
Sunday, November 27, 2005

Internet Slum: Bizarre Denial of Service Attack--or Something

When testing the new firewall last night, I noticed an average of more than one packet per second dropped by the firewall due to bad TCP connection state--for example receiving an ACK before a SYN (for as we know, all live TCP connections are born in original SYN). These were coming from a limited number of IP addresses, over and over in bursts. Today I ran those IP addresses against the HTTP server log and discovered that they were all requesting a small number of monthly status files within the Webalizer output document tree. Each IP address requested the same file over and over, but the precise file requested within the directory differed among the IP addresses. The referrers specified in the HTTP requests were all spam or pornographic sites, but if you look at those pages (yuck!), they contain no link to the page which is being requested, nor any JavaScript which looks to me like it could be responsible for the requests. I scanned the HTTP log for yesterday and found more than 21000 requests for these files, and that was a light day because the log from the hour spent running on the new firewall had not been merged into the log I examined. As the files being requested are all in excess of 100K, this is a substantial amount of wasted bandwidth. As with the previous denial of service attack, none of the IP addresses which requested these pages ever requested anything else. I suspect that the reason for the malformed TCP sessions reported by the firewall is that they're blasting in requests so fast (I've seen up to 23 in a five second period), that they're violating the TCP connection set-up/tear-down protocol--in any case, the IP addresses responsible for the firewall warnings were precisely those which accounted for the largest number of requests in the log.

I set up a lightweight version of the Gardol program I wrote back in the big attack in 2004 (yes, the documentation isn't finished; the nature of these attacks is such that you don't have a lot of time to abstergify and document code when you're going flat-out trying to figure out what's going on and devise a way to respond to it) and found that when you drop packets from these guys they still keep on trying. One site, located in the Ukraine based on the IP address, tried almost 60,000 times in the first two hours after Gardol started dropping its packets with iptables.

It is atypical that the heavy hitter sites appear to be Unix boxes--most are running SSHD and FTPD. Others, however, are not. Of course it's possible the Unix boxes are firewalls with Windows machines hiding behind their IP address. Of the IP addresses which have made more than 25 consecutive identical requests for the same Webalizer status file (which I'm using as the signature for the attack), four are located in Korea, and one each in the U.S., Ukraine, and Russia. As these are all prime havens for spammers, that reinforces the evidence from the referrer URLs that this has something to do with spam, although I cannot imagine what.
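One way to apply the signature described above to an access log, as an added example that is not the post's Gardol code: it parses Apache combined-format lines, tracks per-IP runs of consecutive identical requests for files under a Webalizer directory, and reports any IP over the threshold together with its referrers and whether it ever asked for anything else. The IPs, paths and referrer in the sample lines are constructed, and the `/webalizer/` prefix is an assumption.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

def find_hammerers(lines, threshold=25, prefix="/webalizer/"):
    """Return {ip: report} for every IP with more than `threshold` consecutive
    identical requests for one file under `prefix`.  Runs are judged within
    each IP's own request stream, so interleaved traffic from other clients
    does not reset them; any non-prefix request from the same IP does."""
    run = {}                                   # ip -> (path, current run)
    best = defaultdict(lambda: (None, 0))      # ip -> (path, longest run)
    referrers = defaultdict(set)               # ip -> referrers seen
    other = defaultdict(set)                   # ip -> paths outside prefix
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip lines that do not parse
        ip, path = m["ip"], m["path"]
        if not path.startswith(prefix):
            other[ip].add(path)
            run[ip] = (None, 0)
            continue
        prev, n = run.get(ip, (None, 0))
        n = n + 1 if path == prev else 1
        run[ip] = (path, n)
        if n > best[ip][1]:
            best[ip] = (path, n)
        if m["referrer"] != "-":
            referrers[ip].add(m["referrer"])
    return {ip: {"path": path, "run": n, "referrers": sorted(referrers[ip]),
                 "only_webalizer": not other[ip]}
            for ip, (path, n) in best.items() if n > threshold}

# Constructed sample traffic: hypothetical IPs, file names and referrer.
def _line(ip, path, referrer):
    return (f'{ip} - - [26/Nov/2005:10:00:00 +0100] "GET {path} HTTP/1.1" '
            f'200 131072 "{referrer}" "Mozilla/4.0"')

SAMPLE_LOG = []
for _ in range(30):                            # one abuser, one normal visitor
    SAMPLE_LOG.append(_line("198.51.100.7", "/webalizer/usage_200510.html",
                            "http://spam.example/"))
    SAMPLE_LOG.append(_line("203.0.113.5", "/index.html", "-"))
    SAMPLE_LOG.append(_line("203.0.113.5", "/webalizer/usage_200511.html", "-"))
```

Feeding the resulting IP list to a packet filter is the step Gardol automates; the report's `only_webalizer` flag is the check that the source never requested anything else.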

Whatever, it isn't just me they're hitting. I searched Google for these IP addresses and file names, and found Webalizer pages showing tens of thousands of hits from them on sites in Japan, Spain, The Netherlands, and Russia among others. As usual, I have no clue what is going on, but at least I'm now confident it isn't a problem with the new firewall. The Internet may be a slum, but as Loudon Wainwright III sang of New York City in Talking Big Apple '75, "it ain't boring".

Posted at November 27, 2005 20:41