Wednesday, March 21, 2018

DDoS tcpdump analysis help

We are getting DDoS'ed with a very low-volume but still consistent attack (thousands of IPs per minute, all over the world) on our SMTP server. The problem is that these connections look like a SYN flood but with two ACKs. I don't know how to describe it, but I have some tcpdump logs below. The first example is an actual attack on our port 465; the second one is a regular connection that connects properly.

Has anyone seen anything like this before?

DDOS CONNECTION:

17:40:36.197973 IP 177.239.76.125.62242 > my_local_server.465: Flags [S], seq 854619169, win 8192, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0

17:40:36.198027 IP my_local_server.465 > 177.239.76.125.62242: Flags [S.], seq 3888728441, ack 854619170, win 65535, options [mss 1412,nop,wscale 6,sackOK,eol], length 0

17:40:36.354866 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0

17:40:41.351841 IP my_local_server.465 > 177.239.76.125.62242: Flags [.], ack 1, win 1036, length 0

17:40:41.479040 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0

REGULAR CONNECTION:

17:43:09.995356 IP good_client.34751 > my_local_server.465: Flags [S], seq 912247919, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13408412 ecr 0], length 0

17:43:09.995434 IP my_local_server.465 > good_client.34751: Flags [S.], seq 2057029005, ack 912247920, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3231091032 ecr 13408412], length 0

17:43:09.995794 IP good_client.34751 > my_local_server.465: Flags [.], ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 0

17:43:09.996006 IP good_client.34751 > my_local_server.465: Flags [P.], seq 1:308, ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 307

17:43:09.997766 IP my_local_server.465 > good_client.34751: Flags [.], seq 1:1449, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.997780 IP my_local_server.465 > good_client.34751: Flags [.], seq 1449:2897, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.997790 IP my_local_server.465 > good_client.34751: Flags [P.], seq 2897:4097, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1200

17:43:09.997831 IP my_local_server.465 > good_client.34751: Flags [.], seq 4097:5545, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448

17:43:09.998608 IP good_client.34751 > my_local_server.465: Flags [.], ack 2897, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0

17:43:09.998876 IP good_client.34751 > my_local_server.465: Flags [.], ack 5545, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0
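As an added example that is not part of the original post, the script below parses tcpdump lines like the two captures above and classifies each client flow by what happens after the three-way handshake: the attack flow completes the handshake and then exchanges zero payload bytes for several seconds (the server's later `ack 1, win 1036, length 0` is the only traffic), while the regular flow pushes 307 bytes and receives 5544 bytes within a few milliseconds. It also records whether the SYN carried the TCP timestamp option, which the attack SYNs in the capture lack and the regular SYN has. `SERVER_PORT`, `IDLE_SECONDS` and the verdict names are assumptions chosen for this example; the sample lines are copied from the post.

```python
"""Classify TCP flows from tcpdump text: handshakes that complete and then go
idle versus sessions that actually exchange data (added example; sample lines are
copied from the post above, thresholds are assumptions)."""
import re

SERVER_PORT = "465"   # assumption: the service port the capture was filtered on
IDLE_SECONDS = 3.0    # assumption: how long a handshake-only flow may sit before being flagged

# tcpdump's default one-line TCP format: timestamp, endpoints, flags, ..., length
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$"
)

# Sample capture lines copied verbatim from the post: attack flow, then regular flow
SAMPLE = [
    "17:40:36.197973 IP 177.239.76.125.62242 > my_local_server.465: Flags [S], seq 854619169, win 8192, options [mss 1412,nop,wscale 8,nop,nop,sackOK], length 0",
    "17:40:36.198027 IP my_local_server.465 > 177.239.76.125.62242: Flags [S.], seq 3888728441, ack 854619170, win 65535, options [mss 1412,nop,wscale 6,sackOK,eol], length 0",
    "17:40:36.354866 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:40:41.351841 IP my_local_server.465 > 177.239.76.125.62242: Flags [.], ack 1, win 1036, length 0",
    "17:40:41.479040 IP 177.239.76.125.62242 > my_local_server.465: Flags [.], ack 1, win 259, length 0",
    "17:43:09.995356 IP good_client.34751 > my_local_server.465: Flags [S], seq 912247919, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13408412 ecr 0], length 0",
    "17:43:09.995434 IP my_local_server.465 > good_client.34751: Flags [S.], seq 2057029005, ack 912247920, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3231091032 ecr 13408412], length 0",
    "17:43:09.995794 IP good_client.34751 > my_local_server.465: Flags [.], ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 0",
    "17:43:09.996006 IP good_client.34751 > my_local_server.465: Flags [P.], seq 1:308, ack 1, win 1026, options [nop,nop,TS val 13408412 ecr 3231091032], length 307",
    "17:43:09.997766 IP my_local_server.465 > good_client.34751: Flags [.], seq 1:1449, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448",
    "17:43:09.997780 IP my_local_server.465 > good_client.34751: Flags [.], seq 1449:2897, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448",
    "17:43:09.997790 IP my_local_server.465 > good_client.34751: Flags [P.], seq 2897:4097, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1200",
    "17:43:09.997831 IP my_local_server.465 > good_client.34751: Flags [.], seq 4097:5545, ack 308, win 1026, options [nop,nop,TS val 3231091032 ecr 13408412], length 1448",
    "17:43:09.998608 IP good_client.34751 > my_local_server.465: Flags [.], ack 2897, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0",
    "17:43:09.998876 IP good_client.34751 > my_local_server.465: Flags [.], ack 5545, win 1003, options [nop,nop,TS val 13408412 ecr 3231091032], length 0",
]


def _split_endpoint(ep):
    """'177.239.76.125.62242' -> ('177.239.76.125', '62242'); the port follows the last dot."""
    host, _, port = ep.rpartition(".")
    return host, port


def _seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight (no midnight wrap handling needed here)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a packet dict for one tcpdump line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "t": _seconds(m["ts"]),
        "src": _split_endpoint(m["src"]),
        "dst": _split_endpoint(m["dst"]),
        "flags": m["flags"],
        "length": int(m["length"]),
        "tcp_ts": "TS val" in line,   # TCP timestamp option present on this packet
    }


def classify(f):
    """Attach a verdict to one flow record based on handshake state and payload exchanged."""
    complete = f["syn"] and f["synack"] and f["ack"]
    duration = f["last"] - f["first"]
    if not complete:
        verdict = "incomplete-handshake"
    elif f["client_bytes"] == 0 and duration >= IDLE_SECONDS:
        verdict = "idle-after-handshake"   # handshake done, client never sent data
    elif f["client_bytes"] == 0:
        verdict = "no-data-yet"            # too young to judge
    else:
        verdict = "data"
    return {**f, "duration": round(duration, 3), "verdict": verdict}


def analyse_flows(lines):
    """Group packets by client (host, port) and classify each flow towards SERVER_PORT."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dst"][1] == SERVER_PORT:
            client, to_server = pkt["src"], True
        elif pkt["src"][1] == SERVER_PORT:
            client, to_server = pkt["dst"], False
        else:
            continue   # not a flow to or from the service we are watching
        f = flows.setdefault(client, {
            "syn": False, "synack": False, "ack": False,
            "client_bytes": 0, "server_bytes": 0,
            "first": pkt["t"], "last": pkt["t"], "tcp_ts": None,
        })
        f["last"] = pkt["t"]
        flags = pkt["flags"]
        if to_server:
            if flags == "S":
                f["syn"] = True
                f["tcp_ts"] = pkt["tcp_ts"]        # fingerprint taken from the client's SYN
            elif f["synack"] and "." in flags:
                f["ack"] = True                    # third step of the handshake
            f["client_bytes"] += pkt["length"]
        else:
            if flags == "S.":
                f["synack"] = True
            f["server_bytes"] += pkt["length"]
    return {client: classify(f) for client, f in flows.items()}


def suspicious_clients(results):
    """Distinct client hosts with at least one idle-after-handshake flow (rate-limit candidates)."""
    return sorted({client[0] for client, r in results.items()
                   if r["verdict"] == "idle-after-handshake"})


if __name__ == "__main__":
    results = analyse_flows(SAMPLE)
    for (host, port), r in results.items():
        print(f"{host}:{port:<6} {r['verdict']:<22} in={r['client_bytes']:>5}B "
              f"out={r['server_bytes']:>5}B dur={r['duration']:>6}s tcp_ts={r['tcp_ts']}")
    print("flag:", suspicious_clients(results))
```

Feed it `tcpdump -nn -l port 465` output instead of `SAMPLE` and the idle-after-handshake bucket gives a per-client count you can threshold on; the absence of the timestamp option is only a secondary hint, since plenty of legitimate stacks also omit it.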


