From the front line
A number of sites have been seeing unusual SYN-ACK traffic coming from port 80
that at first glance appears to be backscatter from a DDoS attack (the SYN-ACK
replies a server sends back to the spoofed source addresses of a SYN flood). A
closer look leaves us slightly puzzled. Note: these logs have been sanitized to
protect the guilty and the innocent.
Some unusual patterns that a number of us have picked up on from the traffic:
- Different combinations of the TCP reserved / ECN (Explicit Congestion
Notification) flags set. If these were valid ECN SYN-ACKs, they would have
only the SYN, ACK, and ECN-Echo (ECE) flags set; a SYN-ACK with CWR or the
remaining reserved bits set is not what a conforming stack produces.
- The TCP window size is maxed out (65535) on all the packets.
- Sequence numbers have a definite pattern of a repeating 2 bytes
(4 hex characters), examples:
This is unusual, as these sequence numbers are coming from a host that you would
initially assume is suffering a DDoS attack. Has anyone seen this traffic? Got packets?
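The three oddities above can be checked mechanically. The following is an added example, not part of the original diary or the handler's own tooling: it parses the fixed 20-byte TCP header from raw bytes, confirms the packet is a SYN-ACK, and reports (a) ECN/reserved flags other than ECE, (b) a window of 65535, and (c) a sequence number whose upper and lower 16 bits are identical. The packets it runs over are constructed here for illustration and are not the sanitized captures the diary refers to; the function and field names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import List

# TCP flag bits in header byte 13 (RFC 793), ECE and CWR per RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
# NS (RFC 3540) occupies the low bit of byte 12, next to the data offset;
# before ECN these were the "reserved" bits the diary mentions.
NS = 0x100
NINE_BIT_FLAGS = 0x1FF


@dataclass
class TcpHeader:
    sport: int
    dport: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words
    flags: int         # 9-bit field: NS in bit 8, CWR..FIN in bits 7..0
    window: int


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Parse the fixed part of a TCP header (options are ignored)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_ns, flags8, window = struct.unpack("!HHIIBBH", raw[:16])
    data_offset = off_ns >> 4
    flags = ((off_ns & 0x01) << 8) | flags8
    return TcpHeader(sport, dport, seq, ack, data_offset, flags, window)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int,
                     flags: int, window: int) -> bytes:
    """Build a 20-byte TCP header (checksum and urgent pointer left zero)."""
    off_ns = (5 << 4) | ((flags >> 8) & 0x01)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       off_ns, flags & 0xFF, window, 0, 0)


def is_syn_ack(h: TcpHeader) -> bool:
    return (h.flags & (SYN | ACK)) == (SYN | ACK) and not (h.flags & (RST | FIN))


def backscatter_anomalies(h: TcpHeader) -> List[str]:
    """Return the diary's three oddities that apply to a SYN-ACK (empty if none)."""
    reasons: List[str] = []
    if not is_syn_ack(h):
        return reasons
    # A valid ECN SYN-ACK carries ECE only; CWR or NS on a SYN-ACK is not standard.
    bad_ecn = h.flags & (CWR | NS)
    if bad_ecn:
        reasons.append(f"reserved/ECN bits beyond ECE set: 0x{bad_ecn:03x}")
    if h.window == 0xFFFF:
        reasons.append("window maxed out at 65535")
    if (h.seq >> 16) == (h.seq & 0xFFFF):
        reasons.append(f"seq 0x{h.seq:08x} repeats the 16-bit value 0x{h.seq & 0xFFFF:04x}")
    return reasons


# Constructed sample packets (not the diary's sanitized captures).
LEGIT_SYN_ACK = build_tcp_header(80, 40000, 0x9A3F1C2D, 0x00000001, SYN | ACK | ECE, 5840)
ODD_SYN_ACK_CWR = build_tcp_header(80, 40001, 0x4E3A4E3A, 0x00000001, SYN | ACK | ECE | CWR, 0xFFFF)
ODD_SYN_ACK_NS = build_tcp_header(80, 40002, 0x12341234, 0x00000001, SYN | ACK | NS, 0xFFFF)


def scan(packets: List[bytes]) -> List[List[str]]:
    """Run the anomaly checks over a list of raw TCP headers."""
    return [backscatter_anomalies(parse_tcp_header(p)) for p in packets]


if __name__ == "__main__":
    for pkt, result in zip([LEGIT_SYN_ACK, ODD_SYN_ACK_CWR, ODD_SYN_ACK_NS],
                           scan([LEGIT_SYN_ACK, ODD_SYN_ACK_CWR, ODD_SYN_ACK_NS])):
        h = parse_tcp_header(pkt)
        print(f"{h.sport}->{h.dport} flags=0x{h.flags:03x} win={h.window} "
              f"seq=0x{h.seq:08x}: {result or 'ordinary SYN-ACK'}")
```

Feeding the function real captures only requires slicing the TCP header out of each frame (14 bytes of Ethernet plus the IPv4 header length); genuine backscatter from a busy web server should trip none of the three checks, so any packet that trips all three is worth pulling the full trace for.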
Handler on Duty: Mike Poor <mike .at. intelguardians.com>
May 8th 2004