WTF!?
The attack on my webserver is a professional one! And the longest one ever experienced by my Internet Service Provider (ISP). Which is totally nuts because it's one of the biggest ISPs in Europe!
It's a DDoS SYN-Flood attack (Distributed Denial of Service - SYN-Flood) and works like this:
DDoS: Several computers worldwide get hacked by a hacker, who then infects them with a program that does nothing but attack our server, without the owners of the infected computers noticing. We're talking about insane numbers of hacked computers worldwide here. Those computers start a
SYN-Flood attack on our server: To establish an internet connection between 2 PCs (client and webserver [http], client and mailserver, 2 computers communicating via messengers, 2 computers communicating via filesharing tools, ...) using the TCP protocol (very common; for simple messages without any connection or delivery control the alternative is UDP), those PCs need to run through a handshake procedure.
The 3-way handshake of TCP: The computer that wants to connect sends a SYN (synchronize) message containing a random number to the other computer. That other computer responds with a SYN/ACK (synchronize/acknowledge) message containing its own random number for the SYN and the number it received + 1 for the ACK. Now the 1st computer has to respond with an ACK containing the server's random number + 1, or with an RST (reset connection) or FIN (terminate connection). Since the connection only becomes established, confirmed and controllable after that last step, there is no way to know whether the 1st computer received the SYN/ACK. So as long as the server doesn't receive an ACK, RST or FIN, it has to assume the SYN/ACK timed out and send it over and over again, keeping the half-open connection in memory all the while. The result is huge memory usage due to many server processes for all the connections, heavy CPU load because of all the connections, and huge amounts of data traffic. Which basically means the server can no longer offer its services and generates lots of expensive data traffic. Just imagine running 60,000-ish programs on your computer. Same effect.
The program the hacker has distributed to his hacked computers only sends the first SYN and then does nothing else, which requires quite some programming skills because usually the handshake is done by the operating system.
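To make the mechanism above concrete, here is a small Python model of the server side of the handshake (an added example, not from the original post): the server holds one half-open entry per SYN, resends the SYN/ACK a few times while waiting for the ACK, and frees the slot only when the ACK arrives or it gives up. Bot SYNs never answer, so they pin the backlog and real clients are dropped; the `syn_cookies` flag shows the standard stateless mitigation. The backlog size, retry count and per-tick arrival rates are made-up parameters.

```python
from dataclasses import dataclass

MAX_RETRIES = 3  # SYN/ACK retransmissions before a half-open entry is given up (assumed)

@dataclass
class HalfOpen:
    src: str              # constructed label for the peer, e.g. "bot-3-1" or "client-3-0"
    completes_ack: bool   # will this peer ever answer the SYN/ACK with an ACK?
    retries: int = 0      # SYN/ACKs resent so far

def simulate(backlog_size, ticks, attack_syns_per_tick, legit_syns_per_tick, syn_cookies=False):
    """Run the server side of the handshake for `ticks` rounds and return counters."""
    queue = []            # half-open entries, bounded by backlog_size
    stats = {"established": 0, "legit_dropped": 0, "synack_retransmits": 0, "expired": 0}
    for tick in range(ticks):
        # 1. Existing half-open entries: either the ACK arrives or the SYN/ACK is resent.
        remaining = []
        for entry in queue:
            if entry.completes_ack:
                stats["established"] += 1        # ACK received: handshake done, slot freed
            elif entry.retries < MAX_RETRIES:
                entry.retries += 1               # no ACK: resend SYN/ACK, slot stays occupied
                stats["synack_retransmits"] += 1
                remaining.append(entry)
            else:
                stats["expired"] += 1            # retry budget exhausted: slot freed
        queue = remaining
        # 2. New SYNs arrive; bot SYNs are listed first because they outnumber real ones.
        arrivals = [HalfOpen(f"bot-{tick}-{i}", False) for i in range(attack_syns_per_tick)]
        arrivals += [HalfOpen(f"client-{tick}-{i}", True) for i in range(legit_syns_per_tick)]
        for syn in arrivals:
            if syn_cookies:
                # Mitigation: SYN cookies encode the state in the SYN/ACK sequence number,
                # so no slot is held and only a peer that returns the ACK is accepted.
                if syn.completes_ack:
                    stats["established"] += 1
            elif len(queue) < backlog_size:
                queue.append(syn)                # SYN/ACK sent, entry is now half-open
            elif syn.completes_ack:
                stats["legit_dropped"] += 1      # backlog full: the real client gets nothing
    return stats

if __name__ == "__main__":
    print("no attack   :", simulate(8, 10, 0, 5))
    print("SYN flood   :", simulate(8, 10, 20, 5))
    print("SYN cookies :", simulate(8, 10, 20, 5, syn_cookies=True))
```

With the flood running, every legitimate SYN is dropped and the server spends its time resending SYN/ACKs to peers that never reply; with cookies enabled the same flood costs no backlog slots at all.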
Sooo now you all know what's happening. A professional hacker has been running a worldwide DDoS SYN-Flood attack targeted at our server for the longest timespan our huge European ISP has ever experienced.
September 3 2005, 11:38:25 UTC
The attacker will most probably have used an internet cafe or open wireless LAN. Which means the attacker is most probably untraceable.