[nsp-sec] 15 Gbps TCP SYN DoS
Jason Chambers
jchambers at ucla.edu
Sat Apr 20 09:48:45 EDT 2013
On 4/20/13 5:46 AM, Mike Tancsa wrote:
>
> I saw a lot of backscatter to random addrs in my AS. I guess the
> attacker just spoofed the addresses
>
Yeah. I thought some people might find the outbound traffic signature
useful. On reviewing flows again it looks like TCP/65535 was also a target.
But it looks like that was actually a very small DoS attack.. the real
attack seems to be spoofed from source port 80 and destined to 10,000+
hosts, a jump from roughly ~22,000 to ~35,000 during the attack.
Regards,
--Jason
More information about the nsp-security
mailing list