with pacbell (sbc subsidiary) is an oxymoron.

	Yeah, they're pretty notorious for that.
 
> > 	Your ISP may be able to trace the traffic through their network,
> > to where it exits (generally at a peer, or their upstream connection to
> > their ISP)....
> 
> This is fascinating!

	Thanks!  [grin]
 
> Apparently. As far as I can tell, it's accomplishing nothing. Or am I too
> sanguine? Right now, for example, I have two different leeches with a
> total of three non-connections. It almost never gets to four. (The new
> leech is showing Canada...) It's always a netblock, never a single address
> (so far).

	No, you're not too sanguine.  If they're not getting you, well,
good.  You're doing what you can to ensure that they won't, and it's not
having much of an impact on your life.  (This is far better than many
non-SYN-flood DoS attacks, where you have to work constantly with your
ISP to redirect or nullroute the attack traffic so it doesn't fill up
your whole connection to the Internet.  And every time the attackers
change their pattern, you have to do it again.  This assumes that the
ISP will help you, and not just nullroute the victim to save themselves
time and effort.)
 
> Having heard about that kind of thing in Europe, I was a bit dismayed that
> there was some possibility we were being used to attack someone else. If
> my box is handling the "flood" without breaking a sweat, does that mean
> I'm also not being used to torture some other poor victim? (as best you
> understand it?)

	Given this pattern, I doubt you're being used as a reflector.
If they were all aimed at the same big target (e.g. spoofed SYNs "from"
www.microsoft.com or something) then I'd be a lot more worried about it.
But since the sources keep changing, it's unlikely that you're being
used as a reflector.  Your box will send a packet to the source, but
that's really hard to stop (AFAIK) without breaking things horribly.

Cheers,
Raven
 
"You found the Amulet of Yendor!"
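The reasoning in the reply above (scattered spoofed sources mean the box is the target; every claimed source in one netblock means its SYN-ACK backscatter is landing on that block, i.e. it is being used as a reflector) can be turned into a quick triage check over the half-open connection table. The following is an added example, not code from Raven or anyone in the thread: it parses rows in the layout of Linux `netstat -ant`, keeps the SYN_RECV entries, groups the claimed sources into /24 netblocks and reports a verdict. The local address, the three sample listings and the thresholds are constructed for illustration.

```python
"""
Triage of half-open TCP connections during a spoofed-source SYN flood.

Added example, not code from the mailing-list post. It turns the reasoning
in the reply into a check: list the SYN_RECV entries a box is holding,
group the claimed source addresses into /24 netblocks, and decide whether
the flood is aimed at this box (claimed sources scattered) or whether the
box is being used as a reflector (every claimed source in one netblock, so
the SYN-ACKs it returns all land on that block). All sample data below is
constructed; it is not a capture from the original thread.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

LOCAL = "10.0.0.5:80"  # hypothetical local listener


def netstat_rows(remote_ips, state="SYN_RECV", local=LOCAL):
    """Build rows in the shape of `netstat -ant` output (constructed data)."""
    return "\n".join(
        f"tcp        0      0 {local}  {ip}:{40000 + i}  {state}"
        for i, ip in enumerate(remote_ips)
    )


HEADER = ("Active Internet connections (servers and established)\n"
          "Proto Recv-Q Send-Q Local Address  Foreign Address  State\n")

# Claimed sources spread over 30 different /24s: the box itself is the target.
SCATTERED = HEADER + netstat_rows(f"198.51.{i}.{(7 * i) % 250 + 1}" for i in range(30))

# Claimed sources all inside 192.0.2.0/24: our SYN-ACKs all go to that block.
CONCENTRATED = HEADER + netstat_rows(f"192.0.2.{i + 1}" for i in range(30))

# A handful of half-open slots plus normal traffic: nothing to worry about.
IDLE = (HEADER + netstat_rows(["203.0.113.9", "203.0.113.44"]) + "\n"
        + netstat_rows(["203.0.113.80"], state="ESTABLISHED"))


def parse_half_open(text):
    """Return (local_port, claimed_source_ip) for every row in SYN_RECV state.

    Header lines and rows in any other state are skipped.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "SYN_RECV":
            continue
        local_port = int(parts[3].rpartition(":")[2])
        remote_ip = parts[4].rpartition(":")[0]
        entries.append((local_port, ip_address(remote_ip)))
    return entries


def netblocks(entries, prefix=24):
    """Count half-open entries per /prefix netblock of the claimed source."""
    counts = Counter()
    for _, src in entries:
        counts[ip_network(f"{src}/{prefix}", strict=False)] += 1
    return counts


def classify(entries, threshold=20, prefix=24, share=0.9):
    """Classify the half-open table.

    Returns ("idle", None) below `threshold` entries,
    ("reflector", netblock) when >= `share` of entries claim one netblock,
    ("targeted", None) otherwise. Thresholds are illustrative, not tuned.
    """
    if len(entries) < threshold:
        return "idle", None
    block, n = netblocks(entries, prefix).most_common(1)[0]
    if n / len(entries) >= share:
        return "reflector", block
    return "targeted", None


if __name__ == "__main__":
    for name, sample in (("scattered", SCATTERED),
                         ("concentrated", CONCENTRATED),
                         ("idle", IDLE)):
        entries = parse_half_open(sample)
        verdict, block = classify(entries)
        print(f"{name:12s} half-open={len(entries):3d} verdict={verdict}"
              + (f" toward {block}" if block else ""))
```

To run it against a live box, feed the output of `netstat -ant` to `parse_half_open` instead of the constructed samples. The parser assumes the Linux netstat column layout; `ss -tan` prints the state as `SYN-RECV` in a different column order, so it would need a small adaptation. The "reflector" verdict is only a hint: the claimed sources are spoofed either way, and the thing actually being hit by the backscatter is whatever netblock they are concentrated in.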


