lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0307111132410.26986-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: RE: Attack profiling tool?

As to which tool is enacting the syn flood, it could be one of many, there
are quite a few tools that can do syn flood attacks, which these appear to
be.  what is interesting also are the ICMP's that were displayed as
well...

But, to point directly as some tool/toy that is being used, you'd perhaps
need to gather a number of these, test and monitor while doing so to
findout which might be the one you are observing.  You might google some
of the various attack signature sights on the net looking for similiar
logged traffic to narrow the search some.  Additionally, next time you see
the attack in progess, you might probe the attacking system to narrow down
the OS and again serve to limit your search to tools/toys that play on
that particular OS...

Thanks,

Ron DuFresne

On Fri, 11 Jul 2003, Gareth Blades wrote:

> Sorry but I disagree. Firewalls don't defent against connection floods
> (naptha type attacks) very well at all.
> Take Cisco PIX as an example which has a setting where you can limit the
> maximum connection rate and the number of connections. The connection rate
> for the attack is quite low so this won't help and although the firewall
> will stop too many connections from being established to the web server this
> is done as a general hard limit. Once the limit is reached then no other
> connections are permitted though. This may stop a webserver from crashing
> but it still leaves the website unavailable.
> Firewall-1 is no better.
>
> Statefull packet inspection won't help at all as the packets being sent are
> 100% valid.
>
> Besides as I said originally our own defense product is sitting infront and
> this does block this type of attack. The URL I pointed to with the packet
> capture was produced by our product. I was wondering what tool it could be
> doing this probing as I have seen the exact same profile of probing from at
> least 4 different IP addresses.
>
> > -----Original Message-----
> > From: Abraham Lincoln [mailto:sunninja@...entist.com]
> > Sent: Friday, July 11, 2003 12:44
> > To: Gareth Blades
> > Subject: Re: [Full-Disclosure] RE: Attack profiling tool?
> >
> >
> >    Lotsa available solution for that. IP Stack tunning and web
> > server such apache as u said... their are ways to set the rate
> > limit properly... and beside if ur web server behind a stateful
> > packet inspection fw it would prevent the attack the method of
> > the attacker is quite old.
> >
> >
> > ----- Original Message -----
> > From: "Gareth Blades" <list.fulldisclosure@...screen-technology.com>
> > Date: Fri, 11 Jul 2003 09:47:37 +0100
> > To: "Fulldisclosure" <full-disclosure@...ts.netsys.com>
> > Subject: [Full-Disclosure] RE: Attack profiling tool?
> >
> > > > From: Abraham Lincoln [mailto:sunninja@...entist.com]
> > > > Sent: Friday, July 11, 2003 03:19
> > > > To: Gareth Blades
> > > > Subject: Re: Attack profiling tool?
> > > >    no need for a expensive technology. block port 443 or if not
> > > > possible use a proactive security module that would circumvent
> > > > such attacks eg: linux security module that would intercept all
> > > > calls if abnormal just kill it :) Not using expensive and
> > > > signature/rule based technology. Like Anti-Virus its a protection
> > > > against yesterday's threat as morning_wood say heh
> > >
> > > That will not work very effectivly against this type of attack.
> > There are
> > > tools you can use (and quite a good module for apache) which
> > can be used to
> > > limit the number of connections from particular clients.
> > However if you set
> > > the limit too low you block people coming in via the big proxy
> > servers. If
> > > you set the limit too high then the maximum number of connections can be
> > > reached with a relativly small number of machines.
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> > --
> > __________________________________________________________
> > Sign-up for your own FREE Personalized E-mail at Mail.com
> > http://www.mail.com/?sr=signup
> >
> > CareerBuilder.com has over 400,000 jobs. Be smarter about your job search
> > http://corp.mail.com/careers
> >
> >
> >
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ