Message-ID: <IGEOKMEENEPEICNOFDGJKEACCMAA.list.fulldisclosure@webscreen-technology.com>
From: list.fulldisclosure at webscreen-technology.com (Gareth Blades)
Subject: RE: Attack profiling tool?
> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@...ternet.com]
> Sent: 11 July 2003 17:37
> To: Gareth Blades
> Cc: Fulldisclosure
> Subject: RE: [Full-Disclosure] RE: Attack profiling tool?
>
>
>
> As to which tool is enacting the SYN flood, it could be one of many; there
> are quite a few tools that can do SYN flood attacks, which these appear to
> be. What is interesting also are the ICMPs that were displayed as
> well...
It is more of a connection flood as the client is responding to the SYN-ACK
packets. The most well known connection flood tool is Naptha, but this is not
like Naptha as it closes the connections normally when it finishes.
The ICMP messages are actually Port-Unreachable responses from our web
servers, but iptables is configured to block HTTPS on these as we don't use
it. Because we also provide details on the TCP connection the ICMP response
applies to, it can make those lines quite confusing until you work out what
it is trying to tell you :)
> But, to point directly at some tool/toy that is being used, you'd perhaps
> need to gather a number of these, test and monitor while doing so to
> find out which might be the one you are observing. You might google some
> of the various attack signature sites on the net looking for similar
> logged traffic to narrow the search some. Additionally, next time you see
> the attack in progress, you might probe the attacking system to narrow down
> the OS and again serve to limit your search to tools/toys that play on
> that particular OS...
Because there are only 3 connection attempts which are blocked over the
course of a minute or so, it is so minor we don't get notified. We only know
at the end of the day when we get emailed a summary. I checked the first
attack a while ago and it was an Apache server running some kind of
enterprise website admin tool. Not something you should have wide open to
the Internet! I expect the machine was compromised via the Apache SSL
exploit.
Regards
Gareth
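The distinction drawn in the reply above (half-open SYN flood versus a connection flood where the client answers the SYN-ACK and closes normally, plus the ICMP Port-Unreachable replies that iptables sends for a blocked port) can be checked mechanically over packet summaries. The following is an added example, not code from the thread; the packet records, addresses and the `classify_flows` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (not from the original thread):
# (source, destination, protocol, TCP flags or ICMP type).
SAMPLE_PACKETS = [
    ("10.0.0.5:40001", "192.0.2.10:80", "TCP", "S"),          # client SYN
    ("192.0.2.10:80", "10.0.0.5:40001", "TCP", "SA"),         # server SYN-ACK
    ("10.0.0.5:40001", "192.0.2.10:80", "TCP", "A"),          # client completes handshake
    ("10.0.0.5:40001", "192.0.2.10:80", "TCP", "FA"),         # client closes normally
    ("10.0.0.5:40002", "192.0.2.10:443", "TCP", "S"),         # SYN to blocked HTTPS port
    ("192.0.2.10", "10.0.0.5", "ICMP", "port-unreachable"),   # iptables REJECT reply
    ("198.51.100.7:5555", "192.0.2.10:80", "TCP", "S"),       # SYN never acknowledged
    ("192.0.2.10:80", "198.51.100.7:5555", "TCP", "SA"),      # server SYN-ACK, no reply
]

def classify_flows(packets):
    """Group packets by (client, server) endpoint pair and label each flow
    by what the client did after the server answered with SYN-ACK."""
    flows = defaultdict(set)
    icmp_rejected_hosts = set()
    for src, dst, proto, info in packets:
        if proto == "ICMP":
            # Port Unreachable goes back to the client host that hit the
            # blocked port; remember the host (ICMP carries no client port).
            icmp_rejected_hosts.add(dst)
            continue
        if "S" in info and "A" not in info:
            flows[(src, dst)].add("SYN")
        elif info == "SA":
            flows[(dst, src)].add("SYN-ACK")   # key by the client side
        elif "F" in info:
            flows[(src, dst)].add("FIN")
        elif "A" in info:
            flows[(src, dst)].add("ACK")
    result = {}
    for (client, server), seen in flows.items():
        host = client.split(":")[0]
        if "SYN-ACK" not in seen and host in icmp_rejected_hosts:
            result[(client, server)] = "rejected by firewall (ICMP port-unreachable)"
        elif "ACK" in seen and "FIN" in seen:
            result[(client, server)] = "full connection, closed normally (connection flood pattern)"
        elif "ACK" in seen:
            result[(client, server)] = "full connection, never closed by client"
        else:
            result[(client, server)] = "half-open, no client ACK (SYN flood pattern)"
    return result

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE_PACKETS).items():
        print(flow, "->", label)
```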