
Random IP/Port spoofer

  • 20-08-2003 10:14pm
    #1
    Registered Users Posts: 2,680 ✭✭✭


    Right, I'm fairly sure of who's behind it, but all I'm caring about right now is stopping it.

    A random IP/port is constantly spoofing me:
    TCP Tellox:3757 193.209.109.164:epmap SYN_SENT
    TCP Tellox:3758 193.209.109.165:epmap SYN_SENT
    TCP Tellox:3759 193.209.109.166:epmap SYN_SENT
    TCP Tellox:3760 193.209.109.167:epmap SYN_SENT
    TCP Tellox:3761 193.209.109.168:epmap SYN_SENT

    etc.

    Today, it's been mainly an Italian college IP; yesterday, it was an American military IP (and I'm awful close to emailing abuse@army.mil about it, just to see if anything becomes of it).

    The thought of it being a virus spoofing me was gone when I d/c'd and netstat'd again, but the instant I reconnected, I was being spoofed again.

    This has been going on for a good 7 or so hours so far today, and seeing as I'm behind a permanent IP (DSL), I can't simply reconnect to solve the problem.

    I thought of a firewall, but the entire IP is constantly changing, and the last time I emailed Esat about a thing like this, I received no response.

    Anybody got any ideas on what I can do?


Comments

  • Registered Users Posts: 4,676 ✭✭✭Gavin


    The firewall should be smart enough to cop on that it's a SYN attack from one person.

    What DSL are you using? Not all are permanent IPs.

    Gav


  • Registered Users Posts: 5,514 ✭✭✭Sleipnir


    Any firewall worth its salt should stop this. It's a pretty old type of attack.
    I would email that army addy with the IP and all the information you've been receiving from it. Although normally it's a spoofed IP address not in use on the Internet.
    Run
    netstat -n -p tcp
    Look at the output for entries in a state of SYN_RECEIVED. If you notice multiple entries, your system is vulnerable to attack.

    Best to use a firewall, but you can change Windows to protect yourself against DoS attacks so that SYN requests time out quicker.
    To enable this, read below. Back up the registry first!

    Run regedit
    Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey.
    From the Edit menu, select New, DWORD Value.
    Enter the name SynAttackProtect, then press Enter.
    Double-click the new value, set it to 2, then click OK.
    Close the registry editor.
    Reboot the machine.

    The default value is 0, which offers no protection.
    A value of 1 limits the number of SYN retries and delays the route cache entry when the maximum number of open TCP connections (i.e., the connections in the SYN_RECEIVED state known as TcpMaxHalfOpen) and retries (i.e., TcpMaxHalfOpenRetried) has been met.
    When SynAttackProtect has a value of 2, the effect is similar to when the value is set to 1 but includes a delayed Winsock notification until the three-way handshake involved in the SYN process is complete. Because Windows invokes the SynAttackProtect value only after the system exceeds the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values, I recommend that you also create the TcpMaxHalfOpen and TcpMaxHalfOpenRetried values under the same registry key (both DWORD values) and set them to 100 and 80, respectively.


  • Registered Users Posts: 2,680 ✭✭✭Tellox


    Kan, I've just taken your advice, and it hasn't stopped any of the attacks...

    Once again, the second I connected, they were off again.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Unless you're getting an overwhelming stream of SYN packets, I doubt it's a deliberate SYN flood attempt. Judging by the fact that they're repeatedly trying to connect through the epmap port, I'd imagine that network is a load of NT-based systems that have been infected by the msblast worm and are scanning for potential victims. Your IP could very possibly be on a list of machines that are replying to requests to the RPC server. A lot of our XP and 2K machines in Net House are getting these connection attempts, but are invulnerable as they were patched long ago. Unless these attempted attacks are affecting your connection (and presuming you've patched the RPC bug on your machine) I wouldn't worry about it tbh.
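As an added example (not code from any poster in this thread), the Python below runs the two checks discussed above over constructed `netstat -n -p tcp` output: counting SYN_RECEIVED half-open connections per remote address, as Sleipnir suggests, and spotting outbound SYN_SENT attempts to one port across consecutive addresses, the sweep pattern Cake Fiend's post associates with worm scanning. The 193.209.109.x rows follow the output quoted in the first post (in numeric form, so epmap shows as port 135); the local address and the 198.51.100.7 and 203.0.113.5 rows are constructed from documentation ranges.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample of `netstat -n -p tcp` output. The 193.209.109.x rows follow the
# first post (numeric form, so epmap is port 135); the other addresses are from
# documentation ranges and are not real hosts.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:3757        193.209.109.164:135    SYN_SENT
  TCP    192.0.2.10:3758        193.209.109.165:135    SYN_SENT
  TCP    192.0.2.10:3759        193.209.109.166:135    SYN_SENT
  TCP    192.0.2.10:3760        193.209.109.167:135    SYN_SENT
  TCP    192.0.2.10:3761        193.209.109.168:135    SYN_SENT
  TCP    192.0.2.10:80          198.51.100.7:40001     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40002     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:40003     SYN_RECEIVED
  TCP    192.0.2.10:445         203.0.113.5:51000      ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            lip, lport, rip, rport, state = m.groups()
            rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def half_open_by_remote(rows):
    """Sleipnir's check: inbound half-open (SYN_RECEIVED) connections per remote address."""
    return dict(Counter(rip for _, _, rip, _, state in rows if state == "SYN_RECEIVED"))


def outbound_sweeps(rows, min_hosts=3):
    """Outbound SYN_SENT to one port against a run of consecutive addresses (a sweep).
    Returns {port: [addresses in the longest run]} for runs of at least min_hosts."""
    by_port = defaultdict(set)
    for _, _, rip, rport, state in rows:
        if state == "SYN_SENT":
            by_port[rport].add(ip_address(rip))
    found = {}
    for port, addrs in by_port.items():
        ordered = sorted(addrs)
        best, run = [], [ordered[0]]
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + [cur] if int(cur) == int(prev) + 1 else [cur]
            best = max(best, run, key=len)
        best = max(best, run, key=len)
        if len(best) >= min_hosts:
            found[port] = [str(a) for a in best]
    return found
```

Feed the real `netstat -n -p tcp` output into `parse_netstat` in place of the sample; a non-empty result from `half_open_by_remote` is the condition Sleipnir describes, and a hit from `outbound_sweeps` on port 135 is the epmap pattern Cake Fiend describes.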

