March 12th, 2002, 12:50 AM
This has probably been covered in the past but I don't remember seeing it.
It appears that my Windows 2000 servers are getting attacked by someone with a spoofed IP.
Firewall is yelling about a SYN flood attack.
I cannot ping the IP in question.
A Tracert only gets me to a certain point.
There is no reverse lookup for the IP.
The IP in question is using a lot of different port numbers, usually rather high ones (i.e. 25808, 46780, 27717).
The question is what tools can I use to determine the real IP used and nail this person to the wall and get him shut down?
Any help would be greatly appreciated.
March 12th, 2002, 01:14 AM
Is this a UDP attack or TCP? Spoofing a UDP packet/stream is trivial; spoofing TCP packet(s) is a LOT more difficult due to the 3-way handshake that must take place for session establishment. Then again, if you are only getting SYN packets, well... it could possibly be a spoofed TCP packet. Hmmm... also, who owns the IP you are getting hit by? Go to www.arin.net/whois and look it up. If you need more help, just ask.
March 12th, 2002, 01:33 AM
I have heard of folks that "claim" they can trace a spoofed IP back to its source, but I have doubts. The couple I've seen demo'd all require distributed sniffers throughout the network being monitored to tag every packet going by. Frankly... I don't see that as reality across the entire Internet.
PREFACE: Following is -very much- a long shot. I know that. For the sake of the forum and trying to help, I offered the following.
However, what you can try:
- Try to work at the time of the attack, in case the attacker is using dialup or drops off the net after the attack. Try pinging and resolving then.
- Take a look at the TTLs of previous attacks and the current attack. While many spoofers allow for TTL spoofing, most KS's will only spoof the IP.
- If the TTL is always the same for all attacks, then you are in some luck. Probably just one person from one source. May be a compromised source, but still, a single one is easier for the victim.
OK... Now is where the work starts. If it's a random attack for no purpose, then you may never find the source. However, if the attacker is also trying to access your system(s), then you may find them. Hopefully you have old tcpdump or snort files saved for the weeks prior to the attack. This is an expensive option (long-term storage) depending on the amount of traffic you have, but valuable in tracing the history of attacks stretched out over weeks of time.
From your old traffic, histogram the TTLs and tie them to the source IP, assuming the attacker will use the same system to access your machines as for all the floods. Look for suspicious activity history from any IP with TTLs similar to the floods'.
March 12th, 2002, 05:05 PM
It appears to be a TCP attack as it's only poking at port 80.
According to ARIN the IP block is owned by Verio.net, a reverse lookup says it's probably been reassigned to nameservers.net. The IP is 22.214.171.124, port numbers used are all over the road.
Looks like I'll be breaking out the sniffer to take a closer look.
Thanks for the tips so far.
Any other help would be greatly appreciated.
March 18th, 2002, 06:39 AM
If it is on port 80, well... frankly they are trying to connect to an HTTP daemon, so it is basically not an attack (most likely not). Just thought I would bring this up.
March 18th, 2002, 04:33 PM
I would like to believe it's not an attack, except it's happening to about six servers and the requests are malformed. It's sending things like three- or four-character URLs, i.e. sftm or cme, without http:// or ftp://, etc. I suppose it could be a rogue cache server.
March 18th, 2002, 10:20 PM
Well... first of all, if your firewall is yelling about a SYN flood attack... listen to it, it probably knows what it is talking about!!!
If you are getting hit with SYN packets with a spoofed source IP, NO, you will not be able to ping the source host. That is why it is called spoofing. That also answers the question about tracert and name lookups. If it is not a 'real' host, you won't be able to do anything.
As for tracing this back to the actual source... it is possible, but not at all easy. You would basically have to look at logs in reverse order of the hops it traveled across to get to you. Based on those, you would be able to narrow it down. Now, of course, you will never be able to do this, because all the ISPs that the traffic traversed will NOT give you their router logs (assuming they have them in the first place). You would have to be a government agency investigating criminal activity to be able to obtain this info with a warrant.
And Cheeseball, if it is a SYN flood, it has to be TCP, because UDP does not use a 3-way handshake (SYN, SYN-ACK, ACK). And spoofing a TCP packet is not any harder in this case, because the attacking host does not need to get the return traffic. A simple packet generator would do this nicely. If it were something like TCP session hijacking, then yes, it would be a bit more difficult, but if you really wanted to, you could just HUNT *hint* for a way to do it.
But anyway, if your firewall is detecting the attack, it is also blocking it (hopefully) so you really have nothing to worry about. That is about all you can really do.
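Two of the suggestions above can be checked mechanically against a stored capture: the earlier post's idea of histogramming TTLs per source IP and looking for other hosts whose TTL matches the flood, and this post's point that a spoofed source never completes the handshake, so it only ever shows up as SYNs with no ACK behind them. The following is an added example, not code from anyone in this thread. It uses a simplified one-line record format invented here (tcpdump's real output differs and would need a different regex), and the capture lines and addresses (RFC 5737 documentation ranges) are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture in a simplified one-line format chosen for this
# example (NOT tcpdump's exact output): "time src:sport > dst:dport ttl=N flags=F"
# Flags: S = SYN, A = ACK, PA = PSH-ACK.  Only inbound traffic to the victim
# 192.0.2.10 is shown.  198.51.100.7 plays the flooding (spoofed) source.
SAMPLE_CAPTURE = """
00:00:01.000 203.0.113.5:51000 > 192.0.2.10:80 ttl=49 flags=S
00:00:01.020 203.0.113.5:51000 > 192.0.2.10:80 ttl=49 flags=A
00:00:01.030 203.0.113.5:51000 > 192.0.2.10:80 ttl=49 flags=PA
00:00:05.000 198.51.100.7:25808 > 192.0.2.10:80 ttl=113 flags=S
00:00:05.001 198.51.100.7:46780 > 192.0.2.10:80 ttl=113 flags=S
00:00:05.002 198.51.100.7:27717 > 192.0.2.10:80 ttl=113 flags=S
00:00:05.003 198.51.100.7:39102 > 192.0.2.10:80 ttl=113 flags=S
00:00:05.004 198.51.100.7:61211 > 192.0.2.10:80 ttl=113 flags=S
00:00:05.005 198.51.100.7:33412 > 192.0.2.10:80 ttl=113 flags=S
00:00:09.000 203.0.113.77:40001 > 192.0.2.10:80 ttl=113 flags=S
00:00:09.015 203.0.113.77:40001 > 192.0.2.10:80 ttl=113 flags=A
00:00:09.100 203.0.113.77:40002 > 192.0.2.10:21 ttl=113 flags=S
00:00:09.200 203.0.113.77:40003 > 192.0.2.10:23 ttl=113 flags=S
00:00:12.000 203.0.113.9:5000 > 192.0.2.10:80 ttl=113 flags=S
00:00:12.010 203.0.113.9:5000 > 192.0.2.10:80 ttl=113 flags=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+ttl=(?P<ttl>\d+)\s+flags=(?P<flags>[A-Z]+)$"
)


def parse_capture(text):
    """Turn the simplified capture text into a list of packet dicts."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unparseable line: %r" % line)
        p = m.groupdict()
        for key in ("sport", "dport", "ttl"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def ttl_histogram(packets):
    """Per source IP, how often each TTL was seen (the 'histogram the TTLs' step)."""
    hist = defaultdict(Counter)
    for p in packets:
        hist[p["src"]][p["ttl"]] += 1
    return hist


def half_open_sources(packets, min_syns=3):
    """Sources that sent at least min_syns SYNs and never an ACK-bearing segment.
    A real client finishes the handshake with an ACK; a spoofed source never
    receives the SYN-ACK, so it can never send one."""
    syns = Counter()
    acked = set()
    for p in packets:
        if p["flags"] == "S":
            syns[p["src"]] += 1
        elif "A" in p["flags"]:
            acked.add(p["src"])
    return sorted(src for src, n in syns.items() if n >= min_syns and src not in acked)


def dominant_ttl(counter):
    """Most frequently observed TTL for one source."""
    return counter.most_common(1)[0][0]


def candidate_origins(packets, flood_sources):
    """Non-flood sources whose dominant TTL matches a flood source's TTL, ranked
    by the number of distinct destination ports they touched (more looks more
    like probing).  Heuristic only: a TTL match means a similar hop distance,
    not the same host."""
    hist = ttl_histogram(packets)
    flood_ttls = {dominant_ttl(hist[s]) for s in flood_sources}
    ranked = []
    for src, counter in hist.items():
        if src in flood_sources or dominant_ttl(counter) not in flood_ttls:
            continue
        ports = {p["dport"] for p in packets if p["src"] == src}
        ranked.append((len(ports), src))
    return [src for _, src in sorted(ranked, reverse=True)]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    floods = half_open_sources(pkts)
    hist = ttl_histogram(pkts)
    for src in floods:
        print("half-open SYN source %s, TTLs seen: %s" % (src, dict(hist[src])))
    print("hosts sharing the flood TTL, most ports first:", candidate_origins(pkts, floods))
```

In the sample the flooding address shows six SYNs from high, unrelated ports and not one ACK, and a single TTL (113), which is the "same TTL every time, probably one source" case from the earlier post. Of the three hosts that did complete a handshake, two share TTL 113; the one that also poked ports 21 and 23 ranks first. Treat that list as a place to start reading logs, not as identification: every host roughly the same number of hops away lands on the same TTL, and an attacker who spoofs the TTL too defeats the comparison entirely.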
March 19th, 2002, 12:04 AM
I'm just tired of whoever is doing this filling a lot of space in my logs, wasting my time and taking up bandwidth.
March 19th, 2002, 08:23 PM
Well... IMO an even bigger waste of time would be to try to stop whoever is doing this. You will more than likely not be able to track them down, and even if you can, it does not mean anything will be done about it.
My suggestion is to just ignore it (stop logging it if necessary), and eventually it will stop. I am sure it is not affecting your performance by any significant amount...