[Dshield] RESOLUTION: Am I being used for DOS or something worse

Tim Rushing dshield at threenorth.com
Thu Jul 11 16:23:41 GMT 2002


I'd like to start by thanking everyone for the many on and off list 
suggestions and offers to help.

I thought I would report back with the results of my investigation.  Quick 
re-cap: I wrote in, panicked, because my dedicated server had initiated a 
restart as I was investigating a rather odd series of SYN packets from 
dios.net that did not respond to my SYN/ACK.  In the course of investigation, I 
had used ipchains to close off this machine from almost all IP traffic.

The reset does appear to have been initiated by my hosting company when my 
closing down of the machine caused it to appear as if it were down to their 
monitoring system.  Dios.net and associated networks in 65.222.225.0 and 
65.222.227.0 were under a large DDOS at the time.

Whoever the attackers were, it appears that they were using me to multiply 
and obfuscate their attack.  They were spoofing SYN packets from the 
machines under attack, which resulted in my machine sending back 8 
SYN/ACKs for every SYN packet received.  They appeared to be attacking 
different machines within the network, but some of the SYN packets appeared 
to be from the broadcast network address 65.222.227.255.

It looks as though wherever these packets were coming from, they were 
sending each of my IPs a single SYN packet roughly every 40 - 60 seconds, 
so the load on me was negligible and probably light enough that I would 
have done little even if I had been alerted by any automated warning 
systems, which I was not.

I've never bothered to install SNORT because I'm an all but non-existent 
target; this is not even close to a mission-critical machine, and I'm zealous 
about keeping up on patches and not running much on the system in question 
but what I need.  However, it disturbs me that the only reason I caught 
this was that I happened to run a netstat at the appropriate time.  Would 
SNORT or any other tools detect incomplete TCP handshakes without putting 
too much of a load on a very small, underpowered system?

I have some full packet captures, if anyone is interested.

         ---Tim Rushing
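As an added illustration (not part of the original post) of the kind of lightweight check the question above asks about: a small script that reads tcpdump-style one-line summaries and flags flows where the local host answered a SYN with repeated SYN/ACKs but never saw the peer's final ACK, which is the signature of reflected, spoofed SYNs. The line format, the local addresses and the sample traffic are all constructed here; the peer addresses are RFC 5737 documentation ranges, not the networks named in the post.

```python
import re
from collections import defaultdict

# Constructed format: "<src-ip>.<sport> > <dst-ip>.<dport>: <flags>"
# with flags S (SYN), S. (SYN/ACK) or . (ACK), mimicking tcpdump output.
LINE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): (S\.|S|\.)$")

# Hypothetical addresses of the server doing the monitoring.
LOCAL = {"192.0.2.10", "192.0.2.11"}

# Constructed sample: one normal handshake, then one spoofed SYN that
# draws eight SYN/ACK retransmissions and is never acknowledged.
SAMPLE = [
    "203.0.113.5.1025 > 192.0.2.10.80: S",
    "192.0.2.10.80 > 203.0.113.5.1025: S.",
    "203.0.113.5.1025 > 192.0.2.10.80: .",
    "198.51.100.255.40001 > 192.0.2.11.80: S",
] + ["192.0.2.11.80 > 198.51.100.255.40001: S."] * 8


def parse(line):
    """Return (src, sport, dst, dport, flags) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def find_half_open(lines, local, synack_threshold=3):
    """Map (peer, peer_port, local, local_port) -> SYN/ACK count for flows
    where we sent at least `synack_threshold` SYN/ACKs and the peer never
    completed the handshake with an ACK."""
    synacks = defaultdict(int)
    acked = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if flags == "S." and src in local:          # our SYN/ACK going out
            synacks[(dst, dport, src, sport)] += 1
        elif flags == "." and dst in local:         # peer's ACK coming back
            acked.add((src, sport, dst, dport))
    return {k: v for k, v in synacks.items()
            if v >= synack_threshold and k not in acked}


def looks_like_broadcast(ip):
    """Crude hint that a 'source' is a /24 broadcast address, hence spoofed."""
    return ip.endswith(".255")
```

Run over a live capture this would be fed by `tcpdump -nl` piped line by line; the threshold of three SYN/ACKs separates a slow-but-real client from a peer that never answers at all.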