[Snort-users] help identifying packets from attack
Ing. Daniel Manrique
roadmr at ...5706...
Sun Sep 1 18:40:57 EDT 2002
What a great Sunday it was: my network suffered a brutal attack that left
us basically disconnected for the better part of 2 hours (well, 80% packet
loss meant any attempts to contact the outside world were pretty futile).
The attack consisted of packets coming from a bunch of different IP
addresses, all targeted at the same IP address within my network (a
customer's server). Now, while the server itself managed to stay
responsive, the sheer amount of packets completely saturated our puny 256k
internet link and had the router's CPU working at 50% capacity (normal
range is below 5%). The link's saturation continued even after I blocked
traffic to the affected host at our main router; obviously, since even
though the router was denying packets, they still had to travel down the
link to reach the router and be denied; and the router denied close to a
million packets in the last 20 minutes of the attack.
Of course, during all this, before the router rules were in place, Snort
found some strange packets (originating from loopback reserved addresses?)
and logged them. My IDS sits on the same LAN segment as the router's
ethernet interface and the victimized server's main ethernet interface.
They look like this (x.x.x.x stands for the targeted server's IP address,
everything else is unchanged):
09/01-18:34:51.447719 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800
127.56.80.150:6638 -> x.x.x.x:41260 TCP TTL:235 TOS:0x0 ID:48690
IpLen:20 DgmLen:40 DF
******S* Seq: 0x0 Ack: 0x4D52D622 Win: 0x62 TcpLen: 20

09/01-18:34:51.523402 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800
127.13.73.170:60921 -> x.x.x.x:41506 TCP TTL:235 TOS:0x0 ID:48936
IpLen:20 DgmLen:40 DF
******S* Seq: 0x0 Ack: 0x37075D9A Win: 0xB81A TcpLen: 20

They came from many, many different addresses, and both origin and
destination ports also varied wildly.
Apparently they have no payload, only control information, and I'm
guessing the ******S* thing means something about SYN, which makes me
initially think it was a syn flood attack. However, that's as far as my
analysis skills go, and they might even be wrong; and I'd really like to
know more about this, so that I can, hopefully, do something to prevent
So, I'd appreciate help interpreting these packets, identifying what kind
of attack they belong to, and finding more information on how to
stop/prevent/detect the situation more accurately. Snort was helpful;
however, apparently it had no way of knowing the packets were some sort of
attack; it only logged them because it thought loopback traffic looked
Thanks in advance for any/all help!
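As an added example (not part of the original post or of Snort), the following script parses packet records in the format Snort logged above and flags the indicators visible in them: a SYN-only segment with no payload (DgmLen 40 = 20-byte IP header + 20-byte TCP header), a source address in 127.0.0.0/8, a zero sequence number, a non-zero acknowledgement number with the ACK flag clear, and a SYN carrying no TCP options. It then counts, per destination, how many SYNs arrived and from how many distinct sources and to how many distinct ports, which is the spread the post describes. The sample log is constructed: the two records from the post with the redacted target x.x.x.x replaced by 192.0.2.10 (an assumption), plus one ordinary SYN from the documentation address 198.51.100.7 for contrast. The bogon list and the "forged" heuristics are this example's own assumptions, not Snort rules.

```python
"""Triage Snort packet-log records for SYN-flood indicators (added example)."""
import ipaddress
import re
from collections import defaultdict

# Order of the eight characters in Snort's TCP flag field ("******S*" = SYN only).
FLAG_ORDER = "12UAPRSF"

# Source ranges that should never arrive from the Internet (assumption: a short
# bogon list; a production filter would use a maintained one).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: the post's two records (x.x.x.x -> 192.0.2.10, an assumption)
# plus one ordinary SYN from a documentation address standing in for a real client.
SAMPLE_LOG = """\
09/01-18:34:51.447719 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800
127.56.80.150:6638 -> 192.0.2.10:41260 TCP TTL:235 TOS:0x0 ID:48690
IpLen:20 DgmLen:40 DF
******S* Seq: 0x0 Ack: 0x4D52D622 Win: 0x62 TcpLen: 20

09/01-18:34:51.523402 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800
127.13.73.170:60921 -> 192.0.2.10:41506 TCP TTL:235 TOS:0x0 ID:48936
IpLen:20 DgmLen:40 DF
******S* Seq: 0x0 Ack: 0x37075D9A Win: 0xB81A TcpLen: 20

09/01-18:34:52.100000 0:10:7B:BA:AA:F0 -> 0:60:8:C2:31:A0 type:0x800
198.51.100.7:51234 -> 192.0.2.10:80 TCP TTL:56 TOS:0x0 ID:1001
IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D Ack: 0x0 Win: 0xFFFF TcpLen: 40
"""


def parse_record(text):
    """Parse one multi-line Snort packet record into a dict of fields, or None."""
    hdr = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) TCP TTL:(\d+)", text)
    lens = re.search(r"IpLen:(\d+) DgmLen:(\d+)", text)
    tcp = re.search(r"([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) "
                    r"Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)", text)
    if not (hdr and lens and tcp):
        return None
    iplen, dgmlen, tcplen = int(lens.group(1)), int(lens.group(2)), int(tcp.group(5))
    return {
        "src": hdr.group(1), "sport": int(hdr.group(2)),
        "dst": hdr.group(3), "dport": int(hdr.group(4)), "ttl": int(hdr.group(5)),
        # Map each non-'*' position of the flag string to its flag letter.
        "flags": {FLAG_ORDER[i] for i, ch in enumerate(tcp.group(1)) if ch != "*"},
        "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16),
        "win": int(tcp.group(4), 16), "tcplen": tcplen,
        "payload": dgmlen - iplen - tcplen,  # 40 - 20 - 20 = 0: headers only
    }


def parse_log(text):
    """Split a Snort packet log on blank lines and parse every record."""
    recs = [parse_record(chunk) for chunk in re.split(r"\n\s*\n", text.strip())]
    return [r for r in recs if r]


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def syn_anomalies(pkt):
    """Heuristic reasons a bare SYN looks forged; empty list for an ordinary SYN."""
    if pkt["flags"] != {"S"}:
        return []
    reasons = []
    if is_bogon(pkt["src"]):
        reasons.append("bogon-source")
    if pkt["seq"] == 0:
        reasons.append("zero-seq")
    if pkt["ack"] != 0:  # acknowledgement number set although the A flag is clear
        reasons.append("ack-without-ack-flag")
    if pkt["tcplen"] == 20:  # no TCP options; real stacks almost always send MSS in a SYN
        reasons.append("syn-without-options")
    return reasons


def summarize(records):
    """Per-destination view: SYN count, how many looked forged, source/port spread."""
    acc = defaultdict(lambda: {"syn": 0, "forged": 0, "srcs": set(), "dports": set()})
    for p in records:
        if "S" not in p["flags"] or "A" in p["flags"]:
            continue  # not a connection-opening SYN
        s = acc[p["dst"]]
        s["syn"] += 1
        s["forged"] += 1 if syn_anomalies(p) else 0
        s["srcs"].add(p["src"])
        s["dports"].add(p["dport"])
    return {d: {"syn": s["syn"], "forged": s["forged"],
                "distinct_src": len(s["srcs"]), "distinct_dport": len(s["dports"])}
            for d, s in acc.items()}


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for p in pkts:
        print(f'{p["src"]}:{p["sport"]} -> {p["dst"]}:{p["dport"]} '
              f'flags={"".join(sorted(p["flags"]))} payload={p["payload"]} {syn_anomalies(p)}')
    print(summarize(pkts))
```

Run against a real Snort packet log (e.g. the output of `snort -dev` saved to a file) the per-destination summary is the number to watch: a single target receiving SYNs from hundreds of distinct sources in a few seconds, most of them flagged, is the pattern the post describes. The heuristics are deliberately conservative; a SYN with options, a non-zero sequence number and a routable source produces no reasons, as the third sample record shows.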