[Dshield] Am I being used for DOS or something worse?
dshield at threenorth.com
Tue Jul 9 20:27:17 GMT 2002
I'm definitely in over my head and looking for wisdom.
I had to restart my home gateway and thought I might have a hanging ssh
session on a remote dedicated linux host. I did a "netstat -lap" to get
the process and kill it and noticed a number of unfinished TCP connections
on port 80 from 184.108.40.206, which resolves to ns2.dios.net.
I checked my apache logs and saw nothing. A few more netstats showed that
I was getting multiples of these from different source ports.
I started a tcpdump session to capture some packets. Not, that I'd really
know what to do with them. . . ., but nothing looked particularly
strange. I then ran an ipchains script I have that locks out almost
everything but my home ip address. After that, I started to see a number
of these popping up from 65.222.225.* and even one from 220.127.116.11, which
resolves to dios1-gw.customer.alter.net and is, I assume, their gateway.
I reopened port 80 and then shortly after that the machine rebooted. Now,
I really panicked but also called my hosting company. They said that they
had noticed me going off the radar screen (when I ran my ipchains script),
were planning to reboot the machine, but they also claimed they had not
I had them run my ipchains panic script from the console and sshd'd back
in. I can find nothing amiss. I continued to get SYN attempts from a
wider number of 65.222.225.* hosts to port 80 on my server, but nothing
outbound from my machine after the reboot.
I finally set up tcpdump to log everything from 65.*.*.* for a bit and
opened it back up.
I have tcpdumps from 18.104.22.168 when my machine rebooted which doesn't
seem to show anything strange. (Of course, I was getting things from other
65.222.225.* addresses at that point.) I have tcpdumps from 65.*.*.* after
restarting. I have ipchains logs showing various attempts when I had the
firewall closed tight.
What is the best course of action here? If it weren't for the restart, it
looks to me like a DOS attempt on dios.net. I think it is possible that
the restart actually was initiated by my hosting company without the person
I was talking to actually being aware that it had been completed.
But is spoofing an address with an incomplete TCP handshake really a good
multiplier for DOS? I mean, yes, it multiplies the packets, but not by
much. Doesn't seem very efficient to me.
This is still ongoing at this time.
More information about the list