
Re: strange mail connections: msg#00042

security.intrusions

Subject: Re: strange mail connections


Looks to me like a TCP SYN attack with spoofed
IPs.

This can be done with only 1 host with a powerful
connection to the Internet, but these usually create
"half connected" TCP connections.

If the connections you are seeing are completed
with the normal TCP handshake (SYN, SYN/ACK, ACK),
maybe you are seeing real TCP connections from a lot
of compromised hosts.

Maybe you can install a sniffer like tcpdump (or windump
for win) and catch some packets.

I can help analyse the results.

Have a nice day

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau


----- Original Message -----
From: "lola marais" <lola_marais@xxxxxxxxxxx>
To: <intrusions@xxxxxxxxxxxxxx>
Sent: Thursday, May 13, 2004 4:39 PM
Subject: [Intrusions] strange mail connections


> We have the strangest thing happening in our network.
>
> The one incoming mail server is receiving zillions of full TCP connections
> from IP addresses that should not normally connect directly to the email
> server. The connection is passed to the upper session layers as SMTP
> connections. The connections are established but "no message data" is
> present or sent in the packet.
>
> The volume/amount of these connections is causing degradation of the
> server in that it fills the smtp connection table thus not allowing new
> connections.
>
> Is there a new/old attack that could be doing this?
>
> _______________________________________________
> Intrusions mailing list
> Intrusions@xxxxxxxxxxxxxx
> http://www.dshield.org/mailman/listinfo/intrusions
>

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
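
Added example, not part of the original messages: one way to sort a tcpdump capture into the two cases the reply distinguishes (half-open connections versus completed handshakes), plus the "connected but no data" case from the original report. The server address 192.0.2.25:25, the function names and the sample lines are assumptions constructed for illustration; the input is `tcpdump -n` text output.

```python
import re
from collections import Counter

SERVER = ("192.0.2.25", "25")  # assumed mail server IP/port (documentation range)
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
                  r"Flags \[([A-Z.]+)\].*?length (\d+)")

# Constructed sample of `tcpdump -n` text output, not taken from the thread.
SAMPLE = """\
12:00:01.000001 IP 198.51.100.7.40001 > 192.0.2.25.25: Flags [S], seq 100, win 65535, length 0
12:00:01.000100 IP 192.0.2.25.25 > 198.51.100.7.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:02.000001 IP 203.0.113.9.51000 > 192.0.2.25.25: Flags [S], seq 200, win 65535, length 0
12:00:02.000100 IP 192.0.2.25.25 > 203.0.113.9.51000: Flags [S.], seq 600, ack 201, win 65535, length 0
12:00:02.000200 IP 203.0.113.9.51000 > 192.0.2.25.25: Flags [.], ack 1, win 65535, length 0
12:00:02.000300 IP 192.0.2.25.25 > 203.0.113.9.51000: Flags [P.], seq 1:40, ack 1, win 65535, length 39
12:00:32.000001 IP 203.0.113.9.51000 > 192.0.2.25.25: Flags [F.], seq 1, ack 40, win 65535, length 0
12:00:03.000001 IP 203.0.113.20.52000 > 192.0.2.25.25: Flags [S], seq 300, win 65535, length 0
12:00:03.000200 IP 203.0.113.20.52000 > 192.0.2.25.25: Flags [.], ack 1, win 65535, length 0
12:00:03.000400 IP 203.0.113.20.52000 > 192.0.2.25.25: Flags [P.], seq 1:19, ack 40, win 65535, length 18
""".splitlines()

def classify(lines, server=SERVER):
    """Map each client (ip, port) to how far its connection to the server got."""
    flows = {}
    for line in lines:
        m = LINE.search(line)
        if not m or (m[3], m[4]) != server:
            continue  # only client-to-server packets decide the state
        flow = flows.setdefault((m[1], m[2]), {"syn": False, "ack": False, "data": 0})
        flags = m[5]
        if flags == "S":
            flow["syn"] = True
        elif "." in flags and not set("SR") & set(flags):
            flow["ack"] = True         # client ACKed: the handshake was completed
            flow["data"] += int(m[6])  # payload bytes sent by the client
    states = {}
    for client, flow in flows.items():
        if not flow["syn"]:
            continue  # connection started before the capture did
        states[client] = ("half-open" if not flow["ack"] else
                          "established-no-data" if flow["data"] == 0 else
                          "established-with-data")
    return states

def summarize(states):
    """Count connections per state."""
    return Counter(states.values())

if __name__ == "__main__":
    print(summarize(classify(SAMPLE)))
```

A capture dominated by "half-open" entries fits the spoofed SYN explanation, while many "established-no-data" entries from distinct source addresses fit the real-connections case.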


