[unisog] Strange packets to random addresses in our network

Russell Fulton r.fulton at auckland.ac.nz
Mon Dec 29 20:40:40 GMT 2003


On Tue, 2003-12-30 at 04:34, Brian Eckman wrote:

> I had first thought it might have fallout from a SYN Flood against them, 
> but the packet has always been just an ACK and not a SYN ACK, which 
> didn't make sense to me. Also, I'd say the TCP Option doesn't fit that 
> scenario either. IIRC, the option is supposedly an MD5 checksum, and the 
> packet checksum is always wrong. There also seem to be gaps where the 
> activity stopped, as I saw none of this activity during a recent 5+ hour 
> stretch.

I've had communication from a third party (who I know, at least by
reputation) who said that the site has been under DoS since the 22nd
(which fits with my record).  Like Brian I was puzzled by the lack of a
SYN flag, this isn't a standard SYN flood...

BTW I have had a neutral response from Rackspace.com (person not
automated) thanking me for the report and saying that they are working
on 'it'.  What ever 'it' might be.  I'll ask them if they are willing to
give some details of the attack so we can match it to the back scatter.

Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!

More information about the unisog mailing list