Hi. Looking at suspicious traffic I found that a lab Windows Domain Controller with DNS enabled was sending, in a single second, over 100 SYN,ACK packets in response to a single SYN packet. The SYN packet was sent by a workstation joined to the server's domain. The SYN,ACK packet's data part cannot be read in clear text, but it looks like there are only two variations of this packet. A quick inspection shows that variation_1 and variation_2 are being sent in a round-robin fashion. In all SYN,ACK packets the destination port is the same (59092), Seq=0, Ack=1, Win=8192, Len=0. This is not a covert channel, unless using some form of morse code. And I have a hard time believing that a lab DC would DoS a workstation in this fashion. Any hint would be appreciated. asked 03 Jan '14, 20:54 Marcus
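One way to check the pattern described in the question against a decoded trace, as an added example that is not from the original thread: it buckets SYN,ACK packets per (source, destination, destination port, second), flags buckets over a threshold, counts how many distinct header variants they contain, tests whether those variants strictly alternate, and reports how many SYNs from the target could have provoked them. The packet records are assumed to be dicts such as you would build from exported tshark fields; the sample trace is constructed, and the two variants are assumed to differ only in ip.ttl and ip.id.

```python
from collections import Counter, defaultdict


def make_sample(n=120):
    """Constructed trace: one SYN from the workstation, then n SYN,ACKs from the DC
    alternating between two variants (assumed here to differ only in ip.ttl and
    ip.id, standing in for whatever the real variations are)."""
    pkts = [dict(ts=100.0, src="10.0.0.20", dst="10.0.0.5", sport=59092, dport=53,
                 flags="S", seq=0, ack=0, win=8192, length=0, ttl=128, ipid=1)]
    for i in range(n):
        v = i % 2
        pkts.append(dict(ts=100.0 + i * 0.005, src="10.0.0.5", dst="10.0.0.20",
                         sport=53, dport=59092, flags="SA", seq=0, ack=1, win=8192,
                         length=0, ttl=(128, 127)[v], ipid=(1000, 2000)[v]))
    return pkts


def synack_bursts(pkts, threshold=100):
    """Return one finding per (src, dst, dport, second) carrying at least
    `threshold` SYN,ACK packets: how many there were, how many distinct header
    variants, whether the variants strictly alternate (round-robin), whether all
    carry no payload, and how many SYNs from the target could explain them."""
    buckets = defaultdict(list)
    syns = Counter()
    for p in pkts:
        if p["flags"] == "SA":
            buckets[(p["src"], p["dst"], p["dport"], int(p["ts"]))].append(p)
        elif p["flags"] == "S":
            # Key the SYN the same way the reply to it will be keyed.
            syns[(p["dst"], p["src"], p["sport"])] += 1
    findings = []
    for (src, dst, dport, sec), group in buckets.items():
        if len(group) < threshold:
            continue
        # Fingerprint by header fields that could distinguish the "variations".
        fps = [(p["ttl"], p["ipid"], p["seq"], p["ack"], p["win"], p["length"])
               for p in group]
        distinct = Counter(fps)
        alternating = len(distinct) == 2 and all(a != b for a, b in zip(fps, fps[1:]))
        findings.append(dict(src=src, dst=dst, dport=dport, second=sec,
                             count=len(group), variants=len(distinct),
                             round_robin=alternating,
                             zero_len=all(p["length"] == 0 for p in group),
                             syn_count=syns[(src, dst, dport)]))
    return findings


if __name__ == "__main__":
    for f in synack_bursts(make_sample()):
        print(f)
```

A ratio of 120 SYN,ACKs to one SYN, all with Len=0 and exactly two alternating variants, is the shape worth pulling the full trace for.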
Can you provide a trace? If the data is sensitive you could use TraceWrangler to sanitize it before posting it on CloudShark.
"The SYN,ACK packet's data part cannot be read in clear text ... In all SYN,ACK packets the destination port is the same (59092), Seq=0, Ack=1, Win=8192, Len=0 ."
With a Len=0, how can there be data in a SYN,ACK packet? Is the ip.ttl always the same?
Do you mind telling us the difference between the two variations?
BTW: if you are no longer interested in solving/discussing the problem, we might want to close the question.