Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-02 Thread Theodore Baschak
This might be a little late on this thread, however I just saw the following news item on twitter which seemed pertinent to this story: http://www.theregister.co.uk/2016/11/02/william_hill_ddos/ I guess they're a bookie who's under DDoS? Theodore Baschak - AS395089 - Hextet Systems https://ciscod

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-02 Thread Christian Kildau
There is some nice research regarding systems "abusable" for reflection by tcp port and the amplification factor depending on the OS: http://www.christian-rossow.de/publications/tcpamplification-woot2014.pdf And in more detail: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
Most of those networks are served by Prolexic DDOS mitigation (AS 32787), and according to BGPlay have been for a while. (AS carrying untoward material, like a Tor exit node or onion router?) But a couple /24s in the 95.* block are AS14537 Mohawk Internet Tech. in Quebec Canada such as 95.131.188

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
what's the density of open port 21s on the planet though? trying to estimate the traffic resulting against the two target /21s. Your dump only has 2 IPs in it though, on your /19 so not representative. My dump is 500 synacks returned in 14 seconds to 32 ips in a /22. This would give 128M ftp r

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
Yeah it is an oddball attack for sure, here is a 5000 packet sample of what I was seeing in connection to this attack https://mystagic.io/80to21.pcap , don't think it's the entire /0 for ftp port as I am not seeing it on many other subnets, which is why I am thinking someone did a pre-scan before

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Van Dyk, Donovan
I think Ken has nailed it. I think the source addresses are spoofed so you reflect the connection (tcp syn ack) to those source addresses. Get enough of those connections and the server is dead. Since your port 21 is open telnet 109.72.248.114 21 Trying 109.72.248.114... Connected to 109.72.24
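The exchange Donovan describes, as an added example that is not part of the thread: a toy Python model of one reflector (an open FTP port, using the target address from the captures below) and a spoofed /24 of "sources" that are the real victims. The attacker forges SYNs carrying the victims' addresses, the reflector answers SYN-ACK toward the victims, and what the victims do next decides the amplification: a victim that answers RST tears the embryonic connection down (little amplification, which is Ken's point about reflected RSTs), while a victim that silently drops the SYN-ACKs makes the reflector retransmit them, which is the amplification vector the Rossow paper linked later in the thread analyses. Packet sizes and the retransmit count are assumptions: 40-byte option-less SYN/RST as in the captures, a 44-byte SYN-ACK with an MSS option, and 5 SYN-ACK retransmissions, which is Linux's default net.ipv4.tcp_synack_retries.

```python
"""Toy model of TCP SYN reflection with spoofed sources (added example, not from the thread)."""
from collections import deque
from dataclasses import dataclass

SYN_BYTES = 40     # assumption: 20 B IPv4 + 20 B TCP, no options, as in the captures
SYNACK_BYTES = 44  # assumption: the reflector's SYN-ACK carries an MSS option
RST_BYTES = 40     # assumption: option-less RST


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # tcpdump notation: "S" SYN, "S." SYN-ACK, "R" RST
    size: int


class Reflector:
    """Open FTP server: tracks embryonic connections and retransmits unanswered SYN-ACKs."""

    def __init__(self, addr, synack_retries=5):
        self.addr, self.retries = addr, synack_retries
        self.half_open = {}   # (peer addr, peer port) -> SYN-ACK retransmissions sent so far
        self.tx_bytes = 0

    def handle(self, p):
        key = (p.src, p.sport)
        if p.flags == "S" and p.dport == 21:
            self.half_open[key] = 0            # new embryonic connection "from" the spoofed peer
            return [self._synack(key)]
        if p.flags == "R" and key in self.half_open:
            del self.half_open[key]            # a valid RST aborts the embryonic connection
        return []

    def retransmit(self):
        """One retransmission-timer tick: re-send SYN-ACK to every peer that never replied."""
        out = []
        for key, n in list(self.half_open.items()):
            if n >= self.retries:
                del self.half_open[key]        # give up after the last retry, as a real stack does
                continue
            self.half_open[key] = n + 1
            out.append(self._synack(key))
        return out

    def _synack(self, key):
        self.tx_bytes += SYNACK_BYTES
        return Pkt(self.addr, 21, key[0], key[1], "S.", SYNACK_BYTES)


class Victim:
    """Spoofed host. It has no such connection, so a normal stack answers each SYN-ACK with RST."""

    def __init__(self, addr, answers_rst=True):
        self.addr, self.answers_rst = addr, answers_rst
        self.rx_bytes = 0

    def handle(self, p):
        self.rx_bytes += p.size
        if p.flags == "S." and self.answers_rst:
            return [Pkt(self.addr, p.dport, p.src, p.sport, "R", RST_BYTES)]
        return []   # SYN-ACK dropped silently (e.g. a stateful firewall in front of the victim)


def run(n_syns, victims_answer_rst, synack_retries=5, ticks=10):
    """Forge n_syns SYNs (one per spoofed victim address) and report what each side sent/received."""
    reflector = Reflector("109.72.248.114", synack_retries)             # target seen in the captures
    victims = {f"141.138.131.{100 + i}": Victim(f"141.138.131.{100 + i}", victims_answer_rst)
               for i in range(n_syns)}                                   # spoofed /24, as in the captures
    hosts = {reflector.addr: reflector, **victims}
    # The attacker forges SYNs with the victims' addresses and source port 80; it never needs
    # to be reachable itself, because every reply goes to the spoofed address.
    queue = deque(Pkt(v, 80, reflector.addr, 21, "S", SYN_BYTES) for v in victims)
    attacker_bytes = sum(p.size for p in queue)
    delivered = 0
    for _ in range(ticks):
        while queue:
            p = queue.popleft()
            delivered += 1
            queue.extend(hosts[p.dst].handle(p))
        queue.extend(reflector.retransmit())
    victim_bytes = sum(v.rx_bytes for v in victims.values())
    return {"attacker_bytes": attacker_bytes, "victim_bytes": victim_bytes,
            "amplification": victim_bytes / attacker_bytes,
            "half_open_left": len(reflector.half_open), "packets": delivered}


if __name__ == "__main__":
    print("victims answer RST:", run(4, True))
    print("victims drop SYN-ACK:", run(4, False))
```

With RST-answering victims the reflector sends one SYN-ACK per forged SYN and the amplification is close to 1; with silent victims it sends 1 + synack_retries SYN-ACKs per forged SYN, which is why the OS and its retry count on the reflector matter so much in the Rossow figures. The same model also shows why the reflector itself suffers: every forged SYN costs it a half-open connection that lingers until the RST arrives or the retries are exhausted, which is the connection throttling Ken saw on cPanel hosts.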

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
lto:selphie.kel...@gmail.com] > *Sent:* November-01-16 1:13 PM > *To:* Emille Blanc > *Cc:* Ken Chase; Oleg A. Arkhangelsky; nanog@nanog.org > > *Subject:* Re: Syn flood to TCP port 21 from privileged port (80) > > > > Does the synflood have tcp option headers? > > &g

RE: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Emille Blanc
Emille Blanc Cc: Ken Chase; Oleg A. Arkhangelsky; nanog@nanog.org Subject: Re: Syn flood to TCP port 21 from privileged port (80) Does the synflood have tcp option headers? I am seeing this same activity at our forward observation system, however it's not showing any tcp options like mss,sa

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Selphie Keller
ur AS. > > Obligatory data should this be of use to anyone listening in. > > -Original Message- > From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase > Sent: November-01-16 12:29 PM > To: Oleg A. Arkhangelsky > Cc: nanog@nanog.org > Subject: Re: Syn flo

RE: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Emille Blanc
- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase Sent: November-01-16 12:29 PM To: Oleg A. Arkhangelsky Cc: nanog@nanog.org Subject: Re: Syn flood to TCP port 21 from privileged port (80) seeing an awful lot of port 80 hitting port 21. (Why would port 80 ever be used as source

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
Not sure why reflected RSTs are the goal here, they're not much of an amplification to the original syn size. Additionally causing a mild dos of my clients' stuff when it begins throttling # of connections, i.e. noticeable. (not that i want to help scriptkids improve their attacks...). I'm guessing p

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Ken Chase
seeing an awful lot of port 80 hitting port 21. (Why would port 80 ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering on and off as the service throttled itself at a couple client sites I manage. I see 540 unique source IPs hitting 32 destinations on my network in

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Oleg A. Arkhangelsky
01.11.2016, 22:06, "Eric Tykwinski" : > Oleg, > > I'm seeing the same to a single client here source IPs seem to be matching up > as well. > I attached a pcap, just so you can compare. > And the same sources: 141.138.128.0 - 141.138.135.255 194.73.173.0 - 194.73.173.127 95.131.184.0 - 95.131.1

Re: Syn flood to TCP port 21 from privileged port (80)

2016-11-01 Thread Oleg A. Arkhangelsky
Hello, A couple of cuts from tcpdump output: 21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0 21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0 21:27:50.413927 IP 95.131.188.179.80 > 10
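One way to pick this pattern out of a tcpdump text dump, as an added example that is not part of the thread: a Python parser for the one-line "tcpdump -n" format shown above that keeps bare SYNs with source port 80 and destination port 21 carrying no TCP options (the absence of mss/sackOK that Emille also noticed, plus the fixed window of 8192, is the tell that these are crafted packets rather than a real stack's connect()), clusters the sources by /24 so the spoofed ranges stand out, and counts the SYN-ACKs the local host reflects back toward those sources. The first two sample lines are copied from Oleg's capture; the remaining lines are constructed for illustration, including one genuine-looking SYN with options and one reflected SYN-ACK.

```python
"""Flag spoofed-source SYNs (sport 80 -> dport 21) in tcpdump -n text output.

Added example, not from the NANOG thread. Sample lines 1-2 are from the
thread's capture; lines 3-6 are constructed.
"""
import ipaddress
import re
from collections import Counter

# "HH:MM:SS.usec IP a.b.c.d.sport > w.x.y.z.dport: Flags [F], <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)
WIN_RE = re.compile(r"\bwin (\d+)")

SAMPLE = """\
21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags [S], seq 2254756684, win 8192, length 0
21:31:55.310011 IP 95.131.188.179.80 > 109.72.248.114.21: Flags [S], seq 1122334455, win 8192, length 0
21:31:55.402210 IP 141.138.131.116.80 > 109.72.248.120.21: Flags [S], seq 998877665, win 8192, length 0
21:31:55.511900 IP 203.0.113.7.51234 > 109.72.248.114.21: Flags [S], seq 556677889, win 29200, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
21:31:55.600000 IP 109.72.248.114.21 > 141.138.131.115.80: Flags [S.], seq 7, ack 1376379766, win 29200, options [mss 1460], length 0
"""


def parse(line):
    """Return a dict for one tcpdump line, or None for anything that does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    w = WIN_RE.search(p["rest"])
    p["win"] = int(w.group(1)) if w else None
    p["has_options"] = "options [" in p["rest"]
    return p


def is_spoofed_syn(p, sport=80, dport=21):
    """Bare SYN, fixed privileged source port, no TCP options: a crafted packet, not a real connect()."""
    return (p["flags"] == "S" and p["sport"] == sport
            and p["dport"] == dport and not p["has_options"])


def is_reflected_synack(p, sport=80, dport=21):
    """The reply our host sends toward the spoofed address, i.e. what the real victim receives."""
    return p["flags"] == "S." and p["sport"] == dport and p["dport"] == sport


def summarize(text):
    pkts = [p for p in map(parse, text.splitlines()) if p]
    syns = [p for p in pkts if is_spoofed_syn(p)]
    return {
        "spoofed_syns": len(syns),
        "reflected_synacks": sum(is_reflected_synack(p) for p in pkts),
        # /24 clustering: the thread's sources sit in a handful of contiguous ranges
        "source_nets": Counter(str(ipaddress.ip_network(f"{p['src']}/24", strict=False))
                               for p in syns),
        "targets": Counter(p["dst"] for p in syns),
        "windows": Counter(p["win"] for p in syns),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(k, dict(v) if isinstance(v, Counter) else v)
```

Run it over `tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 21'` output to get the source-range and target counts the thread was comparing by hand; the /24 keys are what you would check against the ranges others posted before deciding whether to drop or rate-limit SYNs from a fixed source port 80 at the edge.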