
URGENT: denial of service



Today was the launch of our shiny new web site. By 10:30am we had a 
persistent denial-of-service attack occurring.

We used these methods to find it:

1. TCPdump indicated win/ack pairs many times per second.

2. a LanPharoah network monitor indicated repeated port-scanning activity.

3. netstat revealed many sockets in SYN_WAIT state.

4. the server was unable to serve pages while lightly loaded (0.68!)

After we found it we installed a router packet-filter rule (now known as 
the GOOB filter) denying the entire range of IPs from this host.

Later we took the filter rule off, and the attack commenced again.

I was unable to ping, trace, or nslookup the host that attacked us. 

Is this the (in)famous "port stuck half-open" attack? How can I defeat 
this? I also found many "connection-refused" messages in syslog from the 
various wrappers I've installed. 

I've filed this incident with CERT, and I'm trying to find ways to 
eliminate the attack. With the filter rule we applied, nobody from the 
Class C he's in can access our pages, plus if the attacker is 
sophisticated the IP will change. I've contacted the administrator of the 
B license the attack came from, and was told he would "take a look."

Any suggestions are greatly appreciated. 

If you prefer to respond via e-mail, please respond to the address below:

-John ( jmcphail@mail.kcstar.com )
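The netstat check described in the post (many half-open sockets, then a decision to block a whole /24), as an added example that is not part of the original message: it parses `netstat -n` style output, counts half-open connections per remote /24, and flags the networks above a threshold so the block decision rests on a number rather than a glance. It assumes Linux-style output, where the half-open state is printed as SYN_RECV (SYN_RCVD on some BSDs); the addresses are constructed from documentation ranges, not from the incident.

```python
"""Count half-open TCP connections per remote /24 from `netstat -n` output."""
import ipaddress
from collections import Counter

# Linux netstat labels a half-open connection (SYN seen, handshake never
# completed) SYN_RECV; some BSDs print SYN_RCVD. Both are treated alike.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}

# Constructed sample of `netstat -nt` lines (RFC 5737 documentation addresses):
# a burst of half-open connections from one /24 plus ordinary traffic.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.12:40004     SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.6:51001       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.8:52000       ESTABLISHED
"""


def half_open_by_network(netstat_text: str, prefixlen: int = 24) -> Counter:
    """Return a Counter of half-open connections keyed by remote network."""
    counts: Counter = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP entry
        if fields[5] not in HALF_OPEN_STATES:
            continue
        host = fields[4].rsplit(":", 1)[0]  # strip the remote port
        net = ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def flag_sources(netstat_text: str, threshold: int = 3) -> list:
    """Networks whose half-open count meets the threshold, busiest first."""
    counts = half_open_by_network(netstat_text)
    return [net for net, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for net, n in half_open_by_network(SAMPLE_NETSTAT).most_common():
        print(f"{net:20} {n} half-open")
    print("flagged:", flag_sources(SAMPLE_NETSTAT))
```

On a live host, feed it the output of `netstat -nt` and watch the per-network counts over a few minutes; a single /24 holding most of the half-open sockets while the load average stays low matches the symptom in the post.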
