
Strange DoS from many (MANY) hosts



Hi there.

For several hours I have been receiving SYN packets from *lots* of hosts.

It doesn't appear to be a *personal* attack, but most probably some new
virii/vermii, because:

The hit frequency is not that high: my latencies have gone to the sky,
but still inside the atmosphere ;-).

I only get a few requests from each host, and there are thousands of
them, from all around the world.  Most of the hosts (the ones with
reverse DNS, anyway) appear to be over DSL/Cable lines, like:

adsl-65-67-113-211.dsl.rcsntx.swbell.net
ben215.neoplus.adsl.tpnet.pl
wbar18.dal1-4.29.164.140.dal1.dsl-verizon.net
S010600402b65ad2b.vc.shawcable.net
DSL01.212.114.236.176.NEFkom.net
...

The hits appear to probe several ports, including 135, 445, 4662, 21338
and 31841.  Two of them are in /etc/services:

loc-srv         135/tcp         epmap           # Location Service
microsoft-ds    445/tcp                         # Microsoft Naked CIFS

Anyone experiencing it, or with an idea of what this is?

As I said, so far the only complication is with online games ;-), but nonetheless, the propagation of the "thing" is most impressive.

Is it the Apocalypse Now???? (Redux ;-) )

As you'll see next, my firewall already refuses connections to those ports (with the standard DROP at the end of the iptables chain), but even a few hits a second get my latency really high. Is there a better way to deal with these packets?

Sniffer log extract follows:

Source                Destination           Protocol Info
1.140.142.132         THIS.IS.MY.HOST         TCP      2391 > microsoft-ds [SYN] Seq=0 Ack=0 Win=8760 Len=0 MSS=1460
THIS.IS.MY.HOST         61.140.142.132        ICMP     Destination unreachable
80.38.27.138          THIS.IS.MY.HOST         TCP      4811 > 21338 [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460
61.145.99.67          THIS.IS.MY.HOST         TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         61.145.99.67          ICMP     Destination unreachable
201.135.98.127        THIS.IS.MY.HOST         TCP      1983 > loc-srv [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         201.135.98.127        ICMP     Destination unreachable
3com_5a:43:3f         Cisco_f7:60:38        PPP LCP  Echo Request
Cisco_f7:60:38        3com_5a:43:3f         PPP LCP  Echo Reply
212.114.236.176       THIS.IS.MY.HOST         TCP      29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
212.114.236.176       THIS.IS.MY.HOST         TCP      29697 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902057 TSER=0 WS=0
68.148.140.208        THIS.IS.MY.HOST         TCP      4053 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1460
THIS.IS.MY.HOST         68.148.140.208        ICMP     Destination unreachable
61.145.99.67          THIS.IS.MY.HOST         TCP      1268 > microsoft-ds [SYN] Seq=0 Ack=0 Win=16384 Len=0 MSS=1440
THIS.IS.MY.HOST         61.145.99.67          ICMP     Destination unreachable
212.114.236.176       THIS.IS.MY.HOST         TCP      29696 > 21338 [SYN] Seq=0 Ack=0 Win=5808 Len=0 MSS=1452 TSV=53902357 TSER=0 WS=0
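As an added example (not part of the original post), a small Python parser over a constructed sample modelled on the sniffer extract above: it counts SYNs and distinct sources per targeted port to surface the "many hosts, few hits each" pattern described, and it also counts the ICMP unreachable replies the host sends back, which is worth checking because a plain iptables DROP rule generates no reply at all. The host name THIS.IS.MY.HOST is the placeholder used in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sniffer extract in the post.
SAMPLE_LOG = """\
Source                Destination           Protocol Info
61.140.142.132        THIS.IS.MY.HOST         TCP      2391 > microsoft-ds [SYN] Seq=0 Win=8760
THIS.IS.MY.HOST         61.140.142.132        ICMP     Destination unreachable
80.38.27.138          THIS.IS.MY.HOST         TCP      4811 > 21338 [SYN] Seq=0 Win=64240
61.145.99.67          THIS.IS.MY.HOST         TCP      1268 > microsoft-ds [SYN] Seq=0 Win=16384
THIS.IS.MY.HOST         61.145.99.67          ICMP     Destination unreachable
201.135.98.127        THIS.IS.MY.HOST         TCP      1983 > loc-srv [SYN] Seq=0 Win=16384
THIS.IS.MY.HOST         201.135.98.127        ICMP     Destination unreachable
3com_5a:43:3f         Cisco_f7:60:38        PPP LCP  Echo Request
212.114.236.176       THIS.IS.MY.HOST         TCP      29696 > 21338 [SYN] Seq=0 Win=5808
212.114.236.176       THIS.IS.MY.HOST         TCP      29697 > 21338 [SYN] Seq=0 Win=5808
68.148.140.208        THIS.IS.MY.HOST         TCP      4053 > microsoft-ds [SYN] Seq=0 Win=16384
THIS.IS.MY.HOST         68.148.140.208        ICMP     Destination unreachable
"""

SYN_RE = re.compile(r"^(\S+)\s+(\S+)\s+TCP\s+(\S+) > (\S+) \[SYN\]")
ICMP_RE = re.compile(r"^(\S+)\s+(\S+)\s+ICMP\s+Destination unreachable")

def summarize(log, my_host="THIS.IS.MY.HOST"):
    """Per-port SYN counts and distinct sources, plus the number of ICMP
    unreachable replies the host itself sent (a DROP policy sends none)."""
    syns, sources, replies = defaultdict(int), defaultdict(set), 0
    for line in log.splitlines():
        m = SYN_RE.match(line)
        if m and m.group(2) == my_host:          # inbound SYN to us
            syns[m.group(4)] += 1
            sources[m.group(4)].add(m.group(1))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == my_host:          # our reply to a probe
            replies += 1
    return {"syn_per_port": dict(syns),
            "sources_per_port": {p: len(s) for p, s in sources.items()},
            "icmp_replies_sent": replies}

def distributed_scan_ports(summary, min_sources=2, max_syn_per_source=2.0):
    """Ports hit by many distinct sources sending only a few SYNs each:
    a worm sweep pattern rather than one attacker hammering a service."""
    hits = []
    for port, n_src in summary["sources_per_port"].items():
        if n_src >= min_sources and summary["syn_per_port"][port] / n_src <= max_syn_per_source:
            hits.append(port)
    return sorted(hits)
```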
