#1
Hello,
Can somebody explain properly about a sync attack? Could it look like lots of OUTbound traffic UDP 137 many times to many different addresses and several times the same couple and all as SYNC in netstat? I'm talking about over 100 at a time (not sure in which time period) all probably kept open for the goal. Was wondering for instance if looking into spam mails with all those call home images and signals could be part of the story, although one would expect that for the images to get displayed the remote port would be 80, and not UDP 137. Of course scanners don't find anything. Not even spyware/adware! Still puzzling about this one.
__________________
Jooske "o_o"
#2
Hi Jooske,
Maybe you'll find something here: http://www.packetstormsecurity.com and search for: synflood

Some background: http://www.niksula.cs.hut.fi/-dforsber/synflood/result.html or http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

Greetings,
Gerard
#3
I don't seem to be able to get to that first link; I end up at a widex ISP, not the packetstorm site. Do you have an IP for me maybe?
__________________
Jooske "o_o"
#4
Hi Jooske,
Try this one: http://packetstormsecurity.org/

Greetings,
Gerard
#5
Thanks, now I remember about the packetstorm security site again.
The synflood and DDoS descriptions seem different from what I saw. One would think a connection is there, waiting for the sync_ack to close the connection, so bandwidth matters on both systems and it is possibly open for intrusions? If any nasty had been located in a scan it would have been something understandable too, but even that is not there, or I might be looking for the wrong things? I saw a lot of outbound traffic in the logfile; it was too much to look back for inbound traffic before that on those IPs, too many different IP addresses, although several to the same IP ranges, all UDP 137 to UDP 137 and all SYNC in netstat, so it seems not exactly to fit in the synflood or DDoS stories or ...? One wonders if this could be the effect of emails with tracking code included and not properly closed on the other receiving side, so wading through a lot of spam could give such effects? I'll pay more attention to this and see if I can close things more tightly.
__________________
Jooske "o_o"