Solved

Syn flood to host from inside the network

Posted on 2007-03-28
Last Modified: 2008-01-09
Hi folks

I've had a look at other questions relating to this but cannot see anything specific to my problem, so I'm hoping you can shed some light on it.

This is the content of the alert message from my router:
Time: 03/28/2007, 12:36:55
Message: SYN Flood to Host
Source: 192.168.1.103, 2210
Destination: 66.238.90.237, 80 (from ATM1 Outbound)

As you will see, the source purports to be an IP address within our network. How is this possible & what does it mean for our security?
Is it possible that this could be triggered by the machine with that IP visiting a particular website?

Many thanks
Question by:morse57
13 Comments

Expert Comment

by:gfreeman081597
ID: 18807813
Anything above whatever the average baseline is for SYN packets from the same source to same destination can be construed as a SYN flood. The 1 second average for SYNs (depending on hardware vendor, configuration, etc) could be 1-5 SYNs per second, per host and this may be easily triggered with HTTP. If you constantly hit refresh on your browser while visiting a website you are sending multiple SYNs to the server that may trip the minute average watermark. If this concerns you and you want to provide protection, I suggest you use rate-limiting on your routing hardware. If you use Cisco, you can use Committed Access Rate (CAR) filtering in conjunction with rate limiting access lists.

Here's an example of how you would use CAR to rate limit SYN Floods:
! WEB-SERVER-IP is a placeholder: the address of the web server being protected
! ACL 100 matches established (non-SYN) HTTP packets; ACL 101 catches the rest, i.e. the SYNs
Router(config)# access-list 100 permit tcp any host WEB-SERVER-IP eq www established
Router(config)# access-list 101 permit tcp any host WEB-SERVER-IP eq www
Router(config)# interface Eth0
! rate-limit entries are checked in order: established HTTP gets the full 1.544 Mbps,
! what is left (the SYNs) is capped at 64 kbps and dropped above that
Router(config-if)# rate-limit output access-group 100 1544000 64000 64000 conform-action transmit exceed-action drop
Router(config-if)# rate-limit output access-group 101 64000 16000 16000 conform-action transmit exceed-action drop

Hope this helps... GF

Expert Comment

by:mikedgibson
ID: 18807900
Well, it could be a variety of things. First we will start with some background info. A whois query reveals that the destination IP belongs to

OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

Looking up some info about XO reveals they are an ISP so it is most likely an IP running at one of their customers.

Now I doubt the host at 192.168.1.103 had any reason to legitimately visit the web server at 66.238.90.237, as the web page hosted there doesn't contain much of anything, so I would say something suspect happened in your environment to cause that machine to browse there.

It could be one of the following reasons (or something else entirely):

1) The host 192.168.1.103 has been infected by some malware and is trying to SYN flood the host at 66.238.90.237. Or it could be infected with some poorly coded malware that is trying to phone home at this address and doesn't throttle its connections.

2) The user visited a site that is vulnerable to an attack such as Cross Site Scripting and the attacker used something like Jikto to use your internal host.

Do you see any SYN floods to other hosts, or does it seem to be to just 66.238.90.237? Do you have any logging enabled on your router to see what else 192.168.1.103 was up to?



Author Comment

by:morse57
ID: 18814665
Thanks for your helpful responses, guys.

I'm using an SMC Barricade firewall/router, but it doesn't have an activity logging function, and the IP address varies but is always in the pool 66.238.90.0.
I've been doing some physical checking and it seems that this is only happening when the user in question is using the cherrytap.com chat website, but not happening every time he does so.
I haven't had the opportunity yet to do a malware scan on the workstation - hoping to do so at lunchtime.

I've sent an email to XO asking if they can explain it & I'll report back when I have a reply.

Expert Comment

by:gfreeman081597
ID: 18815761
Perhaps you should install Wireshark or some other protocol analyser and baseline what HTTP connections to cherrytap.com look like. Web-based chat sites (particularly Java) send requests to refresh the page every second or so. The receiving end could have been too busy to provision the requests. I would get a packet dump and just analyse it and see if there are a number of HTTP GET requests that go unanswered.

Good luck.

Author Comment

by:morse57
ID: 18815863
I managed to get some time on the machine at lunchtime and did some malware scanning.

These were found by spybot, along with a cached file for Abetterinternet.Aurora, although I can't find any evidence of an active infection by Aurora.

obj[0]=IECache Entry : Cookie:picasso@atdmt.com/
obj[1]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@adopt.euroclick[1].txt
obj[2]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@advertising[1].txt
obj[3]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@atdmt[2].txt
obj[4]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[2].txt
obj[5]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[3].txt
obj[6]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[4].txt
obj[7]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[5].txt
obj[8]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@webstat[1].txt

Result from AdAware:
Tracking Cookie Object Recognized!

Type : IECache Entry
Data : picasso@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:picasso@atdmt.com/
Expires : 27-09-2011 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1
Objects found so far: 41
 

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@adopt.euroclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@adopt.euroclick[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@advertising[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@atdmt[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[4].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[4].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[5].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[5].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@webstat[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@webstat[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49
 
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.
New critical objects:0
Objects found so far: 49

I'll have a look at Wireshark and see what develops, although I have asked this user not to use the site anymore and it is my intention to block access to it at the firewall if it proves to be the cause.
I'll get back to you when I've tried Wireshark.

Thanks

Author Comment

by:morse57
ID: 18816696
Hi again

I tried out Wireshark against the website and, if I'm reading the log right, it seems that there is a significant number of unanswered GET requests. Do you think that this is the cause of the problem?

Cheers
Steve

Expert Comment

by:gfreeman081597
ID: 18818146
What are the timestamps on the messages? Are they all within the same second? If so, this is your problem - perhaps a false positive.

Author Comment

by:morse57
ID: 18822452
There are a lot of blocks of 5-8 GETs within a second, fewer of 8-15 and there are a couple of concentrated blocks - 14 in .3 sec and 18 in .25 sec, though neither triggered the alert.
I have no idea whether these last two are high levels or not. :-)

Accepted Solution

by:gfreeman081597 (earned 500 total points)
ID: 18843363
Depending on the default configuration of the SMC Barricade, 1 SYN per second might be the watermark for TCP (with no exception for HTTP).
If you are running the SMC with SPI, here are the available parameters that you can modify to address false positives (note - the max number of incomplete sessions per host is per minute):

* DoS Detect Criteria:

Total incomplete TCP/UDP sessions HIGH: 300 session
Total incomplete TCP/UDP sessions LOW: 250 session
Incomplete TCP/UDP sessions (per min) HIGH: 250 session
Incomplete TCP/UDP sessions (per min) LOW: 200 session
Maximum incomplete TCP/UDP sessions number from same host: 50
Incomplete TCP/UDP sessions detect sensitive time period: 5000 msec.
Maximum half-open fragmentation packet number from same host: 99
Half-open fragmentation detect sensitive time period: 34463 msec.
Flooding cracker block time: 30000 sec.

Author Comment

by:morse57
ID: 18843423
Thanks very much

I can no longer pin it down to one type of website - I have today received a similar alert in relation to a remote worker's DHCP assigned IP.

The settings I had were:
Total incomplete TCP/UDP sessions HIGH: 300 session
Total incomplete TCP/UDP sessions LOW: 250 session
Incomplete TCP/UDP sessions (per min) HIGH: 250 session
Incomplete TCP/UDP sessions (per min) LOW: 200 session
Maximum incomplete TCP/UDP sessions number to same host: 10
Incomplete TCP/UDP sessions detect sensitive time period: 300 msec.
Maximum half-open fragmentation packet number to same host: 30
Half-open fragmentation detect sensitive time period: 1000 msec.
Flooding cracker block time: 300 sec.

I have changed the last 5 to reflect your suggestion - we'll see how it goes.

Cheers
Steve
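The SYN-burst threshold gfreeman describes, and the two SMC parameter sets compared above (morse57's original 10 sessions within 300 msec versus the suggested 50 within 5000 msec), replayed over a constructed capture. This is an added example, not code from the thread or from SMC, and it assumes the Barricade counts, per source host, SYNs that no SYN-ACK has answered yet inside a sliding window of the "sensitive time period" and alerts once that count exceeds the "maximum incomplete sessions" figure; the packet timings are made up to resemble the chat site's refresh bursts.

```python
from collections import defaultdict, namedtuple

# One captured TCP packet; flags is "S" for a SYN, "SA" for a SYN-ACK (constructed data).
Packet = namedtuple("Packet", "t_ms src dst sport dport flags")
# The two SMC parameters the thread tunes: maximum incomplete sessions from the same
# host, and the "detect sensitive time period" (ms) they are assumed to be counted in.
Profile = namedtuple("Profile", "max_half_open window_ms")
ORIGINAL = Profile(max_half_open=10, window_ms=300)    # morse57's settings
SUGGESTED = Profile(max_half_open=50, window_ms=5000)  # gfreeman's settings

def half_open_alerts(packets, profile):
    """Replay packets in time order and return a (t_ms, host, count) tuple for
    every SYN that pushes a host's unanswered-SYN count above max_half_open."""
    half_open = defaultdict(dict)  # client -> {(cport, server, sport): SYN time}
    alerts = []
    for p in sorted(packets, key=lambda q: q.t_ms):
        if p.flags == "S":
            half_open[p.src][(p.sport, p.dst, p.dport)] = p.t_ms
            # Assumed sliding window: only SYNs inside the sensitive period count.
            live = {k: t for k, t in half_open[p.src].items()
                    if p.t_ms - t <= profile.window_ms}
            half_open[p.src] = live
            if len(live) > profile.max_half_open:
                alerts.append((p.t_ms, p.src, len(live)))
        elif p.flags == "SA":
            # The server's SYN-ACK completes the handshake: no longer half-open.
            half_open[p.dst].pop((p.dport, p.src, p.sport), None)
    return alerts

def chat_refresh_burst(spacing_ms=22):
    """Constructed capture: 14 SYNs from 192.168.1.103 to the chat server's web
    port, one every spacing_ms, with only the first two answered by a SYN-ACK."""
    client, server = "192.168.1.103", "66.238.90.237"
    pkts = []
    for i in range(14):
        t, port = i * spacing_ms, 2210 + i
        pkts.append(Packet(t, client, server, port, 80, "S"))
        if i < 2:
            pkts.append(Packet(t + 5, server, client, 80, port, "SA"))
    return pkts

if __name__ == "__main__":
    for spacing in (22, 220):  # 14 SYNs inside 0.3 s, then the same 14 over 3 s
        for name, prof in (("original", ORIGINAL), ("suggested", SUGGESTED)):
            print(spacing, "ms apart,", name, "settings:",
                  half_open_alerts(chat_refresh_burst(spacing), prof))
```

With the tight burst the original settings fire twice (the 11th and 12th unanswered SYN within 300 ms) while the suggested settings stay quiet; spreading the same 14 SYNs over 3 seconds trips neither, which is the effect of the longer sensitive period.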

Expert Comment

by:Admin3k
ID: 18913558
Try posting a HijackThis log; if there is indeed a zombie on your network, it should show up.

Author Comment

by:morse57
ID: 18931610
Thanks very much - I've just returned from holiday to find there haven't been any recurrences since the parameters were changed.

Steve

Expert Comment

by:gfreeman081597
ID: 18932403
Excellent - Thanks and good luck.

Gary Freeman