PDA

View Full Version : Sync attack?

Jooske
March 9th, 2004, 06:03 AM
Hello,
can somebody explain properly about a sync attack?
Could it look like lots of OUTbound traffic UDP 137 many times to many different addersses and several times the same couple and all as SYNC in netstat? I'm talking about over 100 at a time (not sure in which time period) all probably kept open for the goal.

Was wondering for instance if looking into spam mails with all those call home images and signals could be part of the story, although one would expect for the images to get displayed the remote port would be 80, and not UDP 137.

Of course scanners don't find nothing. Not even spyware/adware!

Still puzzling about this one.
gerardwil
March 9th, 2004, 05:18 PM
Hi Jooske,

Maybe you find some here:

http://www.packetstormsecurity.com and search for: synflood

some background:

http://www.niksula.cs.hut.fi/-dforsber/synflood/result.html
or
http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

Greetjes,

Gerard
Jooske
March 10th, 2004, 02:16 AM
I seem not to be able to get to that first link, i come at a widex ISP, not the packetstorm site, have an IP for me maybe?
gerardwil
March 10th, 2004, 02:31 AM
Hi Jooske,

Try this one:

http://packetstormsecurity.org/

Greetings,

Gerard
Jooske
March 10th, 2004, 02:54 AM
Thanks, now i remember about the packetstorm security site again.

The synflood and Ddos descriptions seem different from what i saw.

One would think a connection is there, waiting for the sync_ack to close the connection so bandwidth matter on both systems and possible open for intrusions?

If there had been located any nasty in a scan it would have been something understandable too, but even that is not there or i might be looking for the wrong things?

I saw lot of outbound traffic in the logfile, was too much to look back for inbound traffic before that on those IPs, to many different IP addresses, although several to the same IP ranges, all UDP 137 to UDP 137 and all SYNC in netstat, so it seems not exactly to fit in the syncflood or ddos stories or ...?
One wonders if this could be the effect of emails with tracking code included and not properly closed on the other receiving side, so wading though lot of spam could give such effects?
I'll pay more attention to this and see if i can close more tight