I don't have an answer to your question, though it does sound like a DoS attack to me...
My only input is that if you are running NT 4.0 Servers, definitely ensure they are running Service Pack 6a, which you can get from MS's site. Also, if you are running Exchange, make sure you have SP 4 installed, as it fixes several issues relating to some critical Exchange functions. For more info, review the release notes for both service packs before installing.

Let us know what the ISP's security folks find... this would be an interesting learning experience.

-Mark

-----Original Message-----
From: Garrett Allen [mailto:garrett.allen@;erols.com]
Sent: Friday, October 25, 2002 10:51 PM
To: [EMAIL PROTECTED]
Subject: ack attack or config prob? [7:56341]

heys, ran into something interesting today. Not sure if it is a DoS attack or if it indicates an IP stack misconfig. Here is the symptom:

Periodically through the day today we received 100,000 packet bursts on a T-1 circuit. This is a name-brand provider. When the burst occurs it is from the same IP address. On some bursts the packets are all ACKs. On others they are all FIN-ACKs. They are directed at our email servers. When they occur the packets in a burst are all sourced from the same IP address. In the one case where we resolved the IP address back it was another org's email server. Based on the router interface stats the traffic is coming from the outside and is not an internal broadcast storm.

Per the MS site, "A default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the time-out value after each retransmission." If the same logic holds for other parts of the handshake then I'm at a loss to explain tens of thousands of packets unless it is an exploit of a weakness in the stack that allows for virtually unlimited retries.

Anyone run into this kind of situation before and was the resolution a service pack or other such server upgrade? It caused considerable slowness on external accesses as you might imagine.

I grabbed a number of traces documenting it and we did contact our provider (they opened a ticket with their security folk).

thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56341&t=56341
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
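Added example, not part of the thread above or of any tool the posters used: a small Python script that does the two things a defender would want to do with the traces Garrett mentions. It parses tcpdump-style text output (the line format is an assumption; the sample lines are constructed, using documentation addresses), groups packets by source and second, and reports any source whose per-second count exceeds a threshold together with the flag mix, so an all-ACK or all-FIN-ACK burst from one address stands out. It also carries the quoted NT retransmission rule (5 retransmissions, timeout doubling each time) through to a packet count, which shows why normal retransmit behaviour cannot account for tens of thousands of packets; the 3-second initial timeout used in the demo is an assumed value, not one stated in the thread.

```python
"""Burst detector over tcpdump-style text lines (constructed sample, hypothetical format)."""
import re
from collections import Counter, defaultdict

# Assumed line shape, e.g.
# "14:02:11.000123 IP 203.0.113.7.4321 > 192.0.2.25.25: Flags [.], ack 1, win 8760, length 0"
# In tcpdump notation "." is a bare ACK, "F." is FIN-ACK, "S" is SYN, "P." is PSH-ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (second, src, dst, dport, flags), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("src"), m.group("dst"),
            int(m.group("dport")), m.group("flags"))


def find_bursts(lines, threshold):
    """Map (source, second) -> burst summary for every source that sent more than
    `threshold` packets within one clock second. `uniform` is True when every
    packet in the burst carried the same flag combination (all ACK, all FIN-ACK)."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a packet line
        second, src, _dst, _dport, flags = rec
        per_second[(src, second)][flags] += 1
    bursts = {}
    for key, flag_counts in per_second.items():
        total = sum(flag_counts.values())
        if total > threshold:
            bursts[key] = {"packets": total, "flags": dict(flag_counts),
                           "uniform": len(flag_counts) == 1}
    return bursts


def max_retransmissions(retries, initial_timeout_s):
    """Packets and seconds a retransmit-limited stack spends on one unanswered segment:
    the original send plus `retries` retransmissions, doubling the timeout after each."""
    packets = 1 + retries
    seconds = sum(initial_timeout_s * (2 ** i) for i in range(retries))
    return packets, seconds


def constructed_sample():
    """Constructed capture: one source firing 2,000 bare ACKs at the mail server's
    port 25 inside a single second, plus an ordinary SMTP connection from another host."""
    lines = [
        f"14:02:11.{i:06d} IP 203.0.113.7.4321 > 192.0.2.25.25: Flags [.], ack 1, win 8760, length 0"
        for i in range(2000)
    ]
    lines += [
        "14:02:11.500000 IP 198.51.100.20.3300 > 192.0.2.25.25: Flags [S], seq 1, win 8192, length 0",
        "14:02:11.500200 IP 198.51.100.20.3300 > 192.0.2.25.25: Flags [.], ack 1, win 8192, length 0",
        "14:02:11.500400 IP 198.51.100.20.3300 > 192.0.2.25.25: Flags [P.], seq 1:20, ack 1, win 8192, length 19",
        "this line is not a packet and is ignored",
    ]
    return lines


if __name__ == "__main__":
    for (src, second), info in find_bursts(constructed_sample(), threshold=1000).items():
        kind = "uniform" if info["uniform"] else "mixed"
        print(f"{second} {src}: {info['packets']} packets, {kind} flags {info['flags']}")
    print("retransmit-limited stack, 5 retries, 3 s initial timeout (assumed):",
          max_retransmissions(5, 3))
```

Run it against real `tcpdump -nn` output by feeding the file's lines to `find_bursts` in place of `constructed_sample()`; a threshold around a few hundred packets per second per source is a reasonable starting point for a T-1, and a `uniform` burst of bare ACKs or FIN-ACKs is the signature to hand to the provider along with the source address.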