Thus spoke François Boisson on the 024th day of the year 2004:

> What surprises me is that the Blaster martians look like this:
>
> 8. The DoS traffic has the following characteristics:
>   * Is a SYN flood on port 80 of windowsupdate.com.
>   * Tries to send 50 HTTP packets every second.
>   * Each packet is 40 bytes in length.
>   * If the worm cannot find a DNS entry for windowsupdate.com, it
>     uses a destination address of 255.255.255.255.
>
> Some fixed characteristics of the TCP and IP headers are:
>   + IP identification = 256
>   + Time to Live = 128
>   + Source IP address = a.b.x.y, where a.b are from the host ip
>     and x.y are random. In some cases, a.b are random.
>   + Destination IP address = dns resolution of "windowsupdate.com"
>   + TCP Source port is between 1000 and 1999
>   + TCP Destination port = 80
>   + TCP Sequence number always has the two low bytes set to 0;
>     the 2 high bytes are random.
>   + TCP Window size = 16384

See the packet capture attached. After analysis, the source port always stays 80, the destination varies.

Well, dunno what it is, but iptables fights it _very_ effectively.

Thanks to all.

-- 
Nicolas Rueff
Montbéliard - France
http://rueff.tuxfamily.org
n.rueff@free.fr
+33 6 77 64 44 80
GPG 0xDD44DAB4
ICQ 97700474
We are Penguin. Resistance is futile. You will be assimilated.
Frame 1041 (56 bytes on wire, 56 bytes captured)
    Arrival Time: Jan 24, 2004 15:26:59.578559000
    Time delta from previous packet: 0.068730000 seconds
    Time since reference or first frame: 13.257681000 seconds
    Frame Number: 1041
    Packet Length: 56 bytes
    Capture Length: 56 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 213.103.72.16 (213.103.72.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x34b4 (13492)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x69a3 (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: 213.103.72.16 (213.103.72.16)
Transmission Control Protocol, Src Port: www (80), Dst Port: 1893 (1893), Seq: 0, Ack: 0, Len: 0
    Source port: www (80)
    Destination port: 1893 (1893)
    Sequence number: 0
    Acknowledgement number: 0
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xc8fe (correct)
    SEQ/ACK analysis
        TCP Analysis Flags
            This is a ZeroWindow segment
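To turn the quoted header characteristics into something a defender can actually check, here is an added example that is not part of the original thread: a small Python filter that tests a raw IPv4+TCP header pair against every fixed field of the Blaster flood and reports which ones fail. The two sample packets are constructed for this example, one shaped like the flood (10.20.77.9 and 192.0.2.10 are stand-in addresses, checksums are left at zero) and one rebuilt from the RST/ACK in the attached capture.

```python
import socket
import struct

# Fixed characteristics of the Blaster SYN flood, from the quoted advisory.
BLASTER_IP_ID, BLASTER_TTL, BLASTER_LEN, BLASTER_WINDOW = 256, 128, 40, 16384
TCP_SYN, TCP_RST_ACK, TCP_FLAG_MASK = 0x02, 0x14, 0x1FF  # mask = the 9 TCP flag bits


def blaster_mismatches(pkt: bytes) -> list:
    """Return the advisory fields a raw IPv4+TCP packet does NOT match (empty = all match)."""
    if len(pkt) < 40:
        return ["shorter than IPv4 + TCP headers"]
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl != 20 or proto != 6:
        return ["not a plain IPv4/TCP packet"]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    flags = off_flags & TCP_FLAG_MASK
    checks = [
        (total_len == BLASTER_LEN, f"total length {total_len} != {BLASTER_LEN}"),
        (ip_id == BLASTER_IP_ID, f"IP id {ip_id} != {BLASTER_IP_ID}"),
        (ttl == BLASTER_TTL, f"TTL {ttl} != {BLASTER_TTL}"),
        (1000 <= sport <= 1999, f"source port {sport} outside 1000-1999"),
        (dport == 80, f"destination port {dport} != 80"),
        ((seq & 0xFFFF) == 0, f"sequence low bytes 0x{seq & 0xFFFF:04x} != 0"),
        (flags == TCP_SYN, f"TCP flags 0x{flags:03x} are not SYN-only"),
        (window == BLASTER_WINDOW, f"window {window} != {BLASTER_WINDOW}"),
    ]
    return [why for ok, why in checks if not ok]


def is_blaster_syn(pkt: bytes) -> bool:
    return not blaster_mismatches(pkt)


def build_packet(src, dst, ip_id, ttl, sport, dport, seq, flags, window) -> bytes:
    """40-byte IPv4+TCP header pair used as constructed test input (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed flood packet shaped as the advisory describes (a.b from the infected
# host, x.y random; the destination address stands in for windowsupdate.com).
FLOOD_SYN = build_packet("10.20.77.9", "192.0.2.10", 256, 128, 1337, 80, 0x3F2A0000, TCP_SYN, 16384)
# The RST/ACK from the attached capture: src port 80, dst port 1893, seq 0, window 0.
CAPTURED_RST = build_packet("127.0.0.1", "213.103.72.16", 0x34B4, 128, 80, 1893, 0, TCP_RST_ACK, 0)
```

Run on the captured packet, the filter reports the IP id, source port 80, destination port 1893, RST/ACK flags and zero window as mismatches, so a rule built on these fields would not fire on it.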