Detecting the Naptha Denial of Service Attack

The Naptha Denial of Service tool is designed to flood a targeted TCP stack with so many SYN packets that the system cannot service legitimate requests. According to Snort rule ID 275, the Naptha tool creates packets that contain an IP ID value of 413, and a TCP sequence number of 6060842, as shown in bold here:

alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; psad_id:100111; psad_dl:2;)

The following iptables log message triggers the Naptha rule in psad (notice the IP ID value of 413 at ©, the TCP sequence number 6060842 at ©, and the SYN flag set at ©):

Jul 11 20:28:21 iptablesfw kernel: DROP IN=eth1 OUT= MAC=00:13:46:3a:41:4b:

00:a0:cc:28:42:5a:08:00 SRC=192.168.10.3 DST=192.168.10.1 LEN=60 TOS=0x10

PREC=0x00 TTL=64 ©ID=413 DF PROTO=TCP SPT=45664 DPT=15304

©SEQ=6060842 ACK=0 WINDOW=5840 RES=0x00 ©SYN URGP=0

Jul 14 15:35:26 iptablesfw psad: src: 192.168.10.3 signature match: "DOS

NAPTHA" (sid: 275) tcp port: 15304

Was this article helpful?

0 0

Post a comment