heys,

ran into something interesting today. not sure if it is a dos attack or if it indicates an ip stack misconfig. here is the symptom:

periodically through the day today we received 100,000 packet bursts on a t-1 circuit. this is a name-brand provider. when the burst occurs it is from the same ip address. on some bursts the packets are all acks. on others they are all fin acks. they are directed at our email servers. when they occur the packets in a burst are all sourced from the same ip address. in the one case where we resolved the ip address back it was another org's email server. based on the router interface stats the traffic is coming from the outside and is not an internal broadcast storm.

per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission." if the same logic holds for other parts of the handshake then i'm at a loss to explain tens of thousands of packets unless it is an exploit of a weakness in the stack that allows for virtually unlimited retries.

anyone run into this kind of situation before and was the resolution a service pack or other such server upgrade? it caused considerable slowness on external accesses as you might imagine. i grabbed a number of traces documenting it and we did contact our provider (they opened a ticket with their security folk).

thanks.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56341&t=56341
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
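
The poster has traces of the bursts but no quick way to pull the pattern out of them. The script below is an added example (not part of the original post or the list's material) that does the triage described above on a packet summary: it keeps only zero-payload ACK and FIN-ACK segments aimed at mail ports, groups them by source, destination and flag set, and reports any group whose packet count inside a sliding one-second window crosses a threshold. It also records whether every packet in the group carried the same seq/ack pair, since a stack retransmitting one segment a handful of times with a doubling timeout would repeat the same numbers, whereas hundreds of identical segments per second or a stream of differing ones are both something else. The CSV column layout, the sample addresses and the packet counts are constructed for the example; a real trace would be exported from tcpdump or a similar tool into this shape first.

```python
"""Flag bursts of bare ACK / FIN-ACK segments from one source toward mail servers.

Input is a constructed CSV packet summary with columns
ts, src, sport, dst, dport, flags, seq, ack, len (this layout is an
assumption of the example, not a standard tool format).
"""
import csv
from collections import defaultdict
from io import StringIO

MAIL_PORTS = {25, 110, 143}      # SMTP, POP3, IMAP
BARE_FLAG_SETS = {"A", "FA"}     # pure ACK and FIN-ACK, the two kinds of burst reported


def _constructed_trace():
    """Build a small synthetic trace: one normal SMTP session plus two bursts."""
    header = "ts,src,sport,dst,dport,flags,seq,ack,len\n"
    rows = [
        # ordinary handshake and data from 198.51.100.50: must not alert
        "0.000,198.51.100.50,40001,192.0.2.10,25,S,100,0,0",
        "0.010,192.0.2.10,25,198.51.100.50,40001,SA,500,101,0",
        "0.020,198.51.100.50,40001,192.0.2.10,25,A,101,501,0",
        "0.030,198.51.100.50,40001,192.0.2.10,25,PA,101,501,35",
    ]
    # 300 identical bare ACKs within 0.3 s from 203.0.113.7: same seq/ack every time
    rows += [f"{1.0 + i * 0.001:.3f},203.0.113.7,3456,192.0.2.10,25,A,7777,8888,0"
             for i in range(300)]
    # 120 FIN-ACKs within 0.5 s from the same host to a second mail server,
    # each with a different seq number, so not a single segment being re-sent
    rows += [f"{5.0 + i * 0.004:.3f},203.0.113.7,3457,192.0.2.11,25,FA,{9000 + i},9100,0"
             for i in range(120)]
    return header + "\n".join(rows) + "\n"


SAMPLE_TRACE = _constructed_trace()


def parse_trace(text):
    """Turn the CSV summary into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "ts": float(row["ts"]), "src": row["src"], "dst": row["dst"],
            "dport": int(row["dport"]), "flags": row["flags"],
            "seq": int(row["seq"]), "ack": int(row["ack"]), "len": int(row["len"]),
        })
    return records


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_bursts(records, window=1.0, threshold=100):
    """Report (src, dst, flags) groups of bare ACK/FIN-ACK segments that exceed
    `threshold` packets inside any `window`-second interval."""
    groups = defaultdict(list)
    for r in records:
        if r["flags"] in BARE_FLAG_SETS and r["len"] == 0 and r["dport"] in MAIL_PORTS:
            groups[(r["src"], r["dst"], r["flags"])].append(r)
    alerts = []
    for (src, dst, flags), pkts in groups.items():
        peak = _max_in_window([p["ts"] for p in pkts], window)
        if peak < threshold:
            continue
        segments = {(p["seq"], p["ack"]) for p in pkts}
        alerts.append({
            "src": src, "dst": dst, "flags": flags, "total": len(pkts),
            "peak_per_window": peak,
            "same_segment": len(segments) == 1,   # one segment repeated over and over?
        })
    return sorted(alerts, key=lambda a: -a["peak_per_window"])


def sample_alerts():
    """Run the detector over the constructed trace."""
    return find_bursts(parse_trace(SAMPLE_TRACE))


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a['src']} -> {a['dst']} {a['flags']}: {a['total']} pkts, "
              f"peak {a['peak_per_window']}/window, same segment: {a['same_segment']}")
```

Running it on the constructed trace lists the two bursts from 203.0.113.7 and nothing for the normal session. The `same_segment` field is the part worth looking at when deciding between a broken stack and something deliberate: a source repeating one seq/ack pair far more often than any retransmit schedule allows points at the sending host, while a burst of distinct segments is a different problem. Either way the report gives the provider's security people a source, a target and a rate to work from.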
