
List:       sidewinder
Subject:    RE: [Sidewinder] Possible stealth connection attack
From:       sidewinder-admin () adeptech ! com
Date:       2003-03-02 23:12:50

My guess is that these are probably innocuous, and represent browsers
killing connections with RST after sending SYN, but no data transfer begins.

We see something else curious on one of our addresses -- attempts to send
our DNS server a packet before a SYN (possibly even a fragment), about 6 to
10 of these a day, all from bt.net.

JRJ

-----Original Message-----
From: sidewinder-admin@adeptech.com
[mailto:sidewinder-admin@adeptech.com]
Sent: Sunday, March 02, 2003 11:00 AM
To: sidewinder@adeptech.com
Subject: Sidewinder digest, Vol 1 #323 - 1 msg

Message: 1
Date: Sun, 02 Mar 2003 02:30:34 -0800
To: sidewinder@adeptech.com
Subject: RE: [Sidewinder] Possible stealth connection attack
Cc: <sidewinder@adeptech.com>
From: sidewinder-admin@adeptech.com
Reply-To: sidewinder@adeptech.com

We have seen lots of these alerts in our logs, and after running it down 
most all seem to be related to people browsing through our reverse web 
proxy (squid). It looks like an ip browses successfully for quite a while, 
and then for whatever reason at the end of their browsing they generate one 
of these alerts.

By lots of these alerts I mean in one day we get about 200 of them, and our 
web site only gets about 35,000 hits a day. We run 5.2.1.07.

These alerts come in two flavors in my experience, and all relate to our 
web proxy:

Less Frequent example:
srcport: 29816 dstport: 80 srcburb: 1
information: Possible connection attack; RST with no data transfer

More frequent example:
srcport: 37005 dstport: 80 srcburb: 1
information: Possible stealth connection attack

Not sure if that helps.

Jeff Moss

_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder