mark,

will keep you informed when we do hear from the vendor's security folk. as an
aside ethereal (a really great lil' analyzer freely available for download)
had no problem keeping up with the data volumes - but do configure it with
various address translations turned off or it will appear to hang when
dealing with these data volumes.

we are on exchange 5.5 / nt 4 running the latest service packs.  the ms web
site is generally good for technical info but i've not found anything on
this particular set of symptoms which is why i question whether it is an
exploit or a misconfig.

thanks.


----- Original Message -----
From: "Mark W. Odette II" 
To: 
Sent: Saturday, October 26, 2002 3:41 PM
Subject: RE: ack attack or config prob? [7:56341]


> I don't have an answer to your question, though it does sound like a DoS
> attack to me...
>
> My only input is that if you are running NT 4.0 Servers, definitely
> ensure they are running Service Pack 6a, which you can get from MS's
> site.  Also, if you are running Exchange, make sure you have SP 4
> installed, as it fixes several issues relating to some critical Exchange
> functions.  For more info, review the release notes for both service
> packs before installing.
>
> Let us know what the ISP's security folks find... this would be an
> interesting learning experience.
>
> -Mark
> -----Original Message-----
> From: Garrett Allen [mailto:garrett.allen@;erols.com]
> Sent: Friday, October 25, 2002 10:51 PM
> To: [EMAIL PROTECTED]
> Subject: ack attack or config prob? [7:56341]
>
> heys,
>
> ran into something interesting today.  not sure if it is a dos attack or
> if it indicates an ip stack misconfig. here is the symptom:
>
> periodically through the day today we received 100,000 packet bursts on
> a t-1 circuit.  this is a name-brand provider.  when the burst occurs it
> is from the same ip address.  on some bursts the packets are all acks.
> on others they are all fin acks.  they are directed at our email
> servers.  when they occur the packets in a burst are all sourced from
> the same ip address.  in the one case where we resolved the ip address
> back it was another org's email server.  based on the router interface
> stats the traffic is coming from the outside and is not an internal
> broadcast storm.
>
> per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer
> will retransmit the SYN-ACK 5 times, doubling the time-out value after
> each retransmission."   if the same logic holds for other parts of the
> handshake then i'm at a loss to explain tens of thousands of packets
> unless it is an exploit of a weakness in the stack that allows for
> virtually unlimited retries.
>
> anyone run into this kind of situation before and was the resolution a
> service pack or other such server upgrade?  it caused considerable
> slowness on external accesses as you might imagine.  i grabbed a number
> of traces documenting it and we did contact our provider (they opened a
> ticket with their security folk).
>
> thanks.
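The symptom in the quoted post (bursts of tens of thousands of bare ACK or FIN-ACK packets from one outside address aimed at the mail servers) is the kind of thing worth pulling out of a capture automatically rather than scrolling through Ethereal. The detector below is an added example, not code from anyone in this thread or from Ethereal itself. It works on a constructed list of packet summaries of the form (timestamp in seconds, source IP, destination IP, TCP flags), the shape an analyzer can export; the flag letters ("A", "FA", "S", "SA"), the one-second window, the 1000-packet threshold and the sample addresses are all assumptions chosen for illustration. It groups packets per (source, destination) pair into time buckets, flags buckets over the threshold, merges adjacent hot buckets into one burst and names the flag mix so the two patterns from the post (all ACK versus all FIN-ACK) are distinguished from ordinary handshake traffic.

```python
"""Per-source burst detector for one-sided ACK / FIN-ACK floods.

Added example; not the poster's or Ethereal's code. Records are a constructed
trace of (timestamp_s, src_ip, dst_ip, tcp_flags). Flag letters, window size,
threshold and the IP addresses are assumptions for illustration.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, str, str]  # (time in seconds, src, dst, flags)


def classify(flag_counts: Counter) -> str:
    """Name the flag mix of a burst so the two patterns from the thread
    (all ACK vs. all FIN-ACK) stand apart from handshake traffic."""
    kinds = set(flag_counts)
    if kinds == {"A"}:
        return "pure ACK"
    if kinds == {"FA"}:
        return "FIN-ACK"
    if kinds & {"S", "SA"}:
        return "handshake traffic"
    return "mixed"


def detect_bursts(packets: List[Packet], window_s: float = 1.0,
                  threshold: int = 1000) -> List[Dict]:
    """Return one report per burst: a (src, dst) pair that sends at least
    `threshold` packets inside one `window_s`-second bucket. Adjacent hot
    buckets for the same pair are merged into a single burst."""
    buckets: Dict[Tuple[str, str, int], Counter] = defaultdict(Counter)
    for t, src, dst, flags in packets:
        buckets[(src, dst, int(t // window_s))][flags] += 1

    hot = sorted(k for k, c in buckets.items() if sum(c.values()) >= threshold)
    reports: List[Dict] = []
    for src, dst, b in hot:
        counts = buckets[(src, dst, b)]
        last = reports[-1] if reports else None
        if last and (last["src"], last["dst"]) == (src, dst) and last["_end_b"] == b - 1:
            last["_end_b"] = b                      # extend the running burst
            last["count"] += sum(counts.values())
            last["flags"].update(counts)            # Counter.update adds counts
        else:
            reports.append({"src": src, "dst": dst, "_start_b": b, "_end_b": b,
                            "count": sum(counts.values()), "flags": Counter(counts)})
    for r in reports:
        r["start"] = r.pop("_start_b") * window_s
        r["end"] = (r.pop("_end_b") + 1) * window_s
        r["pattern"] = classify(r["flags"])
    return reports


def build_sample_trace() -> List[Packet]:
    """Constructed trace: normal mail-server chatter plus two bursts from a
    single outside host, mirroring the symptom in the post (sizes scaled down)."""
    mail_server = "198.51.100.25"   # constructed: our mail server
    noisy_peer = "192.0.2.10"       # constructed: the single external source
    trace: List[Packet] = []
    # Background: a few peers doing ordinary handshake / data / teardown traffic.
    for i in range(200):
        peer = f"203.0.113.{i % 5 + 1}"
        flags = ("S", "A", "FA")[i % 3]
        trace.append((i * 0.5, peer, mail_server, flags))
        trace.append((i * 0.5 + 0.01, mail_server, peer, "SA" if flags == "S" else "A"))
    # Burst 1: 1500 bare ACKs inside half a second.
    trace += [(100.0 + i * 0.0003, noisy_peer, mail_server, "A") for i in range(1500)]
    # Burst 2: 1200 FIN-ACKs inside one second.
    trace += [(200.0 + i * 0.0008, noisy_peer, mail_server, "FA") for i in range(1200)]
    # A handful of packets from the same peer well below the threshold: not a burst.
    trace += [(300.0 + i, noisy_peer, mail_server, "A") for i in range(5)]
    return trace


if __name__ == "__main__":
    for r in detect_bursts(build_sample_trace()):
        print(f"{r['src']} -> {r['dst']}: {r['count']} packets, "
              f"{r['start']:.0f}-{r['end']:.0f}s, {r['pattern']} {dict(r['flags'])}")
```

Run against the constructed trace it reports exactly the two bursts (1500 pure ACKs, then 1200 FIN-ACKs) from 192.0.2.10 and nothing for the background peers. On a real export the useful next step is to feed the reported source, time span and flag mix to the provider's ticket along with the router interface counters; the detector only isolates the bursts, it does not decide whether they are an attack or a broken peer stack.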




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56362&t=56341
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]