
If the purpose of a SYN flood attack is to make the target unresponsive to normal traffic, the same as any other DoS, wouldn't this attack generally be directed at a public server rather than a private user? What would be the thinking behind directing such an attack at a private user?

EDIT

The firewall in question, used in a secured home office, reported a series of SYN Flood matches on various requests coming in over a ten-second period. The IP and country of origin changed with every request, so it appears (obviously) not to be a direct attack. This is the only network traffic recorded that appeared to be out of whack, and none of these IPs are showing up anywhere else in the log.

What methods of analysis can I use, outside of reviewing the firewall logs, to determine if/what was done by the malicious user before or after this attack?

Here is the log file, with obvious elements obscured. The only thing to note is that the IP changed with each request. This is a static IP, which is very closely watched. This marks the first time any traffic of this nature has been flagged over a period of 12 months through this firewall (a Cisco LRT214):

Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=12552 DF PROTO=TCP SPT=53687 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=12320 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=26736 DF PROTO=TCP SPT=62637 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32708 DF PROTO=TCP SPT=59263 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=28141 DF PROTO=TCP SPT=51584 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=11447 DF PROTO=TCP SPT=57275 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=19678 DF PROTO=TCP SPT=61655 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=724 DF PROTO=TCP SPT=52191 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:03 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=17982 DF PROTO=TCP SPT=52394 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:03 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1882 DF PROTO=TCP SPT=58462 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:03 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=2580 DF PROTO=TCP SPT=51861 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:03 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=5245 DF PROTO=TCP SPT=49869 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=25753 DF PROTO=TCP SPT=49344 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=12321 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=27245 DF PROTO=TCP SPT=62637 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=106 ID=28957 DF PROTO=TCP SPT=51584 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=11518 DF PROTO=TCP SPT=62886 DPT=13766 WINDOW=63443 RES=0x00 SYN URGP=0
Aug  8 14:08:05 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=24093 DF PROTO=TCP SPT=53653 DPT=13766 WINDOW=65535 RES=0x00 SYN URGP=0
Aug  8 14:08:10 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=12322 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:10 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=28522 DF PROTO=TCP SPT=62637 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:10 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=5462 DF PROTO=TCP SPT=57172 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:10 2015 [ROUTER NAME OBSCURED] kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=[REMOTE IP OBSCURED] DST=[LOCAL IP OBSCURED] LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=29794 DF PROTO=TCP SPT=51584 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0

EDIT

Questions have been re-combined. Will someone please remove the duplicate (which I was specifically asked to separate as a second question, by board moderators, in the first place)?

Hmm, looks like not. Whatever.

  • You just posted a duplicate of your own question? Why not edit the other one? – ThoriumBR Aug 10 '15 at 14:57
  • The first paragraph is essentially the same between the two. – ThoriumBR Aug 10 '15 at 15:03
  • Is this so-called "private user" connected to the internet? – JOW Aug 10 '15 at 16:07
  • @ThoriumBR The question has been edited. JOW, if the machine was not connected to the Internet, I would be setting up gun turrets, not firewalls. The "private user" is me. – FurryWombat Aug 10 '15 at 19:58
  • 1
    @ACommonDev, you might setup gun turrets and then gift wrap them with lipstick, but there are three things that you assume wrong here. 1. a firewall is used to segregate networks, it doesn't always have to be connected to the internet. 2. why wouldn't anyone want to attack a private user, especially when u have gun turrets pointed at them. 3. this could be broadcast traffic. – JOW Aug 10 '15 at 20:48
  • @JOW Now we're talking! Okay. You are partially correct. Following a simple chain of logic, for starters, if the machine was not connected to the Internet we wouldn't be having this conversation. To your other points, 2) (and laugh), 3) WHOIS records for the 22 remote IPs checked provide locations which range from Bahamas to Paris. Whoever is doing this knows exactly what they are doing, and perhaps I'm putting on an aluminum foil hat here in saying this, but I am 100% confident that this was directed at me and me alone. – FurryWombat Aug 10 '15 at 20:56
  • @ACommonDev based on the comments in the [linked thread](http://security.stackexchange.com/questions/96460/syn-flood-attack-on-private-user-steps-for-post-analysis?noredirect=1#comment165919_96460), there are 22 destination addresses and 22 source addresses. Do you use any of those 44 IP addresses in your internal network? – JOW Aug 10 '15 at 21:21
  • @JOW No, we do not. All of the IP locations, or most, appear to be residential in nature and dispersed throughout the globe. – FurryWombat Aug 10 '15 at 21:23
  • @JOW, to be clear, the destination IP is the same in every instance. It is the remote IP that is cycling. – FurryWombat Aug 10 '15 at 21:30
  • @ACommonDev this destination IP address, is it your public IP address? – JOW Aug 10 '15 at 21:42
  • @JOW Yes, it is. Or was. Static IP. Changed it yesterday. – FurryWombat Aug 10 '15 at 21:54

1 Answer
  • I am ruling out multicast traffic as the source IPs seem to be available in the IP databases.

  • Port 13766 is not a commonly used port; I could not find any software that uses this specific port. I really find it odd for someone to target this port.

  • This is NOT a SYN flood because it was only 22 packets per second. A real SYN flood will use thousands/sec. Also, why would anyone try to SYN flood a port that is not even used by a service?

  • These 22 requests/sec are not something that can choke your internet pipe either.

So, if this was a coincidence, then what caused it? Frankly, I don't know. The below is what I can think of, out of experience.

  • A routing problem with your ISP. Most routing protocols take a few seconds to recover from a routing problem; usually packets will be dropped by the ISP's router, but with some technologies like MPLS, that may not always be the case.
  • Is it possible that this is a scan performed by a malicious user targeting recipients with known IPs on port 13766, possibly leveraged by malware delivered either via email (unlikely, and IPs would be unknown) or via HTTP download or client-side JS hack? Perhaps this theory would allow me to remove my aluminum foil hat and assume that I was one of many phished targets? Would this be more, or less, likely than a routing problem with our ISP? – FurryWombat Aug 11 '15 at 15:48
  • No, because if that is the case, then you would see someone trying to make just one or two connections periodically. – JOW Aug 12 '15 at 09:53
  • We are never going to know the real reason why this happened, are we? Are you confident that this could have truly been caused by a routing problem with my ISP? How would that explain source IPs from Paris, Bahamas, etc.? Our ISP doesn't even have an office anywhere near Paris as far as I'm aware. – FurryWombat Aug 12 '15 at 13:51
  • Maybe someone else might be able to explain why it happened, but I can't (based on the available info). But I am confident when I say that this is not some kind of DoS attempt. – JOW Aug 12 '15 at 15:39
  • 1
    I don't think it is either at this point but is likely to be a malicious action of some kind. Not much we can do except change the IP and implement a proxy of some kind to prevent this sort of thing moving forward. – FurryWombat Aug 12 '15 at 16:04
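The answer's reasoning (rate far below flood volume, many distinct real sources, a single unusual destination port) can be checked mechanically against the LRT214 log format quoted in the question. The script below is an added example, not code from the thread or from Cisco: it parses lines in that format, computes the peak per-second SYN rate, the spread of sources, TTLs and destination ports, and counts flows where the same SRC/SPT pair reappears with an incrementing IP ID, which is what a real host retransmitting an unanswered SYN looks like (the posted log shows this for SPT 55785, 62637 and 51584 at +3 s and +9 s). The sample lines, router name and addresses are constructed; the 1000 pps threshold is an assumed rule of thumb, not a firewall setting.

```python
import re
from collections import Counter

# Constructed sample in the LRT214 format quoted in the question; the obscured
# SRC/DST fields are replaced with documentation-range addresses.
SAMPLE_LOG = """\
Aug  8 14:08:01 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=12552 DF PROTO=TCP SPT=53687 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.11 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=12320 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:01 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.12 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=32708 DF PROTO=TCP SPT=59263 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:03 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.13 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=1882 DF PROTO=TCP SPT=58462 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:04 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.11 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=119 ID=12321 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
Aug  8 14:08:10 2015 rtr kernel: #warn<4> Blocked - SYN Flood: IN=eth1 SRC=198.51.100.11 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=12322 DF PROTO=TCP SPT=55785 DPT=13766 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Timestamp (day may be padded with two spaces), then the key=value tail.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) .*? SYN Flood: (?P<kv>.*)$")

def parse_line(line):
    """Return the fields of one 'Blocked - SYN Flood' line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = dict(re.findall(r"(\w+)=(\S+)", m.group("kv")))  # bare flags (DF, SYN) are skipped
    return {"ts": m.group("ts"), "src": f["SRC"], "dst": f["DST"], "ttl": int(f["TTL"]),
            "id": int(f["ID"]), "spt": int(f["SPT"]), "dpt": int(f["DPT"])}

def summarize(log_text, flood_threshold_pps=1000):
    """Characterize a burst of blocked SYNs: volumetric flood or a handful of real connection attempts?"""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    per_second = Counter(e["ts"] for e in events)
    # Same source address and source port seen more than once = one host retrying its SYN.
    flows = Counter((e["src"], e["spt"]) for e in events)
    peak = max(per_second.values(), default=0)
    return {
        "packets": len(events),
        "peak_pps": peak,
        "distinct_src": len({e["src"] for e in events}),
        "distinct_dpt": len({e["dpt"] for e in events}),
        "ttl_values": sorted({e["ttl"] for e in events}),
        "retrying_flows": sum(1 for n in flows.values() if n > 1),
        "volumetric": peak >= flood_threshold_pps,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

A peak of a few packets per second, several distinct sources with unrelated TTLs, one destination port and retrying flows is the profile of a few real hosts trying to connect; a volumetric SYN flood would show peak_pps in the thousands and rarely the same SRC/SPT twice.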