North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

False SYN attacks?

  • From: Hank Nussbacher
  • Date: Sun Nov 03 12:19:05 1996

I am curious if other sites have had similar false SYN attacks (this one 
was reported by BBN and SI.NET to us).  Here is the report from the
offending site:

As  a result of a potential SYN attack that was reported to us and  that 
may have originated from NCC, NCC has held an inquiry with a team lead 
by myself  and including the NC VP for  technology, and the NCC Ssytem 
Administrator and security officer.

The Inquiry has found the following facts:

NCC Internet connection for all NCC employess relys on a Microsoft Proxy 
Server code named CataPult (Beta Release) Which runs on an NT machine. 
It was only installed at NCC several days ago. The product has what it 
defines as a smart cache which decides itself to go fetch via HTTP  
updates of information on the Internet according to URL addresses it 
finds in its cache (which are more likely to be visited once again). 
This in theory provides improved performance for users browsing the 

The default update frequency value in this Beta release was set by 
Microsoft  to be way too low ( a matter of seconds).Once a certain site 
in the cache is too busy and the Proxy Server fails to make the 
connection (like in this case when failed with cause 
10060 connection timeout), the Proxy tries again. It is easy to 
distinguish on the log between a connection request  made by a uset via 
a connection attempt made by CataPult Proxy Server.

We are attaching two files which are the log that shows all activity on 
Oct 24th (file a.a) and all specific connection attampts to wells 
fargo(file b.b).

We did chnage the timoout for this retry attempt to be much higher than 
the 1 minute value that was configured by default by Microsoft.

Have other sites been using Catapault and seeing this problem?


- - - - - - - - - - - - - - - - -