Thanks a lot for the really helpful information I received so far. The interesting mail was from Thiago Conde Figueiro pointing me to GRC.COM and the very impressive documents for DDOS but more interesting for me the DRDOS attacks. A lot of you have pointed me to the right track. *WE ARE THE REFLECTOR* against the poor IP-Addresses I am seeing. That means we have really no *SYN ACK* (thats what we also have from time to time) but we only receive the SYN Flag. Because this means that the attacker is sending a request to Port 80 with a source Port > 1024 we cannot filter them out because of valid WEB-Server traffic. What we also have analyzed is that we get these packets against our whole network (which is pretty small). Meanwhile we created a "blackhole" server who is receiving these packets and delays responses until it gets finally dropped. So far we have found three IP-Addresses that are targeted: 63.240.202.140 (which is the one on the CERF.NET who I blamed by mistake) 208.185.82.110 which is interesting from a reverse lookup point of view. It shows "10.82.185.208.in-addr.arpa. 3600 IN PTR tempted.by.the-devil.org." and the name is resolved from "lomag.net" and finally 216.111.239.174
In my opinion the problem is the flexible response option on the CISCO. If we let the CISCO handle these sort of traffic, we might run into the problem that this can be a potential target for another attack. All we need to do (from what I learned today) is to drop the RST or SYN/ACK inside our network. I am not a fan in simply dropping packets from specific IP Addresses. This will increase the administrative work heavily. I am more thinking about some application dealing with these sort of packets and analyze them to understand what the effect of it is. Again, thanks a lot so far. Jochen Grotepass SAGA D.C. GmbH P.S.: Some German words looks nice in this forum.
