HELP-How to kill a SYN Flood at the source-hijacked systems

I've found out from our IT department that two of our computers (running 10.4.2 & 10.2.8) in the same building have been port blocked because they were attacking another IP, (the same one actually). I've only been able to find information on how to combat the problem from a server standpoint. My question (with some UNIX experience as a System Support Tech) is what do I look for and how do I clean the infected machines?

The 10.4.2 has the firewall active with only the ARD and Network Time ports open (besides the hidden defaults). Considering that these two computers are used by the same staff group, is it possible that this attack was triggered by a web browser security hole? (We are checking to see if others have this problem in the building, to see whether it came from an internal source or not.)

Posted on Oct 25, 2005 9:17 AM

8 replies

Oct 25, 2005 9:45 AM in response to J D Knight III

I've found out from our IT department that two of our computers (running 10.4.2 & 10.2.8) in the same building have been port blocked because they were attacking another IP, (the same one actually
Have your IT department define 'attacked.' How many packets, attempting to connect from what port to what port?

Log on to the 'attacking computers' and run tcpdump, see what traffic they are generating. Look at activity monitor, see what processes are running.

You need more information before you can do anything besides unplug the network from the attacking computers.
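As an added example, not part of any reply in this thread: a small Python script that applies the advice above by reading tcpdump output and counting outbound SYN-only packets per destination, so the suspected machine can be checked from its own capture rather than from a one-line firewall alert. The capture lines are constructed for the example, the local address 10.1.2.3 is an assumed placeholder for the suspected machine, and the threshold (5 SYN-only packets to one destination within a second) is an assumed starting point, not a standard.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output (not a real capture); 10.1.2.3 is the
# assumed address of the suspected machine.  Newer tcpdump prints "Flags [S]";
# older builds (such as those shipped with Mac OS X 10.2 to 10.4) print a bare
# "S" before the sequence numbers, so both spellings are handled below.
SAMPLE_TCPDUMP = """\
09:45:01.000100 IP 10.1.2.3.40001 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
09:45:01.000200 IP 10.1.2.3.40002 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
09:45:01.000300 IP 10.1.2.3.40003 > 203.0.113.5.80: Flags [S], seq 3, win 65535, length 0
09:45:01.000400 IP 10.1.2.3.40004 > 203.0.113.5.80: S 4:4(0) win 65535
09:45:01.000500 IP 10.1.2.3.40005 > 203.0.113.5.80: S 5:5(0) win 65535
09:45:01.500000 IP 10.1.2.3.50000 > 198.51.100.9.443: Flags [S], seq 9, win 65535, length 0
09:45:01.600000 IP 198.51.100.9.443 > 10.1.2.3.50000: Flags [S.], seq 100, ack 10, win 65535, length 0
09:45:01.700000 IP 10.1.2.3.50000 > 198.51.100.9.443: Flags [.], ack 101, win 65535, length 0
09:45:02.000000 IP 10.1.2.3.50001 > 192.0.2.20.123: UDP, length 48
"""

# One tcpdump line: timestamp, "IP", src.port > dst.port:, then the TCP flags
# in either the "Flags [S]," form or the old bare "S " form.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\],?|(?P<oldflags>[SFRPUWE.]+) )"
)


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcp_line(line):
    """Parse one tcpdump line into (time, src, dst, dport, pure_syn).
    Returns None for lines that are not TCP (UDP, ICMP, ARP, ...)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rest = line[m.end():]
    if m.group("flags") is not None:
        pure_syn = m.group("flags") == "S"          # "S." is a SYN-ACK, not a SYN
    else:
        # Old format prints "S ... ack N" for a SYN-ACK, so check for the ack.
        pure_syn = m.group("oldflags") == "S" and " ack " not in rest
    return _seconds(m.group("ts")), m.group("src"), m.group("dst"), m.group("dport"), pure_syn


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def count_outbound_syns(text, local_ip):
    """Collect {(dst, dport): [timestamps]} of SYN-only packets sent by local_ip."""
    syns = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_tcp_line(line)
        if parsed is None:
            continue
        t, src, dst, dport, pure_syn = parsed
        if src == local_ip and pure_syn:
            syns[(dst, dport)].append(t)
    return syns


def find_syn_sources(text, local_ip, window_seconds=1.0, threshold=5):
    """Destinations that get at least `threshold` SYN-only packets from local_ip
    inside any `window_seconds` span, mapped to the peak count.  Normal browsing
    opens a handful of connections per server; a machine emitting a SYN flood
    stands out by the rate of half-open attempts to one target, not by the
    mere presence of SYNs."""
    peaks = {key: _max_in_window(times, window_seconds)
             for key, times in count_outbound_syns(text, local_ip).items()}
    return {key: peak for key, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    import sys
    # Usage: tcpdump -n -l -i en0 tcp > capture.txt; python3 synwatch.py 10.1.2.3 capture.txt
    # With no arguments the constructed sample above is analysed.
    local = sys.argv[1] if len(sys.argv) > 1 else "10.1.2.3"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_TCPDUMP
    for (dst, port), peak in sorted(find_syn_sources(text, local).items()):
        print(f"{local} -> {dst}:{port}: {peak} SYN-only packets within one second")
```

Run tcpdump with `-n` so it does not resolve names (which would both slow it down and change the line format), and capture for a few minutes rather than a few seconds, since a flooding process may be quiet between bursts. A destination that is flagged here, together with the process owning the sockets in Activity Monitor or `netstat`, is the piece of information the reply above asks for before doing anything more than unplugging the machine.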

Oct 27, 2005 1:28 PM in response to chairman rod

Well, all we got from IT was that it was chewing up bandwidth. There is nothing in tcpdump nor any funky processes in Activity Monitor (finally got a chance to go thru all).

So from what I can find on SYN Flood (since all data is server-centric) is that a sends instructions or half packet to the unknown/soon to be attacking system that pretends to be an intended target computer and thus starts the loop, if you will, for the attack. I don't know that anything was actually installed/infected on the machine and that the restart cleared the tcp process. Is this thinking correct?

Oct 27, 2005 2:18 PM in response to J D Knight III

Well, all we got from IT was that it was chewing up bandwidth.

That's not much help.

Your understanding of a syn flood is close enough. But a syn flood doesn't (necessarily) mean chewing up bandwidth. It exhausts resources on the target. So perhaps your IT department doesn't have the sharpest pencils in the box... I will avoid ranting about IT departments here 🙂

Perhaps you could get them to tell you the destination port all your traffic was going to? That could help narrow down possible culprits on your end.

I guess, if there was some type of issue causing the 'attacking' machines to spew packets, rebooting certainly could have killed it. Anything stand out in the logs on those machines? Crashed processes running amok or something?

Oct 28, 2005 12:22 PM in response to chairman rod

They (IT) had an automatic message from the firewall that reported MAC address xx was attacking IP xx with SYN Flood and has been filtered. Check the machine. On talking with them they said it was eating bandwidth going out. They couldn't give a port number. As far as competency... my boss/co-worker has more server/network certifications than anyone who works with that equipment (university wide)... the sharpest pencil thing is not far off, nor is it unknown to themselves.

After going thru the logs I didn't find a thing. So, I'm guessing it is ok now.

Funny thing is that other than the university web, the only site I've been to hit was gm.com. So much for their block!
