[Dshield] Am I being used for DOS or something worse?

Tim Rushing dshield at threenorth.com
Tue Jul 9 20:27:17 GMT 2002


I'm definitely in over my head and looking for wisdom.

I had to restart my home gateway and thought I might have a hanging ssh 
session on a remote dedicated linux host.  I did a "netstat -lap" to get 
the process and kill it and noticed a number of unfinished TCP connections 
on port 80 from 65.222.225.3, which resolves to ns2.dios.net.

I checked my apache logs and saw nothing.  A few more netstats showed that 
I was getting multiples of these from different source ports.

I started a tcpdump session to capture some packets.  Not that I'd really 
know what to do with them..., but nothing looked particularly 
strange.  I then ran an ipchains script I have that locks out almost 
everything but my home ip address.  After that, I started to see a number 
of these popping up from 65.222.225.* and even one from 65.207.91.38, which 
resolves to dios1-gw.customer.alter.net and is, I assume, their gateway.

I reopened port 80 and then shortly after that the machine rebooted.  Now, 
I really panicked but also called my hosting company.  They said that they 
had noticed me going off the radar screen (when I ran my ipchains script), 
were planning to reboot the machine, but they also claimed they had not 
rebooted.

I had them run my ipchains panic script from the console and sshd'd back 
in.  I can find nothing amiss.  I continued to get SYN attempts from a 
wider number of 65.222.225.* hosts to port 80 on my server, but nothing 
outbound from my machine after the reboot.

I finally set up tcpdump to log everything from 65.*.*.* for a bit and 
opened it back up.

I have tcpdumps from 65.222.225.3 when my machine rebooted which don't 
seem to show anything strange.  (Of course, I was getting things from other 
65.222.225.* addresses at that point.)  I have tcpdumps from 65.*.*.* after 
restarting.  I have ipchains logs showing various attempts when I had the 
firewall closed tight.

What is the best course of action here?  If it weren't for the restart, it 
looks to me like a DOS attempt on dios.net.  I think it is possible that 
the restart actually was initiated by my hosting company without the person 
I was talking to actually being aware that it had been completed.

But is spoofing an address with an incomplete TCP handshake really a good 
multiplier for DOS?  I mean, yes, it multiplies the packets, but not by 
much.  Doesn't seem very efficient to me.

This is still ongoing at this time.

       ---Tim Rushing 
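As an added example (not part of the original post), a small Python script that does the tallying the post describes doing by hand with repeated netstats: it parses `netstat -an`-style lines, counts half-open (SYN_RECV) connections to port 80 per remote host and per /24, and lists the hosts above a threshold. The netstat lines and the local address 10.0.0.5 are constructed for the example; a high count only says where to look in the tcpdump capture, since a forged source address and a real flood look the same in this view.

```python
from collections import Counter, defaultdict
import ipaddress
import re

# Constructed sample, modelled on `netstat -an` output for the situation in
# the post: half-open connections to port 80 from several 65.222.225.x hosts,
# each on a fresh source port, plus ordinary traffic. 10.0.0.5 is assumed.
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:80        65.222.225.3:1043     SYN_RECV
tcp        0      0 10.0.0.5:80        65.222.225.3:1044     SYN_RECV
tcp        0      0 10.0.0.5:80        65.222.225.3:1051     SYN_RECV
tcp        0      0 10.0.0.5:80        65.222.225.17:2201    SYN_RECV
tcp        0      0 10.0.0.5:80        65.222.225.40:3307    SYN_RECV
tcp        0      0 10.0.0.5:22        192.0.2.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80        198.51.100.7:40001    ESTABLISHED
"""

LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Yield (local_port, remote_ip, remote_port, state) for each tcp line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def half_open_summary(text, local_port=80):
    """Count SYN_RECV entries to local_port per remote host and per /24,
    and how many distinct source ports each remote host used."""
    per_host, per_net, ports = Counter(), Counter(), defaultdict(set)
    for lport, rip, rport, state in parse_netstat(text):
        if lport == local_port and state == "SYN_RECV":
            per_host[rip] += 1
            ports[rip].add(rport)
            net = ipaddress.ip_network(f"{rip}/24", strict=False)
            per_net[str(net)] += 1
    return per_host, per_net, {ip: len(p) for ip, p in ports.items()}

def noisy_sources(text, local_port=80, threshold=3):
    """Remote hosts with at least `threshold` half-open connections."""
    per_host, _, _ = half_open_summary(text, local_port)
    return sorted(ip for ip, n in per_host.items() if n >= threshold)

if __name__ == "__main__":
    hosts, nets, distinct = half_open_summary(SAMPLE_NETSTAT)
    for net, n in nets.most_common():
        print(f"{net}: {n} half-open connection(s) to port 80")
    print("noisy sources:", noisy_sources(SAMPLE_NETSTAT))
```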
