daknetworks.com


Syn Flooding Machine

In my article FIND COMPUTER ON NETWORK THAT IS SENDING OUT SPAM WITH SONICWALL, I indicate that the logs show the following:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted

This indicates that there is a SYN FLOODING MACHINE on the network sending SYN packets at a rate of 1001 per second. Wow! That's a lot. You can also see above that the DESTINATION is port 25: it is the colon twenty-five (:25) after the dst address.
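As an added example (not code from the original post), here is a small Python parser for the two SonicWall alert formats quoted above. It pulls out the internal source address, the victim port and the blacklisted MAC's SYN rate so the offending machine can be picked out of a larger log; the sample lines are constructed from the two alerts shown, plus one unrelated line to confirm it is skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample, modelled on the two SonicWall alerts quoted in the post
# (MAC partly masked as there); the last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25
46:27.1 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 10.1.10.123:63391 dst: 66.236.42.7:25
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted
46:31.0 Notice Network Access Connection Closed - src: 10.1.10.50:51000 dst: 10.1.10.1:53
"""

# One regex per alert format; the MAC pattern also accepts the 'x' mask characters.
POSSIBLE_FLOOD = re.compile(
    r"^(?P<ts>\S+) Alert Intrusion Prevention Possible SYN Flood on IF (?P<iface>\S+) - "
    r"src: (?P<src_ip>[\d.]+):(?P<src_port>\d+) dst: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")
BLACKLISTED = re.compile(
    r"^(?P<ts>\S+) Alert Intrusion Prevention SYN-Flooding machine on IF (?P<iface>\S+) - "
    r"(?P<mac>[0-9a-fA-Fx]{2}(?::[0-9a-fA-Fx]{2}){5}) with SYN rate of (?P<rate>\d+)/sec blacklisted")

def parse_line(line: str) -> Optional[dict]:
    """Return a dict for either alert format, None for anything else."""
    if m := POSSIBLE_FLOOD.match(line):
        d = m.groupdict()
        return {**d, "kind": "possible_flood",
                "src_port": int(d["src_port"]), "dst_port": int(d["dst_port"])}
    if m := BLACKLISTED.match(line):
        return {**m.groupdict(), "kind": "blacklisted", "rate": int(m["rate"])}
    return None

def parse_log(text: str) -> List[dict]:
    return [e for e in map(parse_line, text.splitlines()) if e]

def summarize(events: List[dict]) -> dict:
    """Internal source IP -> alert count and victim ports, plus MAC -> peak SYN rate."""
    by_ip: Dict[str, dict] = defaultdict(lambda: {"alerts": 0, "dst_ports": set()})
    by_mac: Dict[str, int] = {}
    for e in events:
        if e["kind"] == "possible_flood":
            by_ip[e["src_ip"]]["alerts"] += 1
            by_ip[e["src_ip"]]["dst_ports"].add(e["dst_port"])
        elif e["kind"] == "blacklisted":
            by_mac[e["mac"]] = max(by_mac.get(e["mac"], 0), e["rate"])
    return {"sources": dict(by_ip), "blacklisted": by_mac}
```

Run summarize(parse_log(SAMPLE_LOG)) to get the internal IP (with the port it was hitting) next to the MAC the firewall blacklisted; on a real export, feed the whole file in place of SAMPLE_LOG.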

But what's a SYN FLOODING MACHINE?

A SYN FLOODING MACHINE is a zombie machine participating in a DDOS attack. Uh-oh. Yup... Users. The weak point of all security systems.

A SYN FLOOD ATTACK directs packets to a listening TCP port on a victim server: typically a web server (port 80), an FTP server (port 21) or a mail server (port 25).

When a server receives a SYN packet it returns a SYN-ACK packet to the client to acknowledge that it received the initial packet. More or less:

"Hi" the visitor said.

"How are you?" the host replied.

The problem is that the visitor never acknowledges with a "Just fine."

Until the visitor acknowledges the reply, the host server keeps that half-open connection until it times out. This is typically 75 seconds. Staring for 75 seconds.

If you've ever run a server before, you know that the number of connections is finite. In QPSMTPD, this is set in two places: an overall connection limit (default 40) {config setprop qpsmtpd Instances xx} and a limit per IP ADDRESS (default 5) {config setprop qpsmtpd InstancesPerIP xx}.

Once those connections are all used up, no more connections can be made.

So, in the logs above, the bad client machine on our network was sending about 1000 connection attempts per second to the victim 66.236.42.7, which is owned by XO COMMUNICATIONS and leased for the SAN DIEGO SOURCE's secondary email server connection, mx2.sddt.com (priority 20).

mx1.sddt.com (priority 10) and mx3.sddt.com (priority 30) were not affected.
