Hello,
I am new to the list and am hoping to appeal to the group for some assistance. I know this topic has been discussed here in the past but I was not able to resolve my issue with any ideas given in that thread (http://www.wireshark.org/lists/wireshark-users/200706/msg00013.html).
From time to time, we notice that our websites appear to be hit by a DOS attack. At that time, a packet capture reveals many thousands of TCP Dup ACK packets (~28K in 67 seconds).
Based on what I understand, these packets might actually be a symptom of a DOS attack and not the cause of it. A Dup ACK packet would be a normal response of a Client that has already sent an ACK but did not get a reply from a Server (because, as one example, it’s being DOS’d).
So I am wondering:
1) Does this sound like a symptom of a DOS and not the cause of it? I believe it’s a symptom.
2) If not, what would cause so many Dup ACKs? Could this be an attack vector itself?
Thank you,
-Steve
Packet
1 0.000000 165.139.171.135 ******************** TCP 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
57399 66.939348 165.139.171.135 ******************** TCP [TCP Dup ACK 1#28699] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
57400 66.939358 165.139.171.135 172.30.64.174 TCP [TCP Dup ACK 2#28699] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
57401 66.943632 165.139.171.135 ******************* TCP [TCP Dup ACK 1#28700] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
57402 66.943643 165.139.171.135 172.30.64.174 TCP [TCP Dup ACK 2#28700] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
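A defender-side triage script for the situation Steve describes, added here as an example and not part of his post or of Wireshark itself: it parses packet-list summary lines in the format quoted above, counts Dup ACK frames per TCP flow, works out their rate, and flags flows that look like a flood so they can be compared against the ~28K-in-67-seconds figure. The sample lines, the addresses in them, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Wireshark packet-list summary format quoted in the post
# (frame, time, src, dst, proto, info). Addresses are documentation ranges, not real hosts.
SAMPLE = """\
1 0.000000 198.51.100.7 192.0.2.10 TCP 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
2 0.010000 198.51.100.7 192.0.2.10 TCP [TCP Dup ACK 1#1] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
3 0.020000 198.51.100.7 192.0.2.10 TCP [TCP Dup ACK 1#2] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
4 0.030000 198.51.100.7 192.0.2.10 TCP [TCP Dup ACK 1#3] 40120 > http [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=0
5 0.500000 203.0.113.5 192.0.2.10 TCP 51000 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
6 0.600000 203.0.113.5 192.0.2.10 TCP [TCP Dup ACK 5#1] 51000 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

# One summary line: frame, time, src, dst, "TCP", optional "[TCP Dup ACK ...]" tag, ports.
LINE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<dup>\[TCP Dup ACK [^\]]*\]\s+)?(?P<sport>\S+) > (?P<dport>\S+)"
)

def dup_ack_flows(text):
    """Count Dup ACK frames per (src, sport, dst, dport) flow and return, per flow,
    the count and the rate in frames/second over the flow's first..last Dup ACK."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group("dup"):
            continue  # unparseable line or not a Dup ACK
        key = (m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"))
        t = float(m.group("time"))
        s = stats[key]
        s["count"] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    out = []
    for key, s in stats.items():
        span = max(s["last"] - s["first"], 1e-3)  # guard against zero-length span
        rate = s["count"] / span if s["count"] > 1 else 0.0  # a lone Dup ACK has no rate
        out.append({"flow": key, "count": s["count"], "rate": rate})
    return sorted(out, key=lambda r: r["count"], reverse=True)

def flag_floods(flows, min_count=3, min_rate=100.0):
    """Return flows whose Dup ACK count and per-second rate both exceed the thresholds.
    The defaults are assumptions; tune them against the site's normal traffic."""
    return [f for f in flows if f["count"] >= min_count and f["rate"] >= min_rate]
```

Run it over a real export (File > Export Packet Dissections as plain text in Wireshark) to see whether the Dup ACKs come from one flow, as in the excerpt, or from many sources.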