priscilla,

the bursts were 
To: 
Sent: Saturday, October 26, 2002 7:40 PM
Subject: RE: ack attack or config prob? [7:56341]


> It sounds like you were under attack, though it's hard to say for sure. I
> doubt that it's a misconfig on your end, though. It could be a misconfig at
> the other server, but probably not. I don't think you can set the parameters
> that badly!? :-)
>
> It sounds like a DoS attack because of the volume of 100,000 packets. What's
> the timeframe, though? You said "burst" so I assume pretty quick.
>
> Did the problem happen just once or has it recurred?
>
> What do any relevant logs show? Do you have a firewall or Intrusion
> Detection System that logs info? How about the server itself? Does it show
> anything in its log?
>
> Were all the packets to the server?
>
> Were they ACKs or SYN ACKs? You mentioned both.
>
> Were they in response to something your server sent?
>
> Were they always the same ACK number?
>
> What were the port numbers? You mentioned e-mail, so were the packets to
> port 25 for SMTP? SMTP implementations used to have many security flaws.
> Hopefully those would be fixed in a modern OS, but you never know.
>
> Usually, DoS attacks are SYNs, but there are probably ones that use ACKs or
> SYN ACKs too. A search on Google might reveal more info.
>
> Anyway, I think you did the right thing by getting the ISP security folks
> involved. Keep us posted, unless they recommend that you keep it quiet.
>
> _______________________________
>
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
>
> Garrett Allen wrote:
> >
> > heys,
> >
> > ran into something interesting today.  not sure if it is a dos attack or if it
> > indicates an ip stack misconfig. here is the symptom:
> >
> > periodically through the day today we received 100,000 packet bursts on a t-1
> > circuit.  this is a name-brand provider.  when the burst occurs it is from the
> > same ip address.  on some bursts the packets are all acks.  on others they are
> > all fin acks.  they are directed at our email servers.  when they occur the
> > packets in a burst are all sourced from the same ip address.  in the one case
> > where we resolved the ip address back it was another org's email server.  based
> > on the router interface stats the traffic is coming from the outside and is
> > not an internal broadcast storm.
> >
> > per the ms site, "A default-configured Windows NT 3.5x or 4.0 computer will
> > retransmit the SYN-ACK 5 times, doubling the time-out value after each
> > retransmission."   if the same logic holds for other parts of the handshake
> > then i'm at a loss to explain tens of thousands of packets unless it is an
> > exploit of a weakness in the stack that allows for virtually unlimited
> > retries.
> >
> > anyone run into this kind of situation before and was the resolution a service
> > pack or other such server upgrade?  it caused considerable slowness on
> > external accesses as you might imagine.  i grabbed a number of traces
> > documenting it and we did contact our provider (they opened a ticket with
> > their security folk).
> >
> > thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56369&t=56341
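An added triage script, not from the thread or either poster, that works through Priscilla's questions over a constructed packet log: it groups inbound packets to a mail server by source and time slot, reports the flag mix, the ports, whether the ACK number ever changes and whether the server ever sent that source anything, and bounds how long a 100,000-packet burst must occupy a T-1. The addresses, the 48-byte on-wire packet size and the 1-second window are assumptions.

```python
"""Triage helpers for ACK / FIN-ACK bursts like the ones in the thread (constructed data)."""
from collections import defaultdict

# Constructed packet log: (time_s, src, dst, dst_port, tcp_flags, ack_number).
# Documentation-range addresses; not the hosts from the thread.
MAIL_SERVER = "198.51.100.25"
SAMPLE = (
    [(i * 0.001, "203.0.113.7", MAIL_SERVER, 25, "A", 4242) for i in range(500)]       # pure-ACK burst
    + [(10 + i * 0.001, "203.0.113.7", MAIL_SERVER, 25, "FA", 4242) for i in range(300)]  # FIN-ACK burst
    + [(20.0, "192.0.2.9", MAIL_SERVER, 25, "S", 0),
       (20.1, MAIL_SERVER, "192.0.2.9", 25, "SA", 1)]                                  # normal handshake
)

def find_bursts(packets, server, window=1.0, threshold=100):
    """Bucket packets sent to `server` per (source, `window`-second slot) and summarise
    each bucket holding at least `threshold` packets: flag mix, ports, whether the
    ACK number ever changes, and whether `server` itself ever sent that source anything."""
    buckets = defaultdict(list)
    for pkt in packets:
        if pkt[2] == server:
            buckets[(pkt[1], int(pkt[0] // window))].append(pkt)
    talked_to = {pkt[2] for pkt in packets if pkt[1] == server}  # peers the server sent to
    bursts = []
    for (src, slot), pkts in sorted(buckets.items()):
        if len(pkts) < threshold:
            continue
        bursts.append({
            "src": src, "start": slot * window, "count": len(pkts),
            "flags": sorted({p[4] for p in pkts}),
            "ports": sorted({p[3] for p in pkts}),
            "distinct_ack": len({p[5] for p in pkts}),
            "unsolicited": src not in talked_to,
        })
    return bursts

def classify(burst):
    """Map a burst summary onto the possibilities raised in the thread."""
    if burst["flags"] == ["S"]:
        return "syn flood"
    if burst["unsolicited"] and burst["distinct_ack"] == 1 and burst["flags"] in (["A"], ["FA"]):
        return "unsolicited ack/fin-ack flood"  # same ack number, nothing of ours to acknowledge
    if not burst["unsolicited"]:
        return "retransmit storm from a known peer"  # look at that peer's stack/config instead
    return "unclassified burst"

def min_burst_seconds(count, frame_bytes=48, link_bps=1_544_000):
    """Lower bound on how long `count` packets occupy a T-1 (48 bytes on the wire assumed)."""
    return count * frame_bytes * 8 / link_bps
```

Run against real traces by replacing SAMPLE with tuples pulled from your capture tool's export; a burst that is unsolicited with a single ACK number answers the "were they in response to something your server sent" and "same ACK number" questions at once.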