[Gllug] Under attack from Russia

Robert McKay robert at mckay.com
Thu Aug 27 00:34:25 UTC 2009


On Thu, Aug 27, 2009 at 12:11 AM, Alain Williams <addw at phcomp.co.uk> wrote:

> My web server (bytemark VM) is experiencing a SYN flood attack from a site
> in Russia.
> This is where they send the TCP SYN packet but then ignore the reply from
> my machine.
> The packets all come from 193.169.4.X & 193.169.5.X, where X is incremented
> 0..255.
> There is nothing in the Apache log files for this.
>
>
[snip]

193.169.4.0/23 is not routed at the moment. It is unlikely that the SYN
flood is really coming from there. Most likely someone is spoofing the SYN
packets. Unfortunately this could be coming from anywhere. The only way to
trace it is interface by interface, ISP by ISP. It will probably be quite
difficult to get cooperation from all the ISPs to do this.

Interestingly, my machine has recently been involved with an attack against
193.169.4.0/23 using DNS. Basically someone is spoofing DNS queries to my
nameserver for . (ie: the root zone) NS (nameserver records) from random IPs
in 193.169.4.0/23 and I'm sending replies to that network. Actually the
reply I'm sending is "query refused", but it was still sending that.
Probably they are doing this on a large scale and that is also quite
possibly why the route has been withdrawn (to prevent flooding their inbound
links from all the people trying to reply to requests supposedly from them).

It's probable that your SYN-ACKs (replies to the SYN) were also being used as
a flood against 193.169.4.0/23. Although it's not an amplification attack,
it makes it very hard for them to track the original source of the flood.

I certainly have no idea who's doing this or why, but 193.169.4.0/23 are the
victims here not the aggressors.

Rob.
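The reasoning in Rob's reply can be mechanised against a packet capture. The script below is an added example, not code from the original post or from anyone on this list. It assumes tcpdump-style text lines (constructed inline, not from Alain's server), a constructed stand-in for a routing-table lookup in place of a real BGP or looking-glass query, and the Linux default of net.ipv4.tcp_synack_retries=5. It groups SYNs that never complete a handshake by source /23, checks whether the sources walk consecutively through the prefix (the signature of a generator incrementing X through 0..255), checks whether the prefix is routed at all, and estimates how many SYN-ACKs the server reflects back at the spoofed prefix.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed tcpdump-style sample (not from the original post): six SYNs whose
# sources walk consecutively through 193.169.4.x and 193.169.5.x and never
# complete the handshake, plus one legitimate client that does.
SAMPLE_LOG = """\
00:34:01.000101 IP 193.169.4.0.40001 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.000202 IP 193.169.4.1.40002 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.000303 IP 193.169.4.2.40003 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.000404 IP 193.169.4.3.40004 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.000505 IP 193.169.5.0.40005 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.000606 IP 193.169.5.1.40006 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
00:34:01.100000 IP 203.0.113.7.51000 > 10.0.0.5.80: Flags [S], seq 100, win 65535, length 0
00:34:01.120000 IP 203.0.113.7.51000 > 10.0.0.5.80: Flags [.], ack 1, win 65535, length 0
00:34:01.130000 IP 203.0.113.7.51000 > 10.0.0.5.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
"""

# Constructed stand-in for a routing-table lookup (a real check would query a
# BGP table or looking glass). 193.169.4.0/23 is deliberately not covered.
ROUTED_PREFIXES = [ipaddress.ip_network(p) for p in
                   ("10.0.0.0/8", "193.169.0.0/22", "203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")


def parse(log):
    """Parse tcpdump text lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def half_open_syns(records):
    """Return SYNs whose (src, sport) flow never sent a follow-up ACK.

    A spoofed source never sees the SYN-ACK, so it can never answer it; a
    real client completes the handshake before doing anything else.
    """
    acked = set()
    for r in records:
        if "S" not in r["flags"] and "." in r["flags"]:
            acked.add((r["src"], r["sport"]))
    return [r for r in records
            if r["flags"] == "S" and (r["src"], r["sport"]) not in acked]


def longest_consecutive_run(addresses):
    """Longest run of numerically consecutive IPv4 addresses in the set.

    A generator walking X through 0..255 leaves a long run; genuine clients
    scattered across a prefix do not.
    """
    ints = sorted({int(ipaddress.ip_address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def is_routed(prefix, table=ROUTED_PREFIXES):
    """True if the prefix (str or ip_network) lies inside any routed prefix."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(r) for r in table)


def summarize(log, synack_retries=5, table=ROUTED_PREFIXES):
    """Group half-open SYNs by source /23 and score each group.

    synack_retries=5 is the Linux net.ipv4.tcp_synack_retries default, so each
    unanswered SYN makes the server send 1 + 5 = 6 SYN-ACKs towards the
    (spoofed) source: that is the reflected load the victim prefix absorbs.
    """
    groups = defaultdict(list)
    for r in half_open_syns(parse(log)):
        net = ipaddress.ip_network(f"{r['src']}/23", strict=False)
        groups[str(net)].append(r["src"])
    summary = {}
    for prefix, sources in groups.items():
        summary[prefix] = {
            "half_open": len(sources),
            "longest_run": longest_consecutive_run(sources),
            "routed": is_routed(prefix, table),
            "reflected_synacks": len(sources) * (1 + synack_retries),
        }
    return summary


if __name__ == "__main__":
    for prefix, s in summarize(SAMPLE_LOG).items():
        verdict = "likely spoofed" if not s["routed"] or s["longest_run"] >= 4 else "unclear"
        print(prefix, s, verdict)
```

On the constructed sample the only group is 193.169.4.0/23: six half-open SYNs, a run of four consecutive sources, no covering route, and 36 SYN-ACKs reflected at the prefix. The legitimate client from 203.0.113.7 completes its handshake and is not counted. The unrouted check is the decisive one for Rob's point: a host that cannot receive packets cannot have sent a SYN it expected a reply to.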