Sync attack?

Discussion in 'other security issues & news' started by Jooske, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. Jooske
    Offline

    Jooske Registered Member

    Hello,
    can somebody explain properly about a sync attack?
    Could it look like lots of OUTbound traffic UDP 137 many times to many different addersses and several times the same couple and all as SYNC in netstat? I'm talking about over 100 at a time (not sure in which time period) all probably kept open for the goal.

    Was wondering for instance if looking into spam mails with all those call home images and signals could be part of the story, although one would expect for the images to get displayed the remote port would be 80, and not UDP 137.

    Of course scanners don't find nothing. Not even spyware/adware!

    Still puzzling about this one.
  2. gerardwil
    Offline

    gerardwil Registered Member

    Hi Jooske,

    Maybe you find some here:

    http://www.packetstormsecurity.com and search for: synflood

    some background:

    http://www.niksula.cs.hut.fi/-dforsber/synflood/result.html
    or
    http://www.rycom.ca/solutions/whitepapers/toplayer/dos_attacks.htm

    Greetjes,

    Gerard
  3. Jooske
    Offline

    Jooske Registered Member

    I seem not to be able to get to that first link, i come at a widex ISP, not the packetstorm site, have an IP for me maybe?
  4. gerardwil
    Offline

    gerardwil Registered Member

    Hi Jooske,

    Try this one:

    http://packetstormsecurity.org/

    Greetings,

    Gerard
  5. Jooske
    Offline

    Jooske Registered Member

    Thanks, now i remember about the packetstorm security site again.

    The synflood and Ddos descriptions seem different from what i saw.

    One would think a connection is there, waiting for the sync_ack to close the connection so bandwidth matter on both systems and possible open for intrusions?

    If there had been located any nasty in a scan it would have been something understandable too, but even that is not there or i might be looking for the wrong things?

    I saw lot of outbound traffic in the logfile, was too much to look back for inbound traffic before that on those IPs, to many different IP addresses, although several to the same IP ranges, all UDP 137 to UDP 137 and all SYNC in netstat, so it seems not exactly to fit in the syncflood or ddos stories or ...?
    One wonders if this could be the effect of emails with tracking code included and not properly closed on the other receiving side, so wading though lot of spam could give such effects?
    I'll pay more attention to this and see if i can close more tight
Thread Status:
Not open for further replies.