Syn flood to host from inside the network

Hi folks

I've had a look at other questions relating to this but cannot see anything specific to my problem, so I'm hoping you can shed some light on it.

This is the content of the alert message from my router:
Time: 03/28/2007, 12:36:55
Message: SYN Flood to Host
Source: 192.168.1.103, 2210
Destination: 66.238.90.237, 80 (from ATM1 Outbound)

As you will see, the source purports to be an IP address within our network. How is this possible & what does it mean for our security?
Is it possible that this could be triggered by the machine with that IP visiting a particular website?

Many thanks
gfreeman081597 commented:
Anything above whatever the average baseline is for SYN packets from the same source to same destination can be construed as a SYN flood. The 1 second average for SYNs (depending on hardware vendor, configuration, etc) could be 1-5 SYNs per second, per host and this may be easily triggered with HTTP. If you constantly hit refresh on your browser while visiting a website you are sending multiple SYNs to the server that may trip the minute average watermark. If this concerns you and you want to provide protection, I suggest you use rate-limiting on your routing hardware. If you use Cisco, you can use Committed Access Rate (CAR) filtering in conjunction with rate limiting access lists.

Here's an example of how you would use CAR to rate limit SYN Floods (<WEB-SERVER-IP> is a placeholder for the address of the web server being protected; the original post left it out):
! ACL 100: established (non-SYN) traffic to the web server, allowed up to line rate
Router(config)# access-list 100 permit tcp any host <WEB-SERVER-IP> eq www established
! ACL 101: everything else to port 80, i.e. the SYNs, capped at 64 kbps
Router(config)# access-list 101 permit tcp any host <WEB-SERVER-IP> eq www
Router(config)# interface Eth0
! rate-limit statements are checked in order, so established traffic matches 100 first
Router(config-if)# rate-limit output access-group 100 1544000 64000 64000 conform-action transmit exceed-action drop
Router(config-if)# rate-limit output access-group 101 64000 16000 16000 conform-action transmit exceed-action drop

Hope this helps... GF
mikedgibson commented:
Well it could be a variety of things. First we will start with some background info. A whois query reveals that the destination IP belongs to

OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

Looking up some info about XO reveals they are an ISP so it is most likely an IP running at one of their customers.

Now I doubt the host at 192.168.1.103 had any reason to legitimately visit the web server at 66.238.90.237, as the web page hosted there doesn't contain much of anything, so I would say something suspect happened in your environment to cause that machine to browse there.

It could be one of the following reasons (or something else entirely):

1) The host 192.168.1.103 has been infected by some malware and is trying to SYN flood the host at 66.238.90.237. Or it could be infected with some poorly coded malware that is trying to phone home at this address and doesn't throttle its connections.

2) The user visited a site that is vulnerable to an attack such as Cross Site Scripting and the attacker used something like Jikto to use your internal host.

Do you see any SYN floods to other hosts or does it seem to be to just 66.238.90.237? Do you have any logging enabled on your router to see what else 192.168.1.103 was up to?


morse57 (Author) commented:
Thanks for your helpful responses, guys.

I'm using an SMC Barricade firewall/router but it doesn't have an activity logging function, and the IP address varies but is always in the pool 66.238.90.0.
I've been doing some physical checking and it seems that this is only happening when the user in question is using the cherrytap.com chat website, but not happening every time he does so.
I haven't had the opportunity yet to do a malware scan on the workstation - hoping to do so at lunchtime.

I've sent an email to XO asking if they can explain it & I'll report back when I have a reply.
gfreeman081597 commented:
Perhaps you should install Wireshark or some other protocol analyser and baseline what HTTP connections to cherrytap.com look like. Web-based chat sites (particularly Java) send requests to refresh the page every second or so. The receiving end could have been too busy to provision the requests. I would get a packet dump and just analyse it to see if there are a number of HTTP GET requests that go unanswered.

Good luck.
morse57 (Author) commented:
I managed to get some time on the machine at lunchtime and did some malware scanning.

These were found by spybot, along with a cached file for Abetterinternet.Aurora, although I can't find any evidence of an active infection by Aurora.

obj[0]=IECache Entry : Cookie:picasso@atdmt.com/
obj[1]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@adopt.euroclick[1].txt
obj[2]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@advertising[1].txt
obj[3]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@atdmt[2].txt
obj[4]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[2].txt
obj[5]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[3].txt
obj[6]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[4].txt
obj[7]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[5].txt
obj[8]=IECache Entry : C:\Documents and Settings\pault\Cookies\pault@webstat[1].txt

Result from AdAware:
Tracking Cookie Object Recognized!

Type : IECache Entry
Data : picasso@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:picasso@atdmt.com/
Expires : 27-09-2011 01:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1
Objects found so far: 41
 

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@adopt.euroclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@adopt.euroclick[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@advertising[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@atdmt[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[3].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[3].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[4].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[4].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@rotator.adjuggler[5].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@rotator.adjuggler[5].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : pault@webstat[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\pault\Cookies\pault@webstat[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49
 
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.
New critical objects:0
Objects found so far: 49

I'll have a look at Wireshark and see what develops, although I have asked this user not to use the site anymore and it is my intention to block access to it at the firewall if it proves to be the cause.
I'll get back to you when I've tried Wireshark.

Thanks
morse57 (Author) commented:
Hi again

I tried out Wireshark against the website and, if I'm reading the log right, it seems that there is a significant number of unanswered GET requests. Do you think that this is the cause of the problem?

Cheers
Steve
gfreeman081597 commented:
What are the timestamps on the messages? Are they all within the same second? If so, this is your problem - perhaps a false positive.
morse57 (Author) commented:
There are a lot of blocks of 5-8 GETs within a second, fewer of 8-15 and there are a couple of concentrated blocks - 14 in .3 sec and 18 in .25 sec, though neither triggered the alert.
I have no idea whether these last two are high levels or not. :-)
gfreeman081597 commented:
Depending on the default configuration of the SMC Barricade 1 SYN per second might be the watermark for TCP (with no exception for HTTP).
If you are running the SMC with SPI here are the available parameters that you can modify to address false positives (note - the max number of incomplete sessions per host is per minute):

* DoS Detect Criteria:

Total incomplete TCP/UDP sessions HIGH: 300 session
Total incomplete TCP/UDP sessions LOW: 250 session
Incomplete TCP/UDP sessions (per min) HIGH: 250 session
Incomplete TCP/UDP sessions (per min) LOW: 200 session
Maximum incomplete TCP/UDP sessions number from same host: 50
Incomplete TCP/UDP sessions detect sensitive time period: 5000 msec.
Maximum half-open fragmentation packet number from same host: 99
Half-open fragmentation detect sensitive time period: 34463 msec.
Flooding cracker block time: 30000 sec.
morse57 (Author) commented:
Thanks very much

I can no longer pin it down to one type of website - I have today received a similar alert in relation to a remote worker's DHCP assigned IP.

The settings I had were:
Total incomplete TCP/UDP sessions HIGH: 300 session
Total incomplete TCP/UDP sessions LOW: 250 session
Incomplete TCP/UDP sessions (per min) HIGH: 250 session
Incomplete TCP/UDP sessions (per min) LOW: 200 session
Maximum incomplete TCP/UDP sessions number to same host: 10
Incomplete TCP/UDP sessions detect sensitive time period: 300 msec.
Maximum half-open fragmentation packet number to same host: 30
Half-open fragmentation detect sensitive time period: 1000 msec.
Flooding cracker block time: 300 sec.

I have changed the last 5 to reflect your suggestion - we'll see how it goes.

Cheers
Steve
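As an added illustration (not from the thread, and not how the SMC firmware is actually implemented), this Python model applies the two parameter pairs quoted above, Steve's original 10 sessions per 300 msec and the suggested 50 per 5000 msec, to constructed bursts of unanswered SYNs shaped like the ones Steve saw in Wireshark. The event data and the sliding-window logic are assumptions, not the device's documented behaviour.

```python
from collections import deque
from dataclasses import dataclass

# (max incomplete sessions from/to same host, detect sensitive time period in ms), as quoted in the thread
SMC_SUGGESTED = (50, 5000)   # values suggested by gfreeman
SMC_ORIGINAL = (10, 300)     # values Steve had before changing them


@dataclass(frozen=True)
class SynEvent:
    t: float        # seconds since capture start
    src: str        # internal host sending the SYN
    dst: str        # server being contacted
    answered: bool  # True if a SYN/ACK came back, i.e. the session completed


def make_burst(start, count, span, answered=False,
               src="192.168.1.103", dst="66.238.90.237"):
    """Constructed sample traffic: `count` SYNs spread evenly over `span` seconds."""
    step = span / max(count - 1, 1)
    return [SynEvent(start + i * step, src, dst, answered) for i in range(count)]


def half_open_alerts(events, max_per_host, period_ms):
    """Sliding-window model of the 'maximum incomplete sessions from same host' check:
    a session is half-open while its SYN is unanswered; alert when more than
    max_per_host of them between one src/dst pair fall within period_ms."""
    window = period_ms / 1000.0
    pending = {}          # (src, dst) -> deque of half-open SYN timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.answered:   # completed handshakes never count as incomplete
            continue
        q = pending.setdefault((ev.src, ev.dst), deque())
        q.append(ev.t)
        while q and ev.t - q[0] > window:   # drop SYNs older than the period
            q.popleft()
        if len(q) > max_per_host:
            alerts.append((ev.t, ev.src, ev.dst, len(q)))
            q.clear()     # assumption: the counter resets once the host is flagged
    return alerts


def compare_profiles(events):
    """Alert count under each parameter set, to see which one a capture trips."""
    return {name: len(half_open_alerts(events, *params))
            for name, params in (("original", SMC_ORIGINAL), ("suggested", SMC_SUGGESTED))}


if __name__ == "__main__":
    # the bursts Steve reported (14 in 0.3 s, 18 in 0.25 s, 8 in 1 s), modelled as unanswered SYNs
    sample = make_burst(0.0, 14, 0.3) + make_burst(2.0, 18, 0.25) + make_burst(4.0, 8, 1.0)
    print(compare_profiles(sample))   # {'original': 2, 'suggested': 0}
```

Only SYNs that never get a SYN/ACK count here, which is why a busy chat page whose requests are eventually answered looks very different from a malware-driven flood under the same thresholds.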
Mohamed Osama (Senior IT Consultant) commented:
Try posting a HijackThis log; if there is indeed a zombie on your network it should show up.
morse57 (Author) commented:
Thanks very much - I've just returned from holiday to find there haven't been any recurrences since the parameters were changed.

Steve
gfreeman081597 commented:
Excellent - Thanks and good luck.

Gary Freeman