
Re: Martian sources



Thus spoke François Boisson on the 024th day of the year 2004:

> What surprises me is that the Blaster martians look like this:
> 
>    8. The DoS traffic has the following characteristics:
>           * Is a SYN flood on port 80 of windowsupdate.com.
>           * Tries to send 50 HTTP packets every second.
>           * Each packet is 40 bytes in length.
>           * If the worm cannot find a DNS entry for windowsupdate.com, it
>             uses a destination address of 255.255.255.255.
> 
>       Some fixed characteristics of the TCP and IP headers are:
>                 + IP identification = 256
>                 + Time to Live = 128
>                 + Source IP address = a.b.x.y, where a.b are from the host
>                   ip and x.y are random. In some cases, a.b are random.
>                 + Destination IP address = dns resolution of "windowsupdate.com"
>                 + TCP Source port is between 1000 and 1999
>                 + TCP Destination port = 80
>                 + TCP Sequence number always has the two low bytes set to 0;
>                   the 2 high bytes are random.
>                 + TCP Window size = 16384

See the packet capture attached. After analysis, the source port always
stays 80 and the destination port varies. Well, dunno what it is, but
iptables fights it _very_ effectively.

Thanks to all.

-- 
  .,p**"*=b_   Nicolas Rueff
 ?P"  .__ `*b   Montbéliard  -  France
|P  .d?'`&, 9|   http://rueff.tuxfamily.org
M:  |}   |- H'   n.rueff@free.fr
&|  `#?_._oH'   +33 6 77 64 44 80
`H.   "`"`'   GPG 0xDD44DAB4
 `#?.	    ICQ 97700474
   `^~.

We are Penguin. Resistance is futile. You will be assimilated.

Frame 1041 (56 bytes on wire, 56 bytes captured)
    Arrival Time: Jan 24, 2004 15:26:59.578559000
    Time delta from previous packet: 0.068730000 seconds
    Time since reference or first frame: 13.257681000 seconds
    Frame Number: 1041
    Packet Length: 56 bytes
    Capture Length: 56 bytes
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 213.103.72.16 (213.103.72.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x34b4 (13492)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x69a3 (correct)
    Source: 127.0.0.1 (127.0.0.1)
    Destination: 213.103.72.16 (213.103.72.16)
Transmission Control Protocol, Src Port: www (80), Dst Port: 1893 (1893), Seq: 0, Ack: 0, Len: 0
    Source port: www (80)
    Destination port: 1893 (1893)
    Sequence number: 0
    Acknowledgement number: 0
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0xc8fe (correct)
    SEQ/ACK analysis
        TCP Analysis Flags
            This is a ZeroWindow segment

Attachment: pgp9j7_rcF7DF.pgp
Description: PGP signature
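As an added example (not part of the post, nor code from Ethereal, iptables or any other tool named in it), the Python below rebuilds the IPv4 and TCP headers of frame 1041 from the dissection above, recomputes the IP header checksum (it reproduces the 0x69a3 the dissector marks as correct), confirms the 40-byte total length (the remaining 16 of the 56 bytes on the wire are the Linux cooked-capture header), and classifies the source address against a martian list of the kind the kernel's "martian source" log message refers to. The sequence and acknowledgement numbers shown as 0 are most likely relative values displayed by the dissector, so the TCP checksum cannot be checked against 0xc8fe from this listing alone; the block takes the raw numbers as parameters and reports whatever checksum results. The FRAME dict, the MARTIAN_NETS list and every function name are this example's own choices, not anything from the post.

```python
"""Rebuild frame 1041 from its dissection, verify the IP checksum, classify the source."""
import ipaddress
import struct

# Header fields transcribed from the dissection quoted in the post (frame 1041).
FRAME = {
    "src": "127.0.0.1",
    "dst": "213.103.72.16",
    "ident": 0x34B4,
    "ttl": 128,
    "proto": 6,              # TCP
    "total_length": 40,      # 20-byte IP header + 20-byte TCP header, no payload
    "ip_checksum": 0x69A3,   # value the dissector reports as correct
    "sport": 80,
    "dport": 1893,
    "tcp_flags": 0x14,       # RST + ACK
    "window": 0,
}

# Address blocks that are never a legitimate source on a public interface
# (RFC 1122 "martian" sources). Assumed list for this example.
MARTIAN_NETS = [
    (ipaddress.ip_network("0.0.0.0/8"), "this-network"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved / limited broadcast"),
]


def martian_reason(addr):
    """Return why `addr` is a martian source, or None for an ordinary unicast address."""
    ip = ipaddress.ip_address(addr)
    for net, reason in MARTIAN_NETS:
        if ip in net:
            return reason
    return None


def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ident, ttl, proto, total_length, checksum=0):
    """20-byte IPv4 header: IHL 5, DSCP/ECN 0, flags and fragment offset 0."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0x00, total_length, ident, 0x0000, ttl, proto, checksum,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def build_tcp_header(sport, dport, seq, ack, flags, window, checksum=0, urgent=0):
    """20-byte TCP header with data offset 5 and no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, checksum, urgent)


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zero)."""
    pseudo = struct.pack("!4s4sBBH", ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed, 0, 6, len(segment))
    return internet_checksum(pseudo + segment)


def analyse(frame=FRAME, seq=0, ack=0):
    """Rebuild the packet; report checksum validity, length and the martian verdict.

    seq/ack default to the dissector's (probably relative) 0, so the TCP checksum
    returned is only meaningful when the raw values are passed in.
    """
    ip_hdr = build_ipv4_header(frame["src"], frame["dst"], frame["ident"],
                               frame["ttl"], frame["proto"], frame["total_length"])
    tcp_hdr = build_tcp_header(frame["sport"], frame["dport"], seq, ack,
                               frame["tcp_flags"], frame["window"])
    computed_ip = internet_checksum(ip_hdr)
    return {
        "ip_checksum_computed": computed_ip,
        "ip_checksum_ok": computed_ip == frame["ip_checksum"],
        "wire_length": len(ip_hdr) + len(tcp_hdr),
        "length_ok": len(ip_hdr) + len(tcp_hdr) == frame["total_length"],
        "tcp_checksum_for_given_seq_ack": tcp_checksum(frame["src"], frame["dst"], tcp_hdr),
        "martian_source": martian_reason(frame["src"]),
        "is_syn": bool(frame["tcp_flags"] & 0x02),   # False: this is a RST/ACK, not a SYN
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The interesting output is the pair `ip_checksum_ok: True` and `martian_source: loopback`: the packet is well-formed, yet its source address can only be forged, which is exactly why a reverse-path check or an iptables rule on the source range stops it so cheaply. `is_syn` is False, which matches the poster's observation that these packets, unlike the Blaster SYN flood quoted above, come *from* port 80 rather than going to it.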