[nsp-sec] Israeli false SYN attack
Smith, Donald
Donald.Smith at qwest.com
Tue Jan 13 15:53:36 EST 2009
Hank, I looked at NetFlow to and from those victim IPs.
I didn't see many flows (only 42 total for the 12th).
Nearly all of the packets we recorded had the ACK flag set.
Some packets appeared to have data, while others looked like an ACK with some options based on their size. Many of the packets were 40, 46, or 52 octets in length; I am assuming those are just ACK packets with options.
What do they mean by "The ack header was not empty but the ack flag was not set"?
Do they mean the ACK flag wasn't set but there was an ACK number in the packet?
Most of what I saw came in on a single interface, so I suspect it is not a widely distributed attack, but given the low numbers maybe what I am seeing is real traffic, not attack traffic.
Also, because the NetFlow is teed to my raw NetFlow collector, I don't know which router was reporting the traffic, just the interface number.
(coffee != sleep) & (!coffee == sleep)
Donald.Smith at qwest.com gcia
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Hank Nussbacher
> Sent: Monday, January 12, 2009 5:08 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Israeli false SYN attack
>
> ----------- nsp-security Confidential --------
>
> The following is being forwarded as sent by cert-team at tehila.gov.il:
> ----------------------------------
> During the last week we have been experiencing several
> SYN-Flood attacks.
>
> The IPs originating the attacks were spoofed (one IP per packet, as far
> as we've seen) and there were two signatures to the attack:
>
> 1. The originating ports were 1024 and 3072
>
> 2. The ACK header was not empty but the ACK flag was not set.
>
> The majority of the attacks were on 147.237.72.240 and 147.237.72.235,
> but we have seen traffic to 147.237.72.239 and 147.237.72.71. The
> attacked port was mostly 443, but we have also seen attempts on port 80.
>
> Some of our servers have responded to the SYN with SYN,ACK.... This
> means that some servers in the world (like I said, originating IPs were
> spoofed) have seen traffic to port 1024 and 3072 from our servers that
> was not initiated by the originating IP.
> -----------------------------------
>
> Regards,
> Hank
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
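As an added example, not part of either message in this thread: a small Python checker that applies the two signature points from the forwarded CERT report (source port 1024 or 3072; ACK flag clear while the acknowledgement-number field is nonzero, which is one reading of "the ACK header was not empty") to raw IPv4/TCP packets. The packets themselves are constructed here with a hypothetical build_packet helper, the 198.51.100.0/24 source addresses are documentation-range placeholders, and checksums are left at zero; the only address taken from the thread is the 147.237.72.240:443 target.

```python
"""Flag TCP SYNs matching the reported signature (constructed example)."""
import struct
from typing import List, NamedTuple, Tuple

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SUSPECT_SRC_PORTS = {1024, 3072}   # source ports named in the CERT report


class Segment(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int      # raw acknowledgement-number field, valid only if TH_ACK set
    flags: int
    length: int   # IPv4 total length in octets (what NetFlow reports as bytes)


def parse_ipv4_tcp(pkt: bytes) -> Segment:
    """Parse the IPv4 and TCP headers of one packet; raise on anything else."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return Segment(".".join(map(str, src)), ".".join(map(str, dst)),
                   sport, dport, seq, ack, off_flags & 0x01FF, total_len)


def matches_signature(seg: Segment) -> bool:
    """SYN set, ACK flag clear, ack-number field nonzero, suspect source port."""
    syn_without_ack = (seg.flags & (TH_SYN | TH_ACK)) == TH_SYN
    return syn_without_ack and seg.ack != 0 and seg.sport in SUSPECT_SRC_PORTS


def scan(packets: List[bytes]) -> List[Tuple[int, Segment]]:
    """Return (index, segment) for every packet that matches the signature."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            seg = parse_ipv4_tcp(pkt)
        except ValueError:
            continue                      # non-TCP or mangled: not our concern here
        if matches_signature(seg):
            hits.append((i, seg))
    return hits


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int, ack: int, flags: int, options: bytes = b"") -> bytes:
    """Hypothetical helper: build an IPv4+TCP packet with zero checksums.
    options must be a multiple of 4 bytes so the data offset is exact."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      ((tcp_len // 4) << 12) | flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed sample traffic, not captured data.
SAMPLE = [
    # 0: spoofed SYN, sport 1024, ACK flag clear but ack field populated -> hit
    build_packet("198.51.100.7", "147.237.72.240", 1024, 443,
                 0x11223344, 0x1A2B3C4D, TH_SYN),
    # 1: ordinary client SYN: ephemeral port, ack field zero -> no hit
    build_packet("198.51.100.8", "147.237.72.240", 51234, 443,
                 0x55667788, 0, TH_SYN),
    # 2: 52-octet ACK with 12 bytes of options (the size Donald saw) -> no hit
    build_packet("198.51.100.9", "147.237.72.240", 3072, 443,
                 0x99AABBCC, 0xDDEEFF00, TH_ACK,
                 options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
    # 3: SYN from sport 3072 with an empty ack field: only one of two marks -> no hit
    build_packet("198.51.100.10", "147.237.72.235", 3072, 80,
                 0x0BADF00D, 0, TH_SYN),
]

if __name__ == "__main__":
    for idx, seg in scan(SAMPLE):
        print(f"#{idx} {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} "
              f"ack=0x{seg.ack:08x} len={seg.length}")
```

The same test expressed as a libpcap filter, for use on a span port rather than on NetFlow (which carries flags and byte counts but not the acknowledgement number): tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and tcp[8:4] != 0 and (tcp src port 1024 or tcp src port 3072). Note the filter and the code both require all three marks at once; packet 3 shows why a match on source port alone is too loose.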