TCP Flood: what is it? Why so little on it?

I have recently been a victim of an internal TCP Flood Denial of Service attack, yet I can find next to nothing on it scouring the net. A machine on my internal network was flooding my routers with packets, causing our Internet connection to go down. All antiviral and spyware (spybot, ad-aware) scans have come up clean. I think I have stopped it using the Windows XP firewall, but am not sure.

What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
npinfotech Asked:
BennyM82 Commented:
Install Sygate Personal Firewall and check what application/executable is actually attempting to make this connection.
It is not a faulty network card, there is a service on your computer attempting to make this connection.
I would not rule out spyware, though checking what service is trying to make this connection will give a more obvious answer to your question.
0
 
jhance Commented:
Firstly, since this was an INTERNAL machine, I'd have a hard time describing this as an "attack". Since you (presumably) control both the internal networks as well as all internal machines, this problem is really your responsibility. If, as seems to be the case, you have the responsibility but no ability to control, you should take steps to immediately gain control of all systems that plug into your internal network.

There is, however, a LOT of information about this problem. I think you're just not looking in the right place:

http://www.networkcomputing.com/unixworld/security/004/004.txt.html
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
http://www.webopedia.com/TERM/T/TCP_SYN_attack.html
http://www.securityfocus.com/infocus/1729

just to point out a few...
0
 
jjoseph_x Commented:
This might help a little: http://en.wikipedia.org/wiki/Denial_of_service

If it's internal it could come from a virus. If it was really a TCP flood (rather than ICMP or UDP) and you want to know what process was causing the problem, you could run a netstat -ano, which will show all of the connections and which process owns them. You can then look up the PID in Task Manager to see which application was causing the problematic traffic.

0
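The netstat -ano plus Task Manager procedure above, carried out with a script instead of by eye. This is an added example, not code from anyone in this thread: it parses the output of `netstat -ano` and `tasklist` (both captured to text files on the Windows box, then read here; the samples embedded below are constructed, and the hosts, PIDs and image names in them are made up) and reports which process owns the most connections to a given remote address.

```python
import re
from collections import Counter

# Constructed `netstat -ano` output in the Windows layout; addresses and PIDs are made up.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    192.168.1.20:1929      208.64.252.66:80       SYN_SENT        1844
  TCP    192.168.1.20:1930      208.64.252.66:80       SYN_SENT        1844
  TCP    192.168.1.20:1931      208.64.252.66:80       SYN_SENT        1844
  TCP    192.168.1.20:1932      208.64.252.66:80       ESTABLISHED     2312
  TCP    192.168.1.20:1940      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    712
"""

# Constructed `tasklist` output for the same machine (image names are made up).
TASKLIST_OUTPUT = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    712 Console                    0      4,512 K
svchost.exe                    936 Console                    0      5,104 K
iexplore.exe                  1844 Console                    0     31,240 K
updater.exe                   2312 Console                    0      2,980 K
"""

# Image names may contain spaces, so anchor on the numeric columns that follow them.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); '*:*' and similar have no numeric port."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row, skipping the banner and header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts  # UDP rows carry no State column
            state = ""
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    names = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            names[int(m["pid"])] = m["image"].strip()
    return names


def connections_by_process(netstat_text, tasklist_text, remote_host):
    """Count connections to remote_host per owning process, busiest process first."""
    names = parse_tasklist(tasklist_text)
    counts = Counter(row["pid"] for row in parse_netstat(netstat_text)
                     if row["remote_host"] == remote_host)
    return sorted(((names.get(pid, "<unknown>"), pid, n) for pid, n in counts.items()),
                  key=lambda t: (-t[2], t[1]))


if __name__ == "__main__":
    for image, pid, n in connections_by_process(NETSTAT_OUTPUT, TASKLIST_OUTPUT, "208.64.252.66"):
        print(f"{image:<16} PID {pid:<6} {n} connection(s)")
```

On a live machine, capture with `netstat -ano > netstat.txt` and `tasklist > tasklist.txt` while the traffic is happening, then feed both files to `connections_by_process`; many half-open rows in SYN_SENT from a single PID to one destination is exactly the pattern the poster's firewall log shows.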
 
rsivanandan Commented:
It would be possible to analyze the attack, even if there is one, with 'logs'. Do you have any kind of captured logs of when this happened?

Cheers,
Rajesh
0
 
npinfotech Author Commented:
NOTE: x.x.x.x = internal IP address

I have logs from my firewall:

2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66,80,WAN

Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):

Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
0
 
rsivanandan Commented:
Well, it is not an attack. The IP address 208.64.252.66 => SilverJewleryclub.com

If you look at the time stamps, it has happened only twice minute-wise, but with many communication attempts within seconds. Just open this site in your browser and you can see that this site keeps refreshing, hence the connection attempts.

I presume, somebody inside your network opened this page and minimized it, so it kept trying to refresh.

Cheers,
Rajesh
0
 
npinfotech Author Commented:
I understand this, but why does it keep trying on different ports? The number of tries per second is also troubling - the silverjewelry club updates every 5 minutes or so. Why so many attempts from an internal machine?
0
 
rsivanandan Commented:
You'll probably need to install Ethereal on your box and open a browser window to that site. Keep capturing for some time and then analyze what it is sending. That should give you a fair idea.

Cheers,
Rajesh
0
 
NetAdmin2436 Commented:
>>>Why does it keep trying on different ports?
It is using open Windows ports to connect. Many programs use open ports incrementally. The theory behind this is that the program doesn't know exactly what ports are open and not being used by other programs on your network, so they keep trying different ports. This can look like a virus, as viruses act like this, but in this case it looks legit if indeed some user is going to silverjewleryclub. It is normal for webpages to try and update, especially if they contain dynamic content.
Ports 1-1024 are reserved.
Ports 1025-49151 are registered.
Ports 49152-65535 are private.

http://www.iana.org/assignments/port-numbers

Hope this helps.
0
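The two things this thread ends up looking for in the firewall log are the rate of new connection attempts per second and whether the source ports step up one at a time, which is what one process opening connections back to back looks like. The following is an added example, not code from the poster or any answer: it parses lines in the router's own log format as quoted above (the source address in the embedded sample is a constructed private address standing in for the redacted x.x.x.x, and the second, quiet flow to 198.51.100.7 is constructed too), collapses the several rule-evaluation lines that each SYN produces into one attempt, and flags flows whose peak rate of new attempts per second meets a threshold.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the router's log format; 192.168.1.20 stands in for the
# redacted x.x.x.x, and the last line is a constructed "normal" flow for contrast.
SAMPLE_LOG = """\
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1929 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1930 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1931 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:192.168.1.20,1932 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:192.168.1.20,1933 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:192.168.1.20,1934 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:192.168.1.20,1935 ,LAN - Destination:208.64.252.66,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:20 - TCP packet - Source:192.168.1.31,2201 ,LAN - Destination:198.51.100.7,443[HTTPS] ,WAN [Forward] - [Outbound Default rule match]
"""

# Accepts both shapes seen in the thread: the "Mon, ... TCP packet ... 80[HTTP] ,WAN"
# per-rule lines and the shorter "TCP Flood ... 80,WAN" summary line.
LINE_RE = re.compile(
    r"^(?:\w{3}, )?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - TCP (?:packet|Flood) - "
    r"Source:(?P<src>[^,]+),(?P<sport>\d+)\s*,(?P<szone>\w+) - "
    r"Destination:(?P<dst>[^,]+),(?P<dport>\d+)(?:\[\w+\])?\s*,(?P<dzone>\w+)"
)


@dataclass
class FlowSummary:
    first_seen: str
    last_seen: str
    ports: list = field(default_factory=list)              # distinct source ports, first-seen order
    new_ports_per_second: dict = field(default_factory=dict)  # timestamp -> new attempts that second

    @property
    def peak_rate(self):
        return max(self.new_ports_per_second.values(), default=0)

    @property
    def sequential(self):
        # True when each new attempt used the next ephemeral port in sequence.
        return all(b - a == 1 for a, b in zip(self.ports, self.ports[1:]))


def summarize(log_text):
    """Group log lines by (source, destination, destination port) into FlowSummary objects."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in some other format are ignored
        key = (m["src"], m["dst"], int(m["dport"]))
        sport, ts = int(m["sport"]), m["ts"]
        fs = flows.setdefault(key, FlowSummary(first_seen=ts, last_seen=ts))
        fs.last_seen = ts
        if sport not in fs.ports:  # one SYN yields several rule lines; count it once
            fs.ports.append(sport)
            fs.new_ports_per_second[ts] = fs.new_ports_per_second.get(ts, 0) + 1
    return flows


def flag_bursts(log_text, per_second_threshold=3):
    """Return the flow keys whose peak rate of new attempts per second meets the threshold."""
    return sorted(k for k, fs in summarize(log_text).items()
                  if fs.peak_rate >= per_second_threshold)


if __name__ == "__main__":
    for key, fs in summarize(SAMPLE_LOG).items():
        print(key, "attempts:", len(fs.ports), "peak/s:", fs.peak_rate,
              "sequential ports:", fs.sequential)
    print("flagged:", flag_bursts(SAMPLE_LOG))
```

The threshold is a starting point, not a rule: a browser loading a page with many embedded objects legitimately opens several connections in one second, so the useful signal is a flow that keeps a high rate for many seconds, or one whose new attempts stay in SYN_SENT and never complete, which the per-second buckets in `new_ports_per_second` let you check across the whole capture.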
 
npinfotech Author Commented:
Come to think of it, could a faulty network card be the cause? Could a network card just simply go haywire and make that many requests that quickly?
0
 
prashsax Commented:
No. If a NIC goes bad, it can flood your network with ARP requests or ethernet frames.

A bad NIC cannot generate valid IP packets this quickly.

It is most likely to be an application.



0
 
npinfotech Author Commented:
The best answers were to run software that monitors the connection (Ethereal, Sygate). I gave more points to the Sygate suggestion because it's a little easier to understand and read a personal firewall than an analyzer like Ethereal.

Thanks to all who participated here!
0
Question has a verified solution.