A lethal Denial of Service attack.

I have a question. What can I do about a SYN flood to my server?

I know exactly what it is, how it was done, what was used, but I need help on preventing it.

What is being used is called juno-z.101f.c. It runs on *nix-based OSes.

Juno-z.101f.c is an improved rewrite of juno.c which is faster and better, employing state-of-the-art TCP technologies.

Here is what is written at the beginning of the C source code.
* this is a rewrite of the juno.c syn flooder, some notable improvements:
- faster packet creation (about 4x faster), although the kernel does most
of the work, so don't expect 4x as much output. The speed is partially
due to a new checksum technique that I've created, that is, to use a
16-bit sum counter, and use add-with-carry ops on it, instead of using
a 32-bit counter, then a double-fold at the end. The routine also adds
in fields of the tcp header and pseudo header as it sets up the packet.
This is an improvement over the standard method which is to prep the
packet and then sum it in a completely separate series of operations.
- "sane" source ips, they only come from legitimate class A's, they never
come from the same class as the target, and they never end in 0 or 255
- some packet forgery problems fixed, they should look very much like
an ms-windows system created them now, thus preventing tcp-sanity filters
- now multithreaded, uses up to 16 threads for max output on SMP systems
- better delay processing, no longer limited to 1/100th of a second,
now does up to 1/1000000000th of a second
- now uses direct system calls, thus saving the time to bounce through
library routines. This also eliminates the need for using .h files,
should now compile and run on fbsd with linux portability in the kernel
- performance lists (on program exit) fixed, juno.c and old juno-z.c files
used 1 second timing, this version uses 1/1000000th of a second */
--------------------------------------------------------
I tested this DoS attack on myself: I put up iplog on my server, selected port 80 as the destination port, and this is what I received in iplog.

Jun 5 06:55:10 TCP: www connection attempt from 216.75.156.248:1138
Jun 5 06:55:10 TCP: www connection attempt from 211.61.23.237:1044
Jun 5 06:55:10 TCP: www connection attempt from 24.75.157.249:1048
Jun 5 06:55:38 TCP: www connection attempt from 199.54.138.68:1229
Jun 5 06:55:39 TCP: www connection attempt from 128.245.250.105:1050
Jun 5 06:55:39 TCP: www connection attempt from 202.249.67.39:1053
Jun 5 06:55:39 TCP: www connection attempt from 193.234.177.1:1092
Jun 5 06:55:39 TCP: www connection attempt from soulside.com.criticalpath.net (209.228.156.220):1101
Jun 5 06:55:45 TCP: www connection attempt from 198.78.238.214:1076
Jun 5 06:55:45 TCP: www connection attempt from 194.202.16.63:1053

While this was going on, I could not connect to any websites on my machine that were bound to port 80. (Most are.)

Even after I stopped, I still couldn't. Also, I ran this attack for a max of 10 seconds. There has to be some sort of prevention. In the previous version of juno, the way it attacked you was random IPs with the same source port, :1024 and :3072. It was easy to block that: just block all incoming connections with src port 1024 and 3072. But this one is different; it's an improved version.

If anyone has any idea what I can do to have this stopped, or a comment, please post a reply.

thanks
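Added example (not from the original post, and not iplog's own code): a small Python parser for the iplog lines quoted above, plus a sliding-window check that flags the pattern the poster saw, many distinct source addresses hitting one service within a few seconds, none of them ever repeating. The sample lines are a constructed copy of the post's output; the 5-second window and the thresholds a practitioner would alert on are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the iplog format quoted in the post (the 10 s flood window on port 80).
SAMPLE_LOG = """\
Jun 5 06:55:10 TCP: www connection attempt from 216.75.156.248:1138
Jun 5 06:55:10 TCP: www connection attempt from 211.61.23.237:1044
Jun 5 06:55:10 TCP: www connection attempt from 24.75.157.249:1048
Jun 5 06:55:38 TCP: www connection attempt from 199.54.138.68:1229
Jun 5 06:55:39 TCP: www connection attempt from 128.245.250.105:1050
Jun 5 06:55:39 TCP: www connection attempt from 202.249.67.39:1053
Jun 5 06:55:39 TCP: www connection attempt from 193.234.177.1:1092
Jun 5 06:55:39 TCP: www connection attempt from soulside.com.criticalpath.net (209.228.156.220):1101
Jun 5 06:55:45 TCP: www connection attempt from 198.78.238.214:1076
Jun 5 06:55:45 TCP: www connection attempt from 194.202.16.63:1053
"""

LINE_RE = re.compile(  # handles both "ip:port" and "hostname (ip):port" forms seen in the log
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) TCP: (?P<svc>\S+) "
    r"connection attempt from (?:\S+ \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?:(?P<port>\d+)$"
)

def parse_iplog(text):
    """Return (timestamp, service, source_ip, source_port) for each iplog TCP line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # other iplog record types (UDP, ICMP, ...) are skipped
            ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
            events.append((ts, m["svc"], m["ip"], int(m["port"])))
    return events

def summarize_bursts(events, window_s=5):
    """Per service: (max distinct sources in any window_s-second window, start, end, one_shot_ratio)."""
    by_svc = {}
    for ts, svc, ip, _ in sorted(events):
        by_svc.setdefault(svc, []).append((ts, ip))
    out = {}
    for svc, seq in by_svc.items():
        best, start = (0, None, None), 0
        for end in range(len(seq)):
            while (seq[end][0] - seq[start][0]).total_seconds() > window_s:
                start += 1  # slide the window so it spans at most window_s seconds
            n = len({ip for _, ip in seq[start:end + 1]})
            if n > best[0]:
                best = (n, seq[start][0], seq[end][0])
        hits = Counter(ip for _, ip in seq)  # spoofed sources never repeat, so most appear once
        out[svc] = best + (sum(c == 1 for c in hits.values()) / len(hits),)
    return out
```

A real client that is retrying will show up more than once, so a high one-shot ratio together with a burst of distinct sources on a single port is the signal worth alerting on, rather than any individual address.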
