[nsp-sec] Israeli false SYN attack
Hank Nussbacher
hank at efes.iucc.ac.il
Mon Jan 12 07:08:00 EST 2009
The following is being forwarded as sent by cert-team at tehila.gov.il:
----------------------------------
During the last week we have been experiencing several SYN-Flood attacks.
The IPs originating the attacks were spoofed (one IP per packet, as far as
we've seen) and there were two signatures to the attack:
1. The originating ports were 1024 and 3072
2. The ACK header was not empty but the ACK flag was not set.
The majority of the attacks were on 147.237.72.240 and 147.237.72.235 but
we have seen traffic to 147.237.72.239 and 147.237.72.71. The attacked port
was mostly 443 but we have also seen attempts on port 80.
Some of our servers have responded to the SYN with SYN,ACK. This means
that some servers in the world (like I said, originating IPs were spoofed)
have seen traffic to port 1024 and 3072 from our servers that was not
initiated by the originating IP.
-----------------------------------
Regards,
Hank
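
The two signatures listed in the forwarded report, written as a check over a raw TCP header. This is an added example, not part of the original message; the function names, signature labels and sample packets are constructed for illustration.

```python
import struct

SIGNATURE_SPORTS = {1024, 3072}   # signature 1 in the report
FLAG_SYN, FLAG_ACK = 0x02, 0x10   # TCP flag bits

def build_header(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte TCP header (checksum left at 0) as sample input."""
    off_flags = (5 << 12) | flags  # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 8192, 0, 0)

def parse_tcp(header):
    """Unpack the fixed 20-byte part of a TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, ack, off_flags, _win, _sum, _urg = struct.unpack(
        "!HHIIHHHH", header[:20])
    return {"sport": sport, "dport": dport, "ack": ack,
            "flags": off_flags & 0x01FF}

def matches_report(header):
    """Return the reported signatures a TCP header matches (empty list if none)."""
    t = parse_tcp(header)
    is_syn = bool(t["flags"] & FLAG_SYN)
    has_ack_flag = bool(t["flags"] & FLAG_ACK)
    if not is_syn or has_ack_flag:
        return []                  # only initial SYNs are of interest
    hits = []
    if t["sport"] in SIGNATURE_SPORTS:
        hits.append("source-port")
    if t["ack"] != 0:              # signature 2: ACK field filled, ACK flag clear
        hits.append("ack-field-without-ack-flag")
    return hits

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        ("both signatures", build_header(1024, 443, 1, 0x12345678, FLAG_SYN)),
        ("port only",       build_header(3072, 80, 1, 0, FLAG_SYN)),
        ("ordinary SYN",    build_header(51514, 443, 1, 0, FLAG_SYN)),
        ("established ACK", build_header(1024, 443, 1, 99, FLAG_ACK)),
    ]
    for name, hdr in samples:
        print(f"{name:16} -> {matches_report(hdr)}")
```
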