Solved

TCP Flood: what is it?  Why so little on it?

Posted on 2006-07-10
4,014 Views
Last Modified: 2012-06-27
I have recently been a  victim of an internal TCP Flood Denial of Service attack, yet I can find next to nothing on it scouring the net.  A machine on my internal network was flooding my routers with packets, causing our Internet connection to go down.  All antiviral and spyware (spybot, ad-aware) scans have come up clean.  I think I have stopped it using the Windows XP firewall, but am not sure.  

What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
Question by:npinfotech
12 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 17074416
Firstly, since this was an INTERNAL machine, I'd have a hard time describing this as an "attack".  Since you (presumably) control both the internal networks as well as all internal machines, this problem is really your responsibility.  If, as seems to be the case, you have the responsibility but no ability to control, you should take steps to immediately gain control of all systems that plug into your internal network.

There is, however, a LOT of information about this problem.  I think you're just not looking in the right place:

http://www.networkcomputing.com/unixworld/security/004/004.txt.html
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
http://www.webopedia.com/TERM/T/TCP_SYN_attack.html
http://www.securityfocus.com/infocus/1729

just to point out a few...
 
LVL 9

Assisted Solution

by:jjoseph_x
jjoseph_x earned 50 total points
ID: 17074436
This might help a little: http://en.wikipedia.org/wiki/Denial_of_service

If it's internal it could come from a virus.  If it was really a TCP flood (rather than ICMP or UDP) and you want to know what process was causing the problem, you could run netstat -ano, which will show all of the connections and which process owns them.  You can then look up the PID in Task Manager to see which application was causing the problematic traffic.

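To go from the firewall's view (one internal IP address) to the process on that host, the suggestion above is netstat -ano. The script below is an added example written for this page, not code from the thread or from any Windows tool; it parses a constructed netstat -ano listing (PID 1844, the 192.168.1.x and 203.0.113.x addresses and the 30 sockets are made up for the example) and ranks processes by how many TCP sockets they hold to the same remote endpoint, with a breakdown by state, so a process with dozens of SYN_SENT or TIME_WAIT sockets to one server stands out. It also copes with the bracketed IPv6 endpoints and the `*:*` UDP rows that later Windows versions print.

```python
import re
from collections import Counter, defaultdict

# One row of `netstat -ano` output on Windows: proto, local, foreign, state, PID.
# UDP rows have no state column, so the state group is optional.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def split_endpoint(ep):
    """'208.64.252.66:80' -> ('208.64.252.66', 80); also '[::1]:135' and '*:*'."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text):
    """Turn raw `netstat -ano` text into a list of socket dicts; header and blank
    lines are skipped because they do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        host, port = split_endpoint(m["foreign"])
        rows.append({"proto": m["proto"], "local": m["local"],
                     "remote_host": host, "remote_port": port,
                     "state": m["state"] or "", "pid": int(m["pid"])})
    return rows


def rank_talkers(rows, min_connections=5):
    """Count TCP sockets per (PID, remote host, remote port) and return the heavy
    hitters, most sockets first, each with a per-state breakdown."""
    per_key = defaultdict(Counter)
    for r in rows:
        # Listening sockets have no peer; they are noise for this question.
        if r["proto"] != "TCP" or r["remote_host"] in ("0.0.0.0", "*", "::"):
            continue
        per_key[(r["pid"], r["remote_host"], r["remote_port"])][r["state"]] += 1
    out = []
    for (pid, host, port), states in per_key.items():
        total = sum(states.values())
        if total >= min_connections:
            out.append({"pid": pid, "remote": f"{host}:{port}",
                        "connections": total, "states": dict(states)})
    out.sort(key=lambda d: d["connections"], reverse=True)
    return out


def _constructed_netstat():
    """Constructed `netstat -ano` output: a few normal sockets plus one process
    (PID 1844, invented) holding 30 sockets to the same web server."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
        "  TCP    192.168.1.25:139       0.0.0.0:0              LISTENING       4",
        "  TCP    192.168.1.25:1922      203.0.113.10:443       ESTABLISHED     2016",
        "  UDP    192.168.1.25:1025      *:*                                    1040",
    ]
    for port in range(1929, 1959):
        state = "SYN_SENT" if port % 3 else "TIME_WAIT"
        rows.append(f"  TCP    192.168.1.25:{port}     208.64.252.66:80       {state:<15} 1844")
    return "\n".join(rows)


SAMPLE_NETSTAT = _constructed_netstat()

if __name__ == "__main__":
    # In practice: netstat -ano > netstat.txt while the flood is happening,
    # then feed that file in place of SAMPLE_NETSTAT.
    for t in rank_talkers(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {t['pid']}: {t['connections']} sockets to {t['remote']} {t['states']}")
```

Run it while the flood is actually happening: half-open SYN_SENT sockets time out within seconds, so a listing taken after the link has recovered will show nothing. Once a PID stands out, map it to an executable with Task Manager's PID column, as the answer says, or with `tasklist /FI "PID eq 1844"` (PID shown here is the invented one from the sample).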
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074875
It would be possible to analyze the attack, if there is one, with logs. Do you have any kind of captured logs from when this happened?

Cheers,
Rajesh
 
LVL 8

Author Comment

by:npinfotech
ID: 17075028
NOTE: x.x.x.x = internal IP address

I have logs from my firewall:

2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66,80,WAN

Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):

Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
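The pattern in the log above (one internal host, one destination, source ports climbing one at a time, several attempts within a second, and each attempt logged once per firewall rule evaluated) can be picked out mechanically. The following Python script is an added example, not part of the original thread or of any firewall vendor's tooling; the 192.168.1.x and 203.0.113.x addresses, the 30-attempt burst and the threshold of 20 attempts per second are constructed for the example, and the log format is assumed to be the one shown above (both the one-line "TCP Flood" summary and the per-packet "TCP packet" entries). It collapses the repeated rule-evaluation lines by keying on the source port, so it counts connection attempts rather than log lines, and flags bursts whose source ports form a consecutive run. That run is what one process opening sockets back-to-back looks like: Windows XP hands out ephemeral ports sequentially from 1025 upward by default, so 1929, 1930, 1931 is the operating system, not the application, choosing the ports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Matches both log shapes seen above: the summary event
#   "2006-06-05 12:42:57 - TCP Flood - Source:10.0.0.5,50448,LAN - Destination:208.64.252.66,80,WAN"
# and the per-packet rule-evaluation entry
#   "Mon, 2006-06-26 11:43:16 - TCP packet - Source:10.0.0.5,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN ..."
LOG_RE = re.compile(
    r"^(?:\w{3}, )?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+)\s*,LAN - "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+)(?:\[\w+\])?\s*,WAN"
)


def parse_line(line):
    """Return a dict for a recognised firewall log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["event"].split()[0].upper()   # "TCP packet" / "TCP Flood" -> "TCP"
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_sequential(ports):
    """True if the sorted port list is (almost) a run of consecutive integers,
    the signature of one process opening sockets back-to-back."""
    if len(ports) < 2:
        return False
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1) >= 0.8


@dataclass
class Burst:
    second: str
    src: str
    dst: str
    dport: int
    count: int          # distinct connection attempts within that second
    first_port: int
    last_port: int
    sequential: bool


def find_bursts(lines, threshold=20):
    """Group distinct TCP connection attempts per (source, destination, port, second)
    and report every second in which one host made at least `threshold` attempts."""
    attempts = defaultdict(set)   # (src, dst, dport, second) -> {source ports}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        # The firewall writes one line per rule it evaluates, so the same SYN shows
        # up three or four times; keying on the source port collapses those copies.
        attempts[(rec["src"], rec["dst"], rec["dport"], rec["ts"])].add(rec["sport"])

    bursts = []
    for (src, dst, dport, second), ports in sorted(attempts.items(), key=lambda kv: kv[0][3]):
        if len(ports) >= threshold:
            p = sorted(ports)
            bursts.append(Burst(second, src, dst, dport, len(p), p[0], p[-1], is_sequential(p)))
    return bursts


def _constructed_sample():
    """Constructed log: one host opens 30 connections to the same web server within a
    single second (four rule-evaluation lines each), plus ordinary browsing and a DNS
    lookup from a second host and one line the firewall never wrote in this format."""
    lines = []
    for port in range(1929, 1959):
        for rule in ("Rule(1) not match", "Rule(2) not match",
                     "Rule(3) not match", "Default rule match"):
            lines.append(
                f"Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.25,{port} ,LAN - "
                f"Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound {rule}]"
            )
    lines += [
        "Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.40,3301 ,LAN - "
        "Destination:203.0.113.10,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]",
        "Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.40,3348 ,LAN - "
        "Destination:203.0.113.10,443[HTTPS] ,WAN [Forward] - [Outbound Default rule match]",
        "Mon, 2006-06-26 11:43:16 - UDP packet - Source:192.168.1.40,1025 ,LAN - "
        "Destination:203.0.113.53,53[DNS] ,WAN [Forward] - [Outbound Default rule match]",
        "syslog restarted",
    ]
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LINES):
        print(f"{b.second}: {b.src} -> {b.dst}:{b.dport}  {b.count} attempts/s, "
              f"source ports {b.first_port}-{b.last_port}"
              f"{' (sequential)' if b.sequential else ''}")
```

A burst that is sequential and aimed at port 80 of one server is consistent with the refreshing-web-page explanation given later in the thread; a burst spread over many destinations or many destination ports, or one whose source ports jump around, is the more worrying shape. The threshold is a starting point, not a rule: tune it against a quiet hour of your own log before trusting alerts from it.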
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17075129
Well, it is not an attack. The IP address 208.64.252.66 => SilverJewleryclub.com

If you look at the timestamps, it happens only twice per minute, but with many connection attempts within a second. Just open this site in your browser and you can see that this site keeps refreshing, hence the connection attempts.

I presume somebody inside your network opened this page and minimized it, so it kept trying to refresh.

Cheers,
Rajesh
 
LVL 8

Author Comment

by:npinfotech
ID: 17080418
I understand this, but why does it keep trying on different ports?  The number of tries per second is also troubling; the silverjewelry club updates every 5 minutes or so.  Why so many attempts from an internal machine?
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
ID: 17080579
You'll probably need to install Ethereal on your box and open a browser window to that site. Keep capturing for some time and then analyze what it is sending. That should give you a fair amount of idea.

Cheers,
Rajesh
 
LVL 12

Assisted Solution

by:NetAdmin2436
NetAdmin2436 earned 50 total points
ID: 17083889
>>>Why does it keep trying on different ports?
It is using open Windows ports to connect. Many programs use open ports incrementally. The theory behind this is that the program doesn't know exactly which ports are open and not being used by other programs on your network, so they keep trying different ports. This can look like a virus, as viruses act like this, but in this case it looks legit if indeed some user is going to silverjewleryclub. It is normal for web pages to try to update, especially if they contain dynamic content.
Ports 1-1024 are reserved.
Ports 1025-49151 are registered.
Ports 49152-65535 are private.

http://www.iana.org/assignments/port-numbers

Hope this helps.
 
LVL 8

Author Comment

by:npinfotech
ID: 17084291
Come to think of it, could a faulty network card be the cause?  Could a network card just simply go haywire and make that many requests that quickly?
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 50 total points
ID: 17085575
No. If a NIC goes bad, it can flood your network with ARP requests or Ethernet frames.

A bad NIC cannot generate valid IP packets this quickly.

It is most likely to be an application.



 
LVL 2

Accepted Solution

by:BennyM82
BennyM82 earned 250 total points
ID: 17086527
Install Sygate Personal Firewall and check what application/executable is actually attempting to make this connection.
It is not a faulty network card, there is a service on your computer attempting to make this connection.
I would not rule out spyware, though checking what service is trying to make this connection will give a more obvious answer to your question.
 
LVL 8

Author Comment

by:npinfotech
ID: 17094631
The best answers were to run software that monitors the connection (Ethereal, Sygate).  I gave more points to the Sygate suggestion because it's a little easier to understand and read a personal firewall than an analyzer like Ethereal.

Thanks to all who participated here!
