Syn flood to TCP port 21 from priveleged port (80)

Selphie Keller selphie.keller at gmail.com
Tue Nov 1 21:59:49 UTC 2016


Yeah it is an odd ball attack for sure, here is a 5000 packet sample of
what I was seeing in connection to this attack
https://mystagic.io/80to21.pcap , don't think it's the entire /0 for ftp
port as I am not seeing it on many other subnets, which is why I am
thinking someone did a pre-scan before conducting this wacky attack,
otherwise, I would have likely seen other port 21's seeing activity, but so
far any IP that didn't have 21 as an actual service isn't seeing the syn
packets. This could be unique to my location, others observing this attack
may be able to chime in and report what they are seeing if they seen 80 src
syn to port 21 where 21 isn't an actual ftp running. Yeah this is pretty
easy to filter.

On 1 November 2016 at 13:48, Ken Chase <math at sizone.org> wrote:

> Not sure why reflected RSTs are the goal here, they're not much of an
> amplification
> to the original syn size. Additionally causing a mild dos of my clients'
> stuff
> when it begins throttling # of connections, ie noticeable. (not that i
> want to
> help scriptkids improve their attacks...). Im guessing port 80 was chosen
> for improved
> fw piercing.
>
> Sure is widespread though, 5 clients on very different networks all seeing
> similar
> saturation. Someone has a nice complete prescanned list of open ftps for
> the
> entire internet out there (or are they just saturating the whole /0?)
>
> Easy to filter though:
>
> tcp and src port 80 and src net '(141.138.128.0/21 or 95.131.184.0/21)'
> and dst port 21
>
> Adapt for your fw rules of choice.
>
> /kc
>
>
> On Tue, Nov 01, 2016 at 07:39:40PM +0000, Van Dyk, Donovan said:
>   >I think Ken has nailed it. I think the source addresses are spoofed so
> you reflect the connection (tcp syn ack) to those source addresses. Get
> enough of those connections and the server is dead.
>   >
>   >Since your port 21 is open
>   >
>   >telnet 109.72.248.114 21
>   >Trying 109.72.248.114...
>   >Connected to 109.72.248.114.
>   >Escape character is '^]'.
>   >
>   >Your address was probably scanned and saw it could be used in the
> attack.
>   >
>   >Regards
>   >--
>   >Donovan Van Dyk
>   >
>   >SOC Network Engineer
>   >
>   >Office: +1.954.620.6002 x911
>   >
>   >Fort Lauderdale, FL USA
>   >
>   >
>   >
>   >
>   >The information contained in this electronic mail transmission and its
> attachments may be privileged and confidential and protected from
> disclosure. If the reader of this message is not the intended recipient (or
> an individual responsible for delivery of the message to such person), you
> are strictly prohibited from copying, disseminating or distributing this
> communication. If you have received this communication in error, please
> notify the sender immediately and destroy all electronic, paper or other
> versions.
>   >
>   >
>   >On 11/1/16, 3:29 PM, "Ken Chase" <math at sizone.org> wrote:
>   >
>   >    seeing an awful lot of port 80 hitting port 21. (Why would port 80
>   >    ever be used as source?). Also saw a buncha cpanel "FAILED: FTP"
> alerts flickering
>   >    on and off as the service throttled itself at a couple client sites
> I manage.
>   >
>   >    I see 540 unique source IPs hitting 32 destinations on my network
> in just 1000
>   >    packets dumped on one router.
>   >
>   >    All from multiple sequential registered /24s in whois, but all from
> one
>   >    management company:
>   >
>   >    141.138.128.0/21 and 95.131.184.0/21
>   >
>   >    role:           William Hill Network Services
>   >    abuse-mailbox:  networkservices at williamhill.co.uk
>   >    address:        Infrastructure Services 2 City Walk Sweet Street
> Leeds LS11 9AR
>   >
>   >    AS49061
>   >
>   >    course, synfloods can be spoofed... perhaps they're hoping for a
> retaliation
>   >    against WHNS.
>   >
>   >    /kc
>   >
>   >    On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
>   >      >Hello,
>   >      >
>   >      >A couple of cuts from tcpdump output:
>   >      >
>   >      >21:31:54.995170 IP 141.138.131.115.80 > 109.72.248.114.21: Flags
> [S], seq 1376379765, win 8192, length 0
>   >      >21:31:55.231925 IP 194.73.173.154.80 > 109.72.241.198.21: Flags
> [S], seq 2254756684, win 8192, length 0
>   >      >21:27:50.413927 IP 95.131.188.179.80 > 109.72.248.114.21: Flags
> [S], seq 3619475318, win 8192, length 0
>   >      >21:27:50.477014 IP 95.131.191.77.80 > 109.72.248.114.21: Flags
> [S], seq 2412690982, win 8192, length 0
>   >      >
>   >      >Does anyone seeing this right now (18:31 UTC)? I see this traffic
>   >      >on at least two completely independent ISPs near Moscow. The
>   >      >rate is about a few dozen PPS hitting all BGP-announced networks.
>   >      >
>   >      >--??
>   >      >wbr, Oleg.
>   >      >
>   >      >"Anarchy is about taking complete responsibility for yourself."
>   >      >?? ?? ?? Alan Moore.
>   >
> --
> Ken Chase - math at sizone.org Guelph Canada
>
>



More information about the NANOG mailing list