Sync attack?

Discussion in 'other security issues & news' started by Jooske, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello,
    can somebody explain properly about a sync attack?
    Could it look like lots of OUTbound traffic UDP 137 many times to many different addersses and several times the same couple and all as SYNC in netstat? I'm talking about over 100 at a time (not sure in which time period) all probably kept open for the goal.

    Was wondering for instance if looking into spam mails with all those call home images and signals could be part of the story, although one would expect for the images to get displayed the remote port would be 80, and not UDP 137.

    Of course scanners don't find nothing. Not even spyware/adware!

    Still puzzling about this one.
     
    Jooske, Mar 9, 2004
    #1
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Hi Jooske,

    Maybe you find some here:

    http://www.packetstormsecurity.com and search for: synflood

    some background:

    http://www.niksula.cs.hut.fi/-dforsber/synflood/result.html
    or
    http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

    Greetjes,

    Gerard
     
    gerardwil, Mar 9, 2004
    #2
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I seem not to be able to get to that first link, i come at a widex ISP, not the packetstorm site, have an IP for me maybe?
     
    Jooske, Mar 10, 2004
    #3
  4. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Hi Jooske,

    Try this one:

    http://packetstormsecurity.org/

    Greetings,

    Gerard
     
    gerardwil, Mar 10, 2004
    #4
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks, now i remember about the packetstorm security site again.

    The synflood and Ddos descriptions seem different from what i saw.

    One would think a connection is there, waiting for the sync_ack to close the connection so bandwidth matter on both systems and possible open for intrusions?

    If there had been located any nasty in a scan it would have been something understandable too, but even that is not there or i might be looking for the wrong things?

    I saw lot of outbound traffic in the logfile, was too much to look back for inbound traffic before that on those IPs, to many different IP addresses, although several to the same IP ranges, all UDP 137 to UDP 137 and all SYNC in netstat, so it seems not exactly to fit in the syncflood or ddos stories or ...?
    One wonders if this could be the effect of emails with tracking code included and not properly closed on the other receiving side, so wading though lot of spam could give such effects?
    I'll pay more attention to this and see if i can close more tight
     
    Jooske, Mar 10, 2004
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...