> -----Original Message----- > From: Ron DuFresne [mailto:[EMAIL PROTECTED] > Sent: 11 July 2003 17:37 > To: Gareth Blades > Cc: Fulldisclosure > Subject: RE: [Full-Disclosure] RE: Attack profiling tool? > > > > As to which tool is enacting the syn flood, it could be one of many, there > are quite a few tools that can do syn flood attacks, which these appear to > be. what is interesting also are the ICMP's that were displayed as > well...
It is more of a connection flood as the client is responding to the SYN-ACK packets. The most well known connection flood tool is Naptha but this is not like Naptha as it closes the connections normally when it finishes. The ICMP messages are actually Port-Unreachable responses from our web servers but iptables is configured to block HTTPS on these as we dont use it. Because we also provide details on the TCP connection the ICMP response applies to it can make those lines quite confusing until you work out what it is trying to tell you :) > But, to point directly as some tool/toy that is being used, you'd perhaps > need to gather a number of these, test and monitor while doing so to > findout which might be the one you are observing. You might google some > of the various attack signature sights on the net looking for similiar > logged traffic to narrow the search some. Additionally, next time you see > the attack in progess, you might probe the attacking system to narrow down > the OS and again serve to limit your search to tools/toys that play on > that particular OS... Because there are only 3 connection attempts which are blocked over the course of a minute or so it is so minor we dont get notified. We only know at the end of the day when we get emailed a summary. I checked the first attack a while ago and it was an Apache server running some kind of enterprise website admin tool. Not something you should have wide open to the Internet! I expect the machine was compromised via the Apache ssl exploit. Regards Gareth _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
