From the front line
A number of sites have been seeing unusual SYN-ACK traffic coming from port 80 that at first glance appears to be backscatter from a DDoS attack. A closer look leaves us slightly puzzled. Note: these logs have been sanitized to protect the guilty and the innocent.
Some unusual patterns that a number of us have picked up on from the traffic:

- Different combinations of the TCP reserved / ECN (Explicit Congestion Notification) flags set. If these were valid ECN SYN-ACKs, they would have only the SYN, ACK, and ECN-ECHO flags set.
- The TCP window size is maxed out on all the packets.
- Sequence numbers have a definite pattern of repeating 2 bytes (4 hex characters), for example:
  Seq: 0x79027902
  Seq: 0x4a2e4a2e
  Seq: 0x5d4b5d4b

This is unusual, as these sequence numbers are coming from a host that you would initially assume is suffering a DDoS attack. Has anyone seen this traffic? Got packets?

Handler on Duty: Mike Poor <mike .at. intelguardians.com>
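The three traits described above (non-RFC ECN/reserved flag combinations on a SYN-ACK, a window of 65535, and a 32-bit sequence number whose two 16-bit halves repeat) are easy to turn into a triage check. The following is an added example written for this diary, not code from the handlers; it parses raw 20-byte TCP headers with the standard library and tags each SYN-ACK with the anomalies it shows. The sample headers are constructed here to reproduce the patterns in the post (the sequence numbers are the ones quoted above, the ports and the "two or more anomalies" threshold are assumptions).

```python
import struct

# TCP flag bits in the 16-bit "data offset / reserved / flags" field.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
RESERVED_MASK = 0x0E00   # the three reserved bits above NS
MAX_WINDOW = 0xFFFF      # 65535, the largest value without window scaling
# A valid ECN-setup SYN-ACK (RFC 3168) carries only SYN, ACK and ECN-ECHO.
VALID_ECN_SYNACK = SYN | ACK | ECE


def build_tcp_header(sport, dport, seq, ack, flags, window, data_offset=5):
    """Construct a 20-byte TCP header with a zero checksum (sample data only)."""
    off_flags = (data_offset << 12) | (flags & 0x0FFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into a dict of the fields we need."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x01FF,          # nine flag bits incl. NS
        "reserved": off_flags & RESERVED_MASK,
        "window": window,
    }


def seq_repeats_halves(seq):
    """True when the upper and lower 16 bits of the sequence number are equal."""
    return (seq >> 16) == (seq & 0xFFFF)


def anomalies(hdr):
    """Return the list of anomaly tags for one header; empty unless it is a SYN-ACK."""
    f = hdr["flags"]
    found = []
    if f & (SYN | ACK) != (SYN | ACK):
        return found
    # Any reserved bit, or any flag outside SYN/ACK/ECE (e.g. CWR, NS), is not
    # something a conforming ECN-capable stack would send in a SYN-ACK.
    if hdr["reserved"] or (f & ~VALID_ECN_SYNACK):
        found.append("bad-ecn-or-reserved-flags")
    if hdr["window"] == MAX_WINDOW:
        found.append("max-window")
    if seq_repeats_halves(hdr["seq"]):
        found.append("repeating-seq-halves")
    return found


def scan(packets, from_port=80, min_anomalies=2):
    """Tag SYN-ACKs from from_port that show at least min_anomalies traits."""
    hits = []
    for idx, raw in enumerate(packets):
        hdr = parse_tcp_header(raw)
        if hdr["sport"] != from_port:
            continue
        tags = anomalies(hdr)
        if len(tags) >= min_anomalies:
            hits.append((idx, tags))
    return hits


# Constructed sample headers (not captured traffic): the first two mimic the
# reported pattern, the rest are ordinary packets that must not be flagged.
SAMPLE_PACKETS = [
    build_tcp_header(80, 1234, 0x79027902, 0, SYN | ACK | ECE | CWR, MAX_WINDOW),
    build_tcp_header(80, 2345, 0x4A2E4A2E, 0, SYN | ACK | 0x0200, MAX_WINDOW),  # reserved bit set
    build_tcp_header(80, 3456, 0x1A2B3C4D, 1, SYN | ACK | ECE, 5840),            # valid ECN SYN-ACK
    build_tcp_header(80, 4567, 0x0BADF00D, 1, SYN | ACK, MAX_WINDOW),            # one trait only
    build_tcp_header(4444, 80, 0x5D4B5D4B, 0, SYN, MAX_WINDOW),                  # a SYN, out of scope
]

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {', '.join(tags)}")
```

Run against the constructed samples, only the first two headers clear the threshold; the single-trait SYN-ACK (many stacks legitimately advertise a 65535 window) and the outbound SYN do not, which is the point of requiring more than one trait before calling a packet part of the pattern.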
Mike, May 8th 2004