False SYN attacks?

Hank Nussbacher hank at ibm.net.il
Sun Nov 3 08:51:31 UTC 1996


I am curious if other sites have had similar false SYN attacks (this one 
was reported by BBN and SI.NET to us).  Here is the report from the
offending site:
-------------------------------------------------

As a result of a potential SYN attack that was reported to us and that 
may have originated from NCC, NCC has held an inquiry with a team led 
by myself and including the NC VP for technology, and the NCC System 
Administrator and security officer.

The Inquiry has found the following facts:

NCC Internet connection for all NCC employees relies on a Microsoft Proxy 
Server code named CataPult (Beta Release) which runs on an NT machine. 
It was only installed at NCC several days ago. The product has what it 
defines as a smart cache which decides itself to go fetch via HTTP  
updates of information on the Internet according to URL addresses it 
finds in its cache (which are more likely to be visited once again). 
This in theory provides improved performance for users browsing the 
Internet.

The default update frequency value in this Beta release was set by 
Microsoft to be way too low (a matter of seconds). Once a certain site 
in the cache is too busy and the Proxy Server fails to make the 
connection (like in this case when www.wellsfargo.com failed with cause 
10060 connection timeout), the Proxy tries again. It is easy to 
distinguish on the log between a connection request made by a user and 
a connection attempt made by CataPult Proxy Server.

We are attaching two files which are the log that shows all activity on 
Oct 24th (file a.a) and all specific connection attempts to Wells 
Fargo (file b.b).

We did change the timeout for this retry attempt to be much higher than 
the 1 minute value that was configured by default by Microsoft.
--------------------------------------------------------------

Have other sites been using Catapult and seeing this problem?

Hank 
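
An added example, not part of the original post or the NCC report: a triage heuristic for the situation described above, separating one host retrying on a fixed timer (the proxy behaviour in the report) from SYNs spread across many source addresses. The log line format, addresses, function name and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines: "epoch_seconds src_ip dst_ip:port tcp_flags".
# All addresses are from the documentation ranges; none come from the post.
RETRY_LOOP = [f"{1000 + 5 * i} 192.0.2.10 198.51.100.7:80 S" for i in range(12)]
MANY_SRC = [f"{1000 + i * 0.01:.2f} 203.0.113.{i + 1} 198.51.100.7:80 S"
            for i in range(40)]


def classify_syn_burst(lines, min_syns=10, dominant_share=0.9, max_jitter=0.2):
    """Label a run of bare SYNs toward one server by source spread and timing.

    Returns (label, source). Thresholds are illustrative assumptions.
    """
    by_src = defaultdict(list)
    for line in lines:
        ts, src, _dst, flags = line.split()
        if flags == "S":                      # SYN without ACK
            by_src[src].append(float(ts))

    total = sum(len(t) for t in by_src.values())
    if total < min_syns:
        return ("below-threshold", None)

    src, times = max(by_src.items(), key=lambda kv: len(kv[1]))
    if len(times) / total < dominant_share:
        # No single sender dominates: consistent with spoofed sources.
        return ("many-sources", None)

    times.sort()
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    # Coefficient of variation of the inter-arrival gaps: a timer-driven
    # retry loop has near-constant spacing, so the value stays close to 0.
    jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
    if jitter <= max_jitter:
        return ("single-source-periodic", src)
    return ("single-source-irregular", src)


if __name__ == "__main__":
    print(classify_syn_burst(RETRY_LOOP))
    print(classify_syn_burst(MANY_SRC))
```

A "single-source-periodic" result points at a real, reachable host that can be contacted about a misconfigured client, which is how the report above was resolved.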





