[Dshield] RESOLUTION: Am I being used for DOS or something worse
dshield at threenorth.com
Thu Jul 11 16:23:41 GMT 2002
I'd like to start by thanking everyone for the many on and off list
suggestions and offers to help.
I thought I would report back with the results of my investigation. Quick
re-cap: I wrote in, panicked, because my dedicated server had initiated a
restart as I was investigating a rather odd series of SYN packets from
dios.net that did not respond to my SYN/ACKs. In the course of the
investigation, I had used ipchains to close off this machine from almost all
IP traffic.
The reset does appear to have been initiated by my hosting company when my
closing down of the machine caused it to appear as if it were down to their
monitoring system. Dios.net and associated networks in 184.108.40.206 and
220.127.116.11 were under a large DDOS at the time.
Whoever the attackers were, it appears that they were using me to multiply
and obfuscate their attack. They were spoofing SYN packets from the
machines under attack, which resulted in my machine sending back 8
SYN/ACKs for every SYN packet received. They appeared to be attacking
different machines within the network, but some of the SYN packets appeared
to be from the broadcast network address 18.104.22.168.
It looks as though wherever these packets were coming from, they were
sending each of my IPs a single SYN packet roughly every 40 - 60 seconds,
so the load on me was negligible and probably light enough that I would
have done little even if I had been alerted by any automated warning
systems, which I was not.
I've never bothered to install SNORT because I'm an all but non-existent
target: this is not even close to a mission-critical machine, and I'm zealous
about keeping up on patches and not running much on the system in question
beyond what I need. However, it disturbs me that the only reason I caught
this was that I happened to run a netstat at the appropriate time. Would
SNORT or any other tools detect incomplete tcp handshakes without putting
too much of a load on a very small underpowered system?
I have some full packet captures, if anyone is interested.
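The behaviour described in the post above (spoofed SYNs from the victim's addresses, each answered by a burst of SYN/ACK retransmissions that never see a completing ACK) can be pulled out of a packet capture with a short script. The following is an added example written for this archive, not code from the original poster; it assumes the capture was saved as text with `tcpdump -n -tt` (numeric addresses, epoch timestamps, modern `Flags [S.]` notation) and uses hypothetical RFC 5737 documentation addresses for the monitored host, the victim and a normal client. It reports remote hosts that received several SYN/ACKs per SYN from us and never finished a handshake, which is exactly the signature of being used as a SYN/ACK reflector.

```python
"""Spot SYN/ACK reflection in a tcpdump text capture.

Added illustration, not code from the original post. Assumes the capture was
written with `tcpdump -n -tt` (numeric addresses, epoch timestamps) in the
"Flags [S.]" style; older tcpdump versions print flags differently.
A spoofed SYN makes the local host answer with a SYN/ACK and retransmit it
until it gives up, so one inbound SYN turns into several outbound SYN/ACKs
aimed at the spoofed (victim) address and never gets the final ACK.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LOCAL_IP = "192.0.2.10"  # hypothetical address of the monitored host (RFC 5737 range)


def parse_line(line):
    """Return (ts, src, sport, dst, dport, kind) or None for lines that are not TCP.
    kind is 'syn', 'synack', 'ack' or 'other', derived from the tcpdump flag string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.group("flags")
    if "S" in f and "." in f:
        kind = "synack"
    elif "S" in f:
        kind = "syn"
    elif f == ".":
        kind = "ack"
    else:
        kind = "other"
    return (float(m.group("ts")), m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), kind)


def handshake_stats(lines, local_ip):
    """Per remote (ip, port): SYNs received, SYN/ACKs sent, ACKs received."""
    stats = defaultdict(lambda: {"syn_in": 0, "synack_out": 0, "ack_in": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, src, sport, dst, dport, kind = rec
        if dst == local_ip and kind == "syn":
            stats[(src, sport)]["syn_in"] += 1
        elif dst == local_ip and kind == "ack":
            stats[(src, sport)]["ack_in"] += 1
        elif src == local_ip and kind == "synack":
            stats[(dst, dport)]["synack_out"] += 1
    return stats


def reflection_suspects(lines, local_ip, min_ratio=2.0):
    """Remote hosts that got >= min_ratio SYN/ACKs per SYN and never completed a
    handshake: the likely spoofed sources, i.e. the real targets of the attack."""
    per_host = defaultdict(lambda: {"syn_in": 0, "synack_out": 0, "completed": 0})
    for (ip, _port), s in handshake_stats(lines, local_ip).items():
        h = per_host[ip]
        h["syn_in"] += s["syn_in"]
        h["synack_out"] += s["synack_out"]
        h["completed"] += 1 if s["ack_in"] else 0
    suspects = {}
    for ip, h in per_host.items():
        if h["syn_in"] and h["completed"] == 0:
            ratio = h["synack_out"] / h["syn_in"]
            if ratio >= min_ratio:
                suspects[ip] = ratio
    return suspects


def sample_capture():
    """Constructed tcpdump-style lines (not a real capture): three spoofed SYNs
    about 50 s apart from a victim address, each answered by 8 SYN/ACKs (first
    send plus retransmissions with doubling backoff), and one normal handshake."""
    victim = "198.51.100.7"   # hypothetical address of a host under DDoS
    client = "203.0.113.5"    # hypothetical legitimate client
    lines = []
    for i in range(3):
        t0 = 1026404621.0 + i * 50
        sport = 40000 + i
        lines.append(f"{t0:.6f} IP {victim}.{sport} > {LOCAL_IP}.80: Flags [S], seq 1, win 512, length 0")
        delay = 0.0
        for n in range(8):
            lines.append(f"{t0 + delay:.6f} IP {LOCAL_IP}.80 > {victim}.{sport}: Flags [S.], seq 1, ack 2, win 5840, length 0")
            delay = 3.0 if n == 0 else delay * 2
    t = 1026404631.0
    lines.append(f"{t:.6f} IP {client}.51000 > {LOCAL_IP}.80: Flags [S], seq 1, win 512, length 0")
    lines.append(f"{t + 0.01:.6f} IP {LOCAL_IP}.80 > {client}.51000: Flags [S.], seq 1, ack 2, win 5840, length 0")
    lines.append(f"{t + 0.02:.6f} IP {client}.51000 > {LOCAL_IP}.80: Flags [.], ack 2, win 512, length 0")
    return lines


if __name__ == "__main__":
    for ip, ratio in reflection_suspects(sample_capture(), LOCAL_IP).items():
        print(f"{ip}: {ratio:.1f} SYN/ACKs per SYN, no handshake completed")
```

Run it against a real capture with `reflection_suspects(open("capture.txt"), "<your ip>")`. The per-host ratio is the amplification factor the attacker gets from you (8.0 for the constructed data, matching the count in the post), and a host that shows up here with a completed count of zero is almost certainly a spoofed source rather than a client, which is the distinction a raw netstat listing of SYN_RECV entries does not make.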