[nsp-sec] Israeli false SYN attack
Hank Nussbacher
hank at efes.iucc.ac.il
Wed Jan 14 03:05:46 EST 2009
At 01:53 PM 13-01-09 -0700, Smith, Donald wrote:
Thanks. I forwarded your comments to the person who sent me the report. I am
only a go-between on this.
-Hank
>Hank, I looked at netflow to and from those victim ips.
>I didn't see many flows (only 42 total for the 12th).
>Nearly all of the packets we recorded had the ack flag set.
>Some packets appeared to have data while others looked like an ack with
>some options, based on their size. Many of the packets were 40, 46, or 52
>octets in length; I am assuming those are just ACK packets with options.
>
>What do they mean by "The ack header was not empty but the ack flag was
>not set"?
>
>Do they mean the ack flag wasn't set but there was an ack number in the
>packet?
>
>Most of what I saw came in a single interface so I suspect it is not a
>widely distributed attack but given the low numbers maybe what I am seeing
>is real traffic not attack traffic.
>Also because the netflow is teed to my raw netflow collector I don't know
>which router was reporting the traffic just the interface number.
>
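The quoted reply asks what "the ack header was not empty but the ack flag was not set" could mean and infers from 40- and 52-octet lengths that the flows are bare ACKs with options. The script below is an added illustration, not part of this thread, of how a collector-side check would make those two observations explicit: it parses raw TCP headers, reports the flag set, the header/option length and the packet size a flow record would show, and flags the RFC 793 inconsistency of a non-zero acknowledgment number with the ACK bit clear. It assumes a 20-byte IPv4 header with no IP options when converting segment length to octets; all sample segments are constructed inline.

```python
"""Flag-consistency and size checks over raw TCP segments (added example).

Assumption: packets carry a plain 20-byte IPv4 header, so the octet count a
flow record reports is 20 + TCP header + payload.  Samples are constructed.
"""
import struct
from dataclasses import dataclass

IPV4_HEADER_LEN = 20  # assumed: no IP options
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


@dataclass
class TcpSummary:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: frozenset      # names of the flag bits that are set
    header_len: int       # TCP header length in bytes (20 + options)
    payload_len: int

    @property
    def packet_octets(self) -> int:
        """Length as a flow record would report it (IPv4 header + segment)."""
        return IPV4_HEADER_LEN + self.header_len + self.payload_len


def build_tcp(src_port, dst_port, seq, ack, flags, options=b"", payload=b"") -> bytes:
    """Construct a TCP segment for parsing tests (checksum left as zero)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    header_len = 20 + len(options)
    off_flags = (header_len // 4) << 12      # data offset lives in the top 4 bits
    for name in flags:
        off_flags |= FLAG_BITS[name]
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                        off_flags, 65535, 0, 0)
    return fixed + options + payload


def parse_tcp(segment: bytes) -> TcpSummary:
    """Decode the fixed TCP header and measure options and payload."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flags = frozenset(n for n, b in FLAG_BITS.items() if off_flags & b)
    return TcpSummary(sport, dport, seq, ack, flags, header_len,
                      len(segment) - header_len)


def classify(s: TcpSummary) -> list:
    """Observations a collector would want per segment."""
    notes = []
    f = s.flags
    # RFC 793: the acknowledgment number is only significant when ACK is set,
    # so a populated ack number with ACK clear is the inconsistency the
    # quoted report's wording appears to describe.
    if s.ack != 0 and "ACK" not in f:
        notes.append("ack-number-without-ACK-flag")
    if "SYN" in f and "ACK" not in f:
        notes.append("SYN")
    if "SYN" in f and "ACK" in f:
        notes.append("SYN-ACK")
    if f == {"ACK"} and s.payload_len == 0:
        # Bare ACK: 40 octets with no options, 52 with NOP,NOP,timestamp.
        notes.append(f"bare-ACK-{s.packet_octets}-octets")
    if s.payload_len > 0:
        notes.append(f"data-{s.payload_len}-bytes")
    if not f:
        notes.append("null-flags")
    return notes


# Constructed samples (not captured traffic).
TIMESTAMP_OPT = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"  # 12 bytes
MSS_OPT = b"\x02\x04\x05\xb4"                                                   # 4 bytes
SAMPLES = {
    "bare_ack": build_tcp(40000, 80, 1000, 2000, {"ACK"}),                 # 40 octets
    "ack_ts":   build_tcp(40000, 80, 1000, 2000, {"ACK"}, TIMESTAMP_OPT),  # 52 octets
    "syn":      build_tcp(40001, 80, 1, 0, {"SYN"}, MSS_OPT),
    "odd":      build_tcp(40002, 80, 1, 12345, {"SYN"}),                   # ack set, flag clear
    "data":     build_tcp(40000, 80, 1000, 2000, {"ACK", "PSH"}, b"",
                          b"GET / HTTP/1.0\r\n\r\n"),
}


def analyze(samples: dict) -> dict:
    """Map each sample name to its list of observations."""
    return {name: classify(parse_tcp(seg)) for name, seg in samples.items()}


if __name__ == "__main__":
    for name, notes in analyze(SAMPLES).items():
        print(f"{name:10s} {', '.join(notes)}")
```

Running the block over the constructed samples shows why size alone is a weak classifier: the 40- and 52-octet segments are indeed bare ACKs, but the "odd" sample is a SYN whose acknowledgment field is populated, which only a flag-versus-field check catches. NetFlow records summarize flags per flow and do not carry the acknowledgment number, so this kind of check needs packet-level data from a span port or capture rather than flow export.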