Solved

TCP Flood: what is it?  Why so little on it?

Posted on 2006-07-10
4,008 Views
Last Modified: 2012-06-27
I have recently been a victim of an internal TCP Flood Denial of Service attack, yet I can find next to nothing on it scouring the net.  A machine on my internal network was flooding my routers with packets, causing our Internet connection to go down.  All antiviral and spyware (Spybot, Ad-Aware) scans have come up clean.  I think I have stopped it using the Windows XP firewall, but am not sure.

What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
Question by:npinfotech
12 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 17074416
Firstly, since this was an INTERNAL machine, I'd have a hard time describing this as an "attack".  Since you (presumably) control both the internal networks as well as all internal machines, this problem is really your responsibility.  If, as seems to be the case, you have the responsibility but no ability to control, you should take steps to immediately gain control of all systems that plug into your internal network.

There is, however, a LOT of information about this problem.  I think you're just not looking in the right place:

http://www.networkcomputing.com/unixworld/security/004/004.txt.html
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
http://www.webopedia.com/TERM/T/TCP_SYN_attack.html
http://www.securityfocus.com/infocus/1729

just to point out a few...
 
LVL 9

Assisted Solution

by:jjoseph_x
jjoseph_x earned 50 total points
ID: 17074436
This might help a little: http://en.wikipedia.org/wiki/Denial_of_service

If it's internal it could come from a virus.  If it was really a TCP flood (rather than ICMP or UDP) and you want to know what process was causing the problem, you could run netstat -ano, which will show all of the connections and which process owns them.  You can then look up the PID in Task Manager to see which application was causing the problematic traffic.

 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074875
It would be possible to analyze the attack, even if there is one, with 'logs'. Do you have any kind of captured logs from when this happened?

Cheers,
Rajesh

 
LVL 8

Author Comment

by:npinfotech
ID: 17075028
NOTE: x.x.x.x = internal IP address

I have logs from my firewall:

2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66,80,WAN

Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):

Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17075129
Well, it is not an attack. The IP address 208.64.252.66 => SilverJewleryclub.com

If you look at the time stamps, it has done this only twice by the minute, but with many communication attempts within seconds. Just open this site in your browser and you can see that this site keeps refreshing, hence the connection attempts.

I presume, somebody inside your network opened this page and minimized it, so it kept trying to refresh.

Cheers,
Rajesh
 
LVL 8

Author Comment

by:npinfotech
ID: 17080418
I understand this, but why does it keep trying on different ports?  The number of tries per second is also troubling - the silverjewelry club updates every 5 minutes or so.  Why so many attempts from an internal machine?
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
ID: 17080579
You'll probably need to install Ethereal on your box and open a browser window to that site. Keep capturing for some time and then analyze what it is sending. That should give you a fair amount of idea.

Cheers,
Rajesh
 
LVL 12

Assisted Solution

by:NetAdmin2436
NetAdmin2436 earned 50 total points
ID: 17083889
>>>Why does it keep trying on different ports?
It is using open Windows ports to connect. Many programs use open ports incrementally. The theory behind this is that the program doesn't know exactly what ports are open and not being used by other programs on your network, so they keep trying different ports. This can look like a virus, as viruses act like this, but in this case it looks legit if indeed some user is going to silverjewleryclub. It is normal for web pages to try and update, especially if they contain dynamic content.
Ports 1-1024 are reserved.
Ports 1025-49151 are registered.
Ports 49152-65535 are private.

http://www.iana.org/assignments/port-numbers

Hope this helps.
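As an added example, not part of the thread, here is a short Python triage script that parses firewall records in the format npinfotech posted above, collapses the per-rule lines into distinct connection attempts, and reports the features rsivanandan and NetAdmin2436 point to: a single destination and sequential client ports. The log text is a constructed sample in that format, and the verdict strings are my own heuristic labels.

```python
import re
from collections import Counter

# Constructed sample in the format of the firewall log quoted in the thread
# (x.x.x.x stands for an internal address, as in the original post).
SAMPLE_LOG = """\
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
"""

LINE_RE = re.compile(
    r"^\w{3}, (?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) - TCP packet - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+) ,LAN - "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+)"
)

def parse(log_text):
    """Yield (timestamp, src, sport, dst, dport) for each parseable record.
    One record is one rule evaluation, so a single connection attempt
    produces several lines; the fields kept here let us de-duplicate them."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (f"{m['date']} {m['time']}", m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]))

def summarize(log_text):
    """Collapse rule records into distinct attempts (one per client port)
    and report the features that separate a browser from a flood."""
    first_seen, records = {}, 0
    for ts, src, sport, dst, dport in parse(log_text):
        records += 1
        first_seen.setdefault((src, sport, dst, dport), ts)
    sports = sorted(key[1] for key in first_seen)
    return {
        "raw_records": records,
        "distinct_attempts": len(first_seen),
        "peak_attempts_per_second": max(Counter(first_seen.values()).values(), default=0),
        "distinct_destinations": len({(k[2], k[3]) for k in first_seen}),
        "source_ports_sequential": all(b - a == 1 for a, b in zip(sports, sports[1:])),
    }

def classify(summary):
    """Heuristic verdict: one destination plus sequential client ports is the
    signature of one application opening connections, not a spoofed flood."""
    if summary["distinct_destinations"] == 1 and summary["source_ports_sequential"]:
        return "single application reconnecting to one server"
    return "needs packet capture (Ethereal) to attribute"
```

Note that the raw record count overstates the traffic: the firewall writes one line per rule it evaluates, so the sample's 6 lines are only 4 connection attempts, and the original post's 25 lines are 7.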
 
LVL 8

Author Comment

by:npinfotech
ID: 17084291
Come to think of it, could a faulty network card be the cause?  Could a network card just simply go haywire and make that many requests that quickly?
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 50 total points
ID: 17085575
No. If a NIC goes bad, it can flood your network with ARP requests or Ethernet frames.

A bad NIC cannot generate valid IP packets this quickly.

It is most likely to be an application.
 
LVL 2

Accepted Solution

by:BennyM82
BennyM82 earned 250 total points
ID: 17086527
Install Sygate Personal Firewall and check what application/executable is actually attempting to make this connection.
It is not a faulty network card, there is a service on your computer attempting to make this connection.
I would not rule out spyware, though checking what service is trying to make this connection will give a more obvious answer to your question.
 
LVL 8

Author Comment

by:npinfotech
ID: 17094631
The best answers were to run software that monitors the connection (Ethereal, Sygate).  I gave more points to the Sygate suggestion because it's a little easier to understand and read a personal firewall than an analyzer like Ethereal.

Thanks to all who participated here!