npinfotech
asked on
TCP Flood: what is it? Why so little on it?
I have recently been a victim of an internal TCP Flood Denial of Service attack, yet I can find next to nothing on it scouring the net. A machine on my internal network was flooding my routers with packets, causing our Internet connection to go down. All antiviral and spyware (spybot, ad-aware) scans have come up clean. I think I have stopped it using the Windows XP firewall, but am not sure.
What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
What is this form of attack?
Where can it come from?
How can it be stopped?
Where can I learn more about it?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
It would be possible to analyze the attack, even if there is one with 'logs'. Do you have any kind of captured logs on when this happened ?
Cheers,
Rajesh
Cheers,
Rajesh
ASKER
NOTE: x.x.x.x = internal IP address
I have logs from my firewall:
2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66, 80,WAN
Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Default rule match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(1) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(2) not match]
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66, 80[HTTP] ,WAN [Forward] - [Outbound Rule(3) not match]
I have logs from my firewall:
2006-06-05 12:42:57 - TCP Flood - Source:x.x.x.x,50448,LAN - Destination:208.64.252.66,
Here is a sample of my log files just before my connection went out on June 26 (again, from firewall):
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1929 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1930 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1931 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:16 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1932 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1933 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1934 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,
Mon, 2006-06-26 11:43:17 - TCP packet - Source:x.x.x.x,1935 ,LAN - Destination:208.64.252.66,
Well, it is not an attack. The ip address 208.64.252.66 => SilverJewleryclub.com
If you look at the time stamp, it has done only twice by minute wise but many communication attempts in seconds. Just open this site in your browser and you can see that, this site keeps refreshing and hence the connection attempt.
I presume, somebody inside your network opened this page and minimized it, so it kept trying to refresh.
Cheers,
Rajesh
If you look at the time stamp, it has done only twice by minute wise but many communication attempts in seconds. Just open this site in your browser and you can see that, this site keeps refreshing and hence the connection attempt.
I presume, somebody inside your network opened this page and minimized it, so it kept trying to refresh.
Cheers,
Rajesh
ASKER
I understand this, but why does it keep trying on different ports? The number of tries per second is also troubling - the silverjewelry club updates ever 5 minutes or so. Why so many attempts from an internal machine?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Come ot think of it, could a faulty network card be the cause? Could a network card just simply go haywire and make that many requests that quickly?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The best answers were to run a software that monitors the connection (ethereal, sygate). I gave more points to the sygate suggestion because it's a little easier to understand and read a personal firewall than an analyzer like ethereal.
Thanks to all who particiapted here!
Thanks to all who particiapted here!
There is, however, a LOT of information about this problem. I think you're just not looking in the right place:
http://www.networkcomputing.com/unixworld/security/004/004.txt.html
http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm
http://www.webopedia.com/TERM/T/TCP_SYN_attack.html
http://www.securityfocus.com/infocus/1729
just to point out a few...