Notes from SYN flood attack of 2011.02.

It might be incorrect to even call it a "SYN FLOOD" attack; perhaps it should be called a "SYN TRICKLE" attack, because the packet rate was never very high.

However, since I was still working on the basic iptables rule set, the attack was noticed immediately. And since I did not want to pollute my log files with information from this attack, it was desirable to identify the attack packets and deal with them. In the end the packets were still logged, but with a different identifier string so as to be separable from other information via "grep" commands.
Now, it is important to know that the source IP address is most likely forged, and so adding an iptables rule based on IP address, or even IP address range, is unlikely to completely handle the issue.
However, in this case the TCP window size was always the same and the absolute TCP sequence number was always the same. Furthermore, that particular TCP window size had never appeared before. So, it seemed reasonable to identify and drop packets based on TCP window size. The iptables code fragment:

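# Attack of 2011.02 always had same TCP window size.
# u32 reads 4 bytes at the given offset from the start of the IP header:
#   offset 6,  mask 0xFF   -> byte 9 = IP protocol field (TCP=6)
#   offset 32, mask 0xFFFF -> bytes 34-35 = TCP window size (assumes a 20-byte IP header, no IP options)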
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j LOG --log-prefix "BADZ:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m u32 --u32 "6&0xFF=0x6 && 32&0xFFFF=0xF0FA" -j DROP
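
How the u32 expression above maps onto packet bytes, as an added Python example (not part of the original notes). The packets are constructed, using the field values from the log lines further down; `ihl_aware_rule` is a variant added here that uses the u32 `@` operator to skip the real IP header length, so the window test still lands on the right bytes when IP options are present.

```python
import struct

def u32(pkt: bytes, off: int) -> int:
    """What the u32 match reads at `off`: 4 bytes, big-endian, from the IP header start."""
    return struct.unpack_from("!I", pkt, off)[0]

def page_rule(pkt: bytes) -> bool:
    """The rule from the notes: "6&0xFF=0x6 && 32&0xFFFF=0xF0FA"."""
    is_tcp = (u32(pkt, 6) & 0xFF) == 0x6         # bytes 6..9, low byte = byte 9 = protocol
    window = u32(pkt, 32) & 0xFFFF               # bytes 32..35, low 16 bits = bytes 34..35
    return is_tcp and window == 0xF0FA

def ihl_aware_rule(pkt: bytes) -> bool:
    """Added variant (assumption): "6&0xFF=0x6 && 0>>22&0x3C@12&0xFFFF=0xF0FA"."""
    is_tcp = (u32(pkt, 6) & 0xFF) == 0x6
    ip_hdr_len = (u32(pkt, 0) >> 22) & 0x3C      # IHL nibble * 4 = IP header length in bytes
    window = u32(pkt, ip_hdr_len + 12) & 0xFFFF  # TCP bytes 12..15, low 16 bits = window
    return is_tcp and window == 0xF0FA

def build_syn(window: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 + TCP SYN; checksums left at 0, addresses from documentation ranges."""
    ihl = 5 + len(ip_options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 20,
                     17767, 0x4000, 244, 6, 0,   # ID, DF flag, TTL, PROTO=TCP as in the log
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + ip_options
    tcp = struct.pack("!HHIIBBHHH", 62477, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

# Constructed 4-byte IP options field: NOP, NOP, NOP, End-of-list.
NOP_OPTIONS = b"\x01\x01\x01\x00"

if __name__ == "__main__":
    plain = build_syn(0xF0FA)                    # WINDOW=61690, 20-byte IP header
    with_opts = build_syn(0xF0FA, NOP_OPTIONS)   # same window, 24-byte IP header
    print("page rule, no options:  ", page_rule(plain))
    print("page rule, IP options:  ", page_rule(with_opts))
    print("IHL-aware, IP options:  ", ihl_aware_rule(with_opts))
```

With a 24-byte IP header, offset 32 falls inside the TCP acknowledgement number rather than the window field, so the fixed-offset rule only covers packets without IP options.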

I have not determined if this was just a distraction while some real threat was attempted. It is interesting to note that the last similar attack was 2007.08.11 and I just posted to some forums a few days ago, having not done so for many years prior.

2011.02.20 19:43:34 Begin: Main forged source address sub-net: 203.81.XXX.YYY
2011.02.21 02:51:24 End:
2011.02.21 17:34:?? Begin again: 203.81.XXX.YYY; 114.134.83.YYY
2011.02.22 10:47:06 End (except for a few at 13:30)
2011.02.23 18:31:20 Begin again: 203.81.XXX.YYY; 114.134.83.YYY; and several others
2011.02.24 10:03:01 End:
2011.02.24 21:04:05 Single packet.
2011.02.25 00:24:17 Begin again, but only 8 packets total.
2011.02.25 03:03:53 End:
2011.02.25 And onwards, single packets, typically between about 17:00 and 08:00 the next morning (local time).

Example output from the "sudo iptables -v -x -n -L" command:

pkts bytes target prot opt in    out source     destination
 9   432   LOG    all  --  eth1  *  u32 0x6&0xff=0x6&&0x20&0xffff=0xf0fa LOG flags 0 level 6 prefix `BADZ:'
 9   432   DROP   all  --  eth1  *  u32 0x6&0xff=0x6&&0x20&0xffff=0xf0fa

Over the next few weeks there were isolated packets. It is likely that the source IP address is not forged for these packets:

Mar  7 20:31:33 doug-64 kernel: [967631.214607] BADZ:IN=eth1 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=244 ID=17767 DF PROTO=TCP SPT=62477 DPT=80 WINDOW=61690 RES=0x00 SYN URGP=0
Mar  7 00:36:02 doug-64 kernel: [895899.714021] BADZ:IN=eth1 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=244 ID=17767 DF PROTO=TCP SPT=38736 DPT=80 WINDOW=61690 RES=0x00 SYN URGP=0

For reference, all related syslog entries, since the addition of the above rule (as an edited text file).

For reference, all related packets (as an edited text file).

2011.02.24 Updated 2011.03.09