Track down attacks


Can anyone point us in the direction of expertise to help us track down the sources of recent SYN flood attacks? We seem to be unusual in that we are getting persistent attacks, and we need to understand whether this is one source or several.

Any advice would be most welcome

Many thanks
btan (Exec Consultant) commented:
A couple of means: if you have a FW at the perimeter, it should already have recorded the IP addresses, and you can simply use Robtex or Domain Dossier to enter the IP for the whois (registered owner of the origin).

But do not be surprised if those IPs lead to an ISP fronting them, or even some open proxy or anonymiser; that is their intent, to deter you from blacklisting, as it can create false positives by blocking the "ISP". Making the situation worse, the IPs can be spoofed and come in multiples, making the effort to attribute them tougher.

If needed, you may also check whether the IP is a TOR exit or open relay; then it is possibly worth blocking it via a blacklist. You can easily google the IP as well for its "reputation" online.

Nonetheless, going via IP will not be foolproof for attribution or even blacklisting, but it can help to establish a backup option if rate limiting of that IP source does not stop the impact, or you can even try to sinkhole that particular source. You can then block it if the situation does not fare better.

Cisco FW and Juniper FW share their fair share of source identification to limit the damage or even prevent it:

Filtering: The most basic network-level defense is application of the filtering techniques described in RFC 2827 [7]. Using ingress filtering, an ISP refuses to further route packets coming from an end site with IP source addresses that do not belong to that end site. Ingress filtering would be highly effective at preventing SYN flooding attacks that rely on spoofed IP packets. However, it is not currently reliable because ingress filtering policies are not universally deployed. Ingress filtering is also wholly ineffective against SYN flooding attacks that use a distributed army of controlled hosts that each directly attack. Ingress filtering is also a mechanism that an end site wishing to defend itself most often has no control over, because it has no influence upon the policies employed by ISPs around the world.

Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address—regardless of the destination IP address and port number—before JUNOS Software begins dropping connection requests from that source.

user@host# set security screen zone-syn-flood tcp syn-flood source-threshold <number>

user@host# set security zones security-zone zone screen zone-syn-flood
Tracking a SYN flood by source address uses different detection parameters from tracking a SYN flood by destination address and destination port number. When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.

Another minor pointer is that you may also want to monitor at the server end; in the case of an internal IP source coming with DoS symptoms and without a FW fronting it (somehow), you may consider using netstat to sieve out some details about the origin of your attacker by outputting the source IPs with the most connections. I saw in open sharing some commands such as below:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Also, if you find that there is a massive number of different IP addresses in the list, it's possible that you are experiencing not a DoS but a DDoS attack on your dedicated server. Assuming a web server, which is a likely candidate due to public access and exposure, you can try to identify the target IP address on your dedicated server using the following command:

netstat -nt | grep SYN_RECV | grep ':80 '

This basically just looks at all TCP traffic in the SYN_RECV state that’s going to port 80, which is the webserver port.
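The two netstat one-liners above count every connection and then filter to SYN_RECV on port 80 separately. As an added example (not code from the thread), the script below does both in one pass over `netstat -nt` output, counting half-open connections per source IP for a chosen port and then judging whether the flood comes from a few sources (rate-limit or blacklist candidates) or many (the DDoS or spoofed case where chasing individual IPs is not realistic); the netstat sample is constructed, and the default 20-source threshold is an assumed operator choice.

```shell
#!/bin/sh
# Added example, not from the thread: summarise half-open (SYN_RECV) TCP
# connections per source IP from the output of `netstat -nt`, then judge
# whether the flood comes from a few sources or many. Like the thread's
# `cut -d: -f1`, the split on ':' assumes IPv4 addresses in address:port form.

# Constructed sample of `netstat -nt` output so the script runs offline.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.42:40001      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.42:40002      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.99:40100      SYN_RECV'

# syn_sources_for_port PORT: read netstat -nt output on stdin and print
# "<count> <source-ip>" for every source with SYN_RECV entries to PORT,
# busiest source first.
syn_sources_for_port() {
    awk -v port="$1" '
        $NF == "SYN_RECV" && $4 ~ (":" port "$") {
            split($5, addr, ":")
            count[addr[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# classify_syn_sources [MAX_SOURCES]: read the per-source summary on stdin
# and report whether the number of distinct sources exceeds MAX_SOURCES
# (default 20, an assumed operator-chosen threshold).
classify_syn_sources() {
    max_sources="${1:-20}"
    distinct=$(wc -l | tr -d ' ')
    if [ "$distinct" -gt "$max_sources" ]; then
        echo "MANY_SOURCES: $distinct distinct sources, per-IP blocking will not help"
    else
        echo "FEW_SOURCES: $distinct distinct sources, candidates for rate limiting"
    fi
}

# Demo on the constructed sample (live use: netstat -nt | syn_sources_for_port 80).
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sources_for_port 80
printf '%s\n' "$SAMPLE_NETSTAT" | syn_sources_for_port 80 | classify_syn_sources
```

On the sample, 198.51.100.7 tops the list with three half-open connections and only three distinct sources appear, so it reports FEW_SOURCES; on a real flood with hundreds of distinct sources it reports MANY_SOURCES.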
Tony Giangreco commented:
hardware based firewall, it is probably being logged. I suggest reviewing those logs. I also suggest having those logs sent to a system admin by email as the log fills up so they can be reviewed anytime. Without sending those logs, the old logged events get overwritten as new logs are created.

We use a Sonicwall firewall for this. It works very well. Cisco and other brands should work well also.

You might also try contacting your ISP, although most of the time, adding a firewall is the best first step.

Hope this helps.
Pasha Kravtsov (Support Engineer) commented:
Next time it happens, run tcpdump and filter out certain ports (22 etc.) that are not being attacked. Save the .pcap file and examine it for the offending IPs and report them.
Rich Rumble (Security Samurai) commented:
If you know it's a SYN flood, you probably know the IPs it's coming from; you can GeoIP them to see where. Again, like in the last question, you will probably have to work with your ISP, or pay some extra fee if you want DDoS protection from an attack; most large ISPs offer this service for a charge. Here is Cisco's take on it:
If you can't narrow it down to a few dozen IPs then it's probably spoofed, and it doesn't matter where the attacker is. Even if you do ID them, it often falls on deaf ears:
DJB proposed SYN cookies:
The hope is we can avoid a lot of these items in IPv6, but some are already there :(
Tony Giangreco commented:
Chances are you will not be able to track an attack down to a site that you can do much about except have your ISP block for you. A good firewall will detect that traffic and drop the traffic so it doesn't hit your network. I have received notifications from our firewall of that traffic being detected and dropped with no human interaction needed. That's probably your best bet.
btan (Exec Consultant) commented:
Further to add, those network security devices deployed at the perimeter likely have access to some (subscription or open) online intelligence on reputation services; you may even want to subscribe (from the provider themselves) to help in the attribution, but as all say, it is tough to accurately pinpoint the source, and it can be just another infected bot host that is (probably) not even aware it has been doing wrong stuff.

Also, a website can be waterholed, causing redirected calls to the victim itself, such as the pingback case in WordPress or possibly other CMSs. In this case it is more of a SYN flood, so it should be easily handled by the network perimeter devices already; the focus is on whether, during that period of flooding, any other anomalies were detected or sensed in the traffic and at any other egress or ingress points.
Chris_Ryan (Author) commented:
Thank you for all your comments and postings

The SYN flood attack was from a whole bunch of IP addresses, so we have no realistic chance of chasing them down.

We have moved to CloudFlare for the time being, but are investigating other options.

It has been a real eye opener for us after almost 20 years of running without any problems.

Once again many thanks
btan (Exec Consultant) commented:
Just a note: a managed service for such an incident should also actively surface and attribute the rate threshold, customised to your asset, and ensure that comms to your asset only allow Cloudflare (in this case) to forward the "clean" traffic to the actual origin server (your server). This is to limit the bypass, as an attacker can still go direct via IP (though it is very deterring, as most of the time DNS is more the way to go, but that will already be fronted by Cloudflare). Likewise, do note the source IP addresses can come from fast-flux types that keep on changing, also to make sure the attempt to trace back the source is fruitless.