From bejtlich@texas.net Sun Jul 16 01:42:48 2000
Date: Tue, 28 Mar 2000 21:06:46 -0600
Subject: SYN flood tool using ACK 674711609
From: Richard and Amy Bejtlich
To: intrusion@sans.org
Cc: sn0rthc@aol.com, j0hngr33n@aol.com, jnovak@jasi.com, Mark Shaw, dittrich@cac.washington.edu, neil.long@computing-services.oxford.ac.uk, robert.visscher@sorta.kelly.af.mil, martin.schlacter@sorta.kelly.af.mil

Hello all,

For over a year we have seen events containing SYN ACK 674711610 and RST ACK 674711610 packets, which I and others theorized were third-party SYN flood effects. I happened to read the following section of the arachNIDS database today:

https://dev.whitehats.com/cgi/test/new.pl/Show?_id=ids252&sort=TIME&search=

which quoted an analysis of the "shaft" DoS tool, written by Sven Dietrich, Neil Long, and Dave Dittrich:

https://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt

Namely,

"alert TCP $EXTERNAL :1024 -> $INTERNAL any (msg: "IDS252/ddos-shaft-synflood-incoming"; flags: S; seq: 674711609;)"

and

"...and looking for TCP packets with sequence numbers of 0x28374839 may locate the TCP SYN packet flood traffic."

0x28374839 is 674711609 in decimal! This is consistent with our observations. A SYN packet with sequence number 674711609 would produce a SYN ACK 674711610 or RST ACK 674711610 packet, depending on the state of the target port.

While I do not know the age of the shaft SYN flood code, I find it exciting that we have identified at least ONE tool which will produce the third-party SYN flood effects we have been seeing! Thanks for the analysis, Sven, Neil, and Dave!

Enjoy,
Richard
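The mechanism the message describes, worked through in code as an added example (this is not code from the original post, from the shaft analysis, or from arachNIDS): a target answering a SYN whose sequence number is the shaft constant 0x28374839 replies with either SYN/ACK (port listening) or RST/ACK (port closed), and in both cases the acknowledgement number is seq+1 = 674711610, which is exactly the backscatter a spoofed third party sees. The TCP header layout is the standard 20-byte RFC 793 header; the sample packets, the listening-port ISN and the label strings are constructed for the demonstration, and checksums are left at zero because nothing here is put on the wire.

```python
import struct

# Fixed initial sequence number quoted from the shaft analysis: 0x28374839 == 674711609.
SHAFT_SEQ = 0x28374839
# A SYN counts as one octet of sequence space, so any reply acknowledges seq + 1.
SHAFT_BACKSCATTER_ACK = (SHAFT_SEQ + 1) & 0xFFFFFFFF   # 674711610

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# 20-byte TCP header without options: sport, dport, seq, ack, offset+flags, window, checksum, urgent.
_TCP_FMT = "!HHIIHHHH"


def build_tcp(sport, dport, seq, ack, flags, window=8192):
    """Serialize a minimal TCP header (no options, zero checksum: offline demo only)."""
    offset_flags = (5 << 12) | flags        # data offset 5 words == 20 bytes
    return struct.pack(_TCP_FMT, sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp(hdr):
    """Return the fields this example needs from a raw TCP header."""
    sport, dport, seq, ack, offset_flags, _win, _csum, _urg = struct.unpack(_TCP_FMT, hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": offset_flags & 0x1FF}


def victim_reply(syn_hdr, port_open, isn=0x11223344):
    """Model what the flooded target sends back to the spoofed source address.

    Listening port  -> SYN/ACK with ack = seq + 1 and the target's own ISN (constructed value).
    Closed port     -> RST/ACK with seq = 0 and ack = seq + 1 (RFC 793 reset rule for a SYN).
    Anything that is not a bare SYN is out of scope and yields None.
    """
    p = parse_tcp(syn_hdr)
    if not (p["flags"] & SYN) or (p["flags"] & ACK):
        return None
    ack = (p["seq"] + 1) & 0xFFFFFFFF
    if port_open:
        return build_tcp(p["dport"], p["sport"], isn, ack, SYN | ACK)
    return build_tcp(p["dport"], p["sport"], 0, ack, RST | ACK)


def classify(hdr):
    """Label a header the way the quoted arachNIDS rule and the backscatter observation would.

    'shaft-synflood-incoming'    : bare SYN carrying the fixed shaft sequence number (what the target sees).
    'shaft-synflood-backscatter' : SYN/ACK or RST/ACK acknowledging seq + 1 (what the spoofed third party sees).
    """
    p = parse_tcp(hdr)
    f = p["flags"]
    if (f & SYN) and not (f & ACK) and p["seq"] == SHAFT_SEQ:
        return "shaft-synflood-incoming"
    if (f & ACK) and (f & (SYN | RST)) and p["ack"] == SHAFT_BACKSCATTER_ACK:
        return "shaft-synflood-backscatter"
    return None


def scan(packets):
    """Run classify() over a capture and return (index, label) for every hit."""
    return [(i, lbl) for i, pkt in enumerate(packets) if (lbl := classify(pkt))]


if __name__ == "__main__":
    # Constructed traffic: one shaft SYN, the two possible replies, and an innocent SYN.
    shaft_syn = build_tcp(1025, 80, SHAFT_SEQ, 0, SYN)
    capture = [
        shaft_syn,
        victim_reply(shaft_syn, port_open=True),
        victim_reply(shaft_syn, port_open=False),
        build_tcp(40000, 22, 0x0BADF00D, 0, SYN),
    ]
    for idx, label in scan(capture):
        p = parse_tcp(capture[idx])
        print(f"pkt {idx}: {label} seq={p['seq']} ack={p['ack']}")
```

The quoted rule additionally restricts the source port to :1024 (ports up to 1024); the example deliberately matches on the sequence number alone, as the sentence from the shaft analysis does, so it also flags floods sent from higher ports. Both reply forms produce the same acknowledgement number, which is why SYN ACK 674711610 and RST ACK 674711610 show up together at a spoofed site regardless of whether the flooded ports were listening.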