[Techtalk] Weird http leeches

Dave North dave at timocharis.com
Sun May 12 23:44:32 EST 2002


This curious situation has been floating around on my system for months,
but recently I found there are several other systems (all over the place)
with a similar problem.
	I first publicly broached the issue at linuxchix in the security
class, and got some interesting replies, leading to further investigation
and this post.
	The problem? About once a minute, I note a SYN_RECV from some IP
or other that floats until timeout (three minutes or so) usually resulting
in a collection of three or four hanging SYN_RECVs. Usually this will be
from just one IP, but sometimes two at the same time.
	Raising the issue, I got some interesting suggestions from Raven
and this particularly curious note from John Elliott:

> Let me guess your present IP "attackers" are one or more of these
> (at least in the last 24 hours):
> 62.13.43.60
> 63.240.202.140
> 217.199.39.169
> 217.199.39.169

Indeed, the first one listed was my current "leech!"
	Eventually, I started getting traffic from the second on the list
(and probably still am). Once the action is logged, I have the packets
dropped cold using iptables, and wait to see what else shows up. The next
one was not on John's list: 213.219.39.141

Meanwhile, I got an answer to an email query about the first IP from the
owner; his server attached to that IP was taken down May 1 by a DOS
attack (I presume at this point due to an ack flood..?)
	His email was addressed from a .de domain, and the IP is
registered to a Swedish trading group (consistent enough).
	His IP/server had not been online at all during the time I saw
that IP reported SYN on my system, so we know at that point it's spoofed
and a DOS attack is involved (at least in that case).

Just for ducks, I signed on to the various servers I have access to and
ran a netstat. Two were clean, but one of them (a commercial ISP) had the
same IPs reported, hung with SYN_RECVs. The sysadmin was not aware of this
traffic, sent me a thank-you note and took pretty much the same steps I
did. He could do no more than conjecture about the activity.

At this point, I'm assuming this traffic is fairly widespread (running
into John -- in Canada I think -- with this small population, and having
two of four servers I can access affected -- both in California.) I have
not been able to find any references to it on the internet in general via
google, or at any security sites I fished around.

I have lots of questions. For example, what the heck is going on? Could
all our acks "flood" the poor spoofed IPs (making them the target?) Anybody
else hear anything about this? If you check any servers you can access, do
you see similar traffic?
	Etcetera. I'm fascinated by this puzzle, and I have some strange
urge to get to the bottom of it. I also wouldn't mind contributing to some
effort to nail the perp, if I could.

Help!


Dave
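The check described in the post (running netstat and looking for SYN_RECV entries that hang around) can be scripted so that several servers can be compared quickly. The following Python script is an added example, not part of the original post: it parses `netstat -tn` style output, counts half-open connections per remote address (ignoring the source port), and lists sources at or above a threshold. The netstat output is constructed; the local address and ports are assumptions, and the remote addresses are the ones quoted in the thread, reused purely as sample values.

```python
import re
from collections import Counter

# Constructed sample of `netstat -tn` style output (not a real capture).
# Local address 10.0.0.5 and the ports are assumptions; the remote
# addresses are the ones quoted in the thread, reused only as sample values.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             62.13.43.60:1040        SYN_RECV
tcp        0      0 10.0.0.5:80             62.13.43.60:1041        SYN_RECV
tcp        0      0 10.0.0.5:80             62.13.43.60:1042        SYN_RECV
tcp        0      0 10.0.0.5:80             63.240.202.140:2201     SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:3333       TIME_WAIT
"""

# One TCP line: proto, recv-q, send-q, local, foreign, state.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local, foreign, state) tuples; header and non-TCP lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def strip_port(addr):
    """'62.13.43.60:1040' -> '62.13.43.60'. rpartition keeps IPv6 hosts intact."""
    host, _, _port = addr.rpartition(":")
    return host


def half_open_by_source(text):
    """Count SYN_RECV (half-open) entries per remote IP, ports ignored."""
    counts = Counter()
    for _local, foreign, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[strip_port(foreign)] += 1
    return counts


def suspicious_sources(text, threshold=3):
    """Return (ip, count) pairs with at least `threshold` half-open entries, largest first."""
    counts = half_open_by_source(text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Run stand-alone against the constructed sample; on a real host feed it
    # the output of `netstat -tn` instead.
    for ip, n in suspicious_sources(SAMPLE_NETSTAT):
        print(f"{ip}: {n} half-open connections")
```

The tally is for noticing the pattern, not for attribution: as the post concludes, a source address that shows up in hanging SYN_RECV entries while the real host is offline is spoofed, so the listed IPs are the likely recipients of the reflected SYN-ACKs rather than the originator. On Linux the hanging entries occupy the kernel's half-open connection backlog, which is what `net.ipv4.tcp_syncookies` exists to protect.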



