My friend Mark wrote back about the attack to mention that he's also seeing the same attack on his servers. It's not enough to bring anything down, but it's enough to be an annoyance. He's also concerned that it might be a bit of a “dry run” for

A bit later he sent along a link to the paper “TCP Vulnerability” which describes a possible motive for the attack:
SYNCookies were implemented to mitigate against DoS attacks. It ensured that the server did not have to store any information for half-open connections. A
SYNcookie contains all information required by the server to know the request is valid. However, the usage of these cookies introduces a vulnerability that allows an attacker to guess the initial sequence number and use that to spoof a connection or plant false logs.
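To make the "server stores nothing" idea concrete, here is an added example (not code from the paper or from this post) of how a SYN cookie can be minted as the SYN-ACK's initial sequence number and later verified from the client's ACK alone. It follows the classic 5-bit counter / 3-bit MSS index / 24-bit hash layout but substitutes an HMAC under a constructed secret for the hash; the addresses, ports and secret are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for this example; a real server would draw its secret
# from a CSPRNG at boot and rotate it periodically.
SERVER_SECRET = b"constructed-example-secret-not-for-production"
MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit index -> MSS the client offered
TIME_STEP = 64                         # seconds per counter tick
MAX_AGE_TICKS = 2                      # reject cookies older than this


def _cookie_hash(saddr, daddr, sport, dport, counter, secret):
    """Keyed 24-bit digest over the connection 4-tuple and the time counter."""
    msg = struct.pack(">4s4sHHB", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss_idx, now, secret=SERVER_SECRET):
    """ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit keyed hash."""
    counter = (now // TIME_STEP) & 0x1F
    h = _cookie_hash(saddr, daddr, sport, dport, counter, secret)
    return (counter << 27) | (mss_idx << 24) | h


def check_cookie(saddr, daddr, sport, dport, ack, now, secret=SERVER_SECRET):
    """Validate the handshake's final ACK with no stored half-open state.

    Returns the MSS to use on success, or None if the cookie is stale, was
    not minted for this 4-tuple, or was not minted under our secret.
    """
    cookie = (ack - 1) & 0xFFFFFFFF            # the client ACKs ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = ((now // TIME_STEP) - counter) & 0x1F
    if age > MAX_AGE_TICKS:
        return None
    expected = _cookie_hash(saddr, daddr, sport, dport, counter, secret)
    got = cookie & 0xFFFFFF
    # Constant-time compare so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

Only 24 bits of the ISN carry the keyed hash, which is why the secret and the hash function matter: with an unkeyed or weak hash the ISN becomes guessable, which is the weakness the quoted paper is pointing at.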
The “spoofing of a connection” is amusing, as I don't have any private files worth downloading, and spoofing a connection to an email server just nets me what? More spam? I already deal with spam as it is. And the same for the logs—I just don't have anything that requires legally auditable logs. I guess it's similar for most spam—it pretty much costs the same whether you attempt 10 servers or 10,000,000 servers, so why not? And like Mark says, I hope this isn't a precursor of something larger.
And chasing down the references in the paper is quite the rabbit hole.