Solved

TCP Flood: what is it?  Why so little on it?

Posted on 2006-07-10
12
4,004 Views
Last Modified: 2012-06-27
I have recently been a  victim of an internal TCP Flood Denial of Service attack, yet I can find next to nothing on it scouring the net.  A machine on my internal network was flooding my routers with packets, causing our Internet connection to go down.  All antiviral and spyware (spybot, ad-aware) scans have come up clean.  I think I have stopped it using the Windows XP firewall, but am not sure.  

What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
0
Question by:npinfotech
12 Comments
 
LVL 32

Expert Comment

by:jhance
ID: 17074416
Firstly, since this was an INTERNAL machine, I'd have a hard time describing this as an "attack".  Since you (presumably) control both the internal networks as well as all internal machines, this problem is really your responsibility.  If, as seems to be the case, you have the responsibility but no ability to control, you should take steps to immediately gain control of all systems that plug into your internal network.

There is, however, a LOT of information about this problem.  I think you're just not looking in the right place:

http://www.networkcomputing.com/unixworld/security/004/004.txt.html
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
http://www.webopedia.com/TERM/T/TCP_SYN_attack.html
http://www.securityfocus.com/infocus/1729

just to point out a few...
0
 
LVL 9

Assisted Solution

by:jjoseph_x
jjoseph_x earned 50 total points
ID: 17074436
This might help a little: http://en.wikipedia.org/wiki/Denial_of_service

If it's internal it could come from a virus.  If it was really a TCP flood (rather than ICMP or UDP) and you want to know what process was causing the problem, you could run a netstat -ano, which will show all of the connections and which process owns them.  You can then look up the PID in Task Manager to see which application was causing the problematic traffic.

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17074875
It would be possible to analyze the attack, if there is one, with logs. Do you have any kind of captured logs from when this happened?

Cheers,
Rajesh
0
 
LVL 8

Author Comment

by:npinfotech
ID: 17075028
NOTE: x.x.x.x = internal IP address

I have logs from my firewall:

2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66,80,WAN

Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):

Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17075129
Well, it is not an attack. The IP address 208.64.252.66 => SilverJewleryclub.com

If you look at the time stamps, it has only happened twice minute-wise, but there are many communication attempts within seconds. Just open this site in your browser and you can see that this site keeps refreshing, hence the connection attempts.

I presume, somebody inside your network opened this page and minimized it, so it kept trying to refresh.

Cheers,
Rajesh
0
 
LVL 8

Author Comment

by:npinfotech
ID: 17080418
I understand this, but why does it keep trying on different ports?  The number of tries per second is also troubling; the silverjewelry club updates every 5 minutes or so.  Why so many attempts from an internal machine?
0
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
ID: 17080579
You'll probably need to install Ethereal on your box and open a browser window to that site. Keep capturing for some time and then analyze what it is sending. That should give you a fair idea.

Cheers,
Rajesh
0
 
LVL 12

Assisted Solution

by:NetAdmin2436
NetAdmin2436 earned 50 total points
ID: 17083889
>>>Why does it keep trying on different ports?
It is using open Windows ports to connect. Many programs use open ports incrementally. The theory behind this is that the program doesn't know exactly what ports are open and not being used by other programs on your network, so they keep trying different ports. This can look like a virus, as viruses act like this, but in this case it looks legit if indeed some user is going to silverjewleryclub. It is normal for webpages to try and update, especially if they contain dynamic content.
Ports 1-1024 are reserved.
Ports 1025-49151 are registered.
Ports 49152-65535 are private.

http://www.iana.org/assignments/port-numbers

Hope this helps.
0
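As an added example (not code from this thread or from any of the posters), a small Python script that parses lines in the firewall log format posted above and, per source/destination pair, counts distinct connection attempts per second and checks whether the source ports step upward the way rsivanandan's timestamp reading and NetAdmin2436's incrementing-port explanation describe. The sample lines are constructed: the x.x.x.x to 208.64.252.66:80 lines copy the post, the 10.0.0.9 to 192.0.2.10 flow is invented.

```python
import re
from collections import defaultdict

# Constructed sample in the firewall's log format: x.x.x.x -> 208.64.252.66:80
# copies the thread, the last line is an invented flow in the older one-line style.
SAMPLE_LOG = """\
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
2006-06-26 11:43:52 - TCP packet - Source:10.0.0.9,3101,LAN - Destination:192.0.2.10,443,WAN
"""

# Accepts both layouts seen in the post: optional weekday, optional space before ",LAN", optional "[HTTP]".
LINE_RE = re.compile(
    r"^(?:\w+, )?(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"(?P<kind>.+?) - Source:(?P<src>[^,]+),(?P<sport>\d+) ?,LAN - "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+)"
)


def parse_log(text):
    """One dict per line in the firewall format; lines in any other format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def summarize_flows(rows):
    """Group by (src, dst, dport). The firewall logs one line per rule it
    evaluates, so an attempt is counted once per source port, not per line."""
    seen = defaultdict(lambda: defaultdict(set))  # flow -> second -> source ports
    for r in rows:
        seen[(r["src"], r["dst"], r["dport"])][r["time"]].add(int(r["sport"]))
    summary = {}
    for flow, by_second in seen.items():
        ports = sorted(set().union(*by_second.values()))
        summary[flow] = {
            "attempts": len(ports),
            "peak_per_second": max(len(p) for p in by_second.values()),
            # consecutive source ports: one client walking its ephemeral range
            "sequential_source_ports": len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:])),
        }
    return summary


def flag_bursts(summary, per_second_threshold=3):
    """Flows reaching the threshold are the ones to trace back to a process (netstat -ano)."""
    return [f for f, s in summary.items() if s["peak_per_second"] >= per_second_threshold]
```

A burst of sequential source ports to one destination points at a single application on the source host re-opening connections, which is what the thread ends up concluding; a spread of random ports or many destinations would call for a closer look.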
 
LVL 8

Author Comment

by:npinfotech
ID: 17084291
Come to think of it, could a faulty network card be the cause?  Could a network card just simply go haywire and make that many requests that quickly?
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 50 total points
ID: 17085575
No. If a NIC goes bad, it can flood your network with ARP requests or ethernet frames.

A bad NIC cannot generate valid IP packets this quickly.

It is most likely to be an application.

0
 
LVL 2

Accepted Solution

by:BennyM82
BennyM82 earned 250 total points
ID: 17086527
Install Sygate Personal Firewall and check what application/executable is actually attempting to make this connection.
It is not a faulty network card, there is a service on your computer attempting to make this connection.
I would not rule out spyware, though checking what service is trying to make this connection will give a more obvious answer to your question.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 17094631
The best answers were to run software that monitors the connection (Ethereal, Sygate).  I gave more points to the Sygate suggestion because it's a little easier to understand and read a personal firewall than an analyzer like Ethereal.

Thanks to all who participated here!
0
