Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 18 Feb 2003 07:44:21 -0500
You have received a lot of replies to this already, but I have a slightly different take on this. The message says the traffic is sourced from port 80 and coming back to a high port on your end that would normally be in the range used by client software (like a web browser). There actually does appear to be a service listening on port 80 at the source (205.138.3.201) but the default page is blank (you can do a "view source" in your browser and see that it is a real HTML page, just with no content). Telnetting to the server on port 80 and issuing a GET I received the following:

HTTP/1.0 501 Not Implemented
Date: Tue, 18 Feb 2003 12:39:05 GMT
Server: swcd/5.0.2206
Connection: close

I do not know what type of server reports itself as "swcd", but it is listed on a recent survey of popular web server tools as having about a 0.14% share of installed servers.

What would be interesting is if you recently went there - maybe you didn't know you were going there, if the user has a hostname published in DNS somewhere. In any case it would be odd for a web server to initiate a connection to you (which is what would kick off a SYN flood). However, the fact that they are trying to hit you on what appears to be a client port may indicate that very thing.

Does the NetGear tell you how many times they tried to connect and over what period of time? Does it tell you at least the "minimum" connections it has to see before it alerts on a SYN flood?

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this.
I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log
----------

What should I make of this?

T.
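As an added example that is not part of the original thread, the following Python puts the two checks made in the reply above into code: it parses NetGear log lines in the format quoted in the original message and labels each entry by its port pair (a service port talking toward an ephemeral port looks like the return half of a connection the LAN host opened itself; the reverse looks like an outside host opening a connection to a LAN service), and it parses the raw HTTP banner that a manual GET on port 80 returns. The second log line, the 1024 port cutoff and the function names are assumptions made for illustration; the HTTP response bytes are a constructed copy of the banner quoted in the reply, so nothing here touches the network unless probe_http is called explicitly.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first line is the NetGear entry quoted in the
# thread; the second is an invented contrasting entry (an outside host hitting
# port 80 on the LAN from an ephemeral port) so both cases are exercised.
SAMPLE_LOG = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:36:10 - TCP connection dropped - Source:198.51.100.7, 3391, WAN - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding'
End of Log
"""

# Field layout as it appears in the quoted log line; trailing text is tolerated.
LOG_RE = re.compile(
    r"^(?P<ts>.+?) - (?P<action>.+?) - "
    r"Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_zone>\w+) - "
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_zone>\w+) - "
    r"'(?P<rule>[^']*)'"
)

EPHEMERAL_MIN = 1024  # assumption: ports below this are treated as service ports

HINTS = {
    "return-traffic": "service port -> client port: looks like the reply half of a "
                      "connection the LAN host opened; check whether it recently "
                      "talked to the source address",
    "inbound-service": "client port -> service port: an outside host is opening a "
                       "connection to a service on the LAN",
    "ambiguous": "both ports in the same range; direction cannot be inferred from ports",
}


@dataclass
class DroppedConn:
    ts: str
    action: str
    src_ip: str
    src_port: int
    src_zone: str
    dst_ip: str
    dst_port: int
    dst_zone: str
    rule: str

    def direction_hint(self) -> str:
        """Classify from the port pair alone, as the reply in the thread does."""
        src_is_service = self.src_port < EPHEMERAL_MIN
        dst_is_service = self.dst_port < EPHEMERAL_MIN
        if src_is_service and not dst_is_service:
            return "return-traffic"
        if dst_is_service and not src_is_service:
            return "inbound-service"
        return "ambiguous"


def parse_netgear_log(text: str) -> List[DroppedConn]:
    """Parse the log format shown in the thread; non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        conns.append(DroppedConn(
            ts=d["ts"], action=d["action"],
            src_ip=d["src_ip"], src_port=int(d["src_port"]), src_zone=d["src_zone"],
            dst_ip=d["dst_ip"], dst_port=int(d["dst_port"]), dst_zone=d["dst_zone"],
            rule=d["rule"],
        ))
    return conns


# Constructed copy of the banner quoted in the reply, so the parser runs offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 501 Not Implemented\r\n"
    b"Date: Tue, 18 Feb 2003 12:39:05 GMT\r\n"
    b"Server: swcd/5.0.2206\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_http_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into version, status, reason, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, status, reason = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": int(status), "reason": reason,
            "headers": headers, "body": body}


def probe_http(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """The manual 'telnet to port 80 and type GET' step, done with a socket."""
    req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    for c in parse_netgear_log(SAMPLE_LOG):
        tag = c.direction_hint()
        print(f"{c.src_ip}:{c.src_port} -> {c.dst_ip}:{c.dst_port} {tag}: {HINTS[tag]}")
    r = parse_http_response(SAMPLE_RESPONSE)
    print(f"{r['status']} {r['reason']} from {r['headers'].get('server')}")
```

The port-pair heuristic only says which side most likely opened the connection; as the reply notes, the next step is to check whether the LAN host had actually visited that address, and how many hits over what period the firewall counted before raising its SYN-flood rule.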
Current thread:
- Re: TCP Syn Flooding, (continued)
- Re: TCP Syn Flooding neopara (Feb 18)
- RE: TCP Syn Flooding Tim Laureska (Feb 19)
- RE: TCP Syn Flooding neopara (Feb 20)
- Windows auditing eric (Feb 22)
- RE: TCP Syn Flooding Tim Laureska (Feb 19)
- Re: TCP Syn Flooding neopara (Feb 18)
- Re: TCP Syn Flooding Steve Suehring (Feb 18)
- RE: TCP Syn Flooding Michael Parker (Feb 17)
- RE: TCP Syn Flooding Anomaly (Feb 18)
- Re: TCP Syn Flooding Chris Berry (Feb 17)
- re: TCP Syn Flooding H C (Feb 18)
- RE: TCP Syn Flooding Michael Parker (Feb 18)
- RE: TCP Syn Flooding Fields, James (Feb 18)
- RE: TCP Syn Flooding s7726 (Feb 19)
- RE: TCP Syn Flooding Michael Parker (Feb 19)
- RE: TCP Syn Flooding Hudak, Tyler (Feb 19)
- RE: TCP Syn Flooding Chris Santerre (Feb 19)
- RE: TCP Syn Flooding Tim Laureska (Feb 19)
- RE: TCP Syn Flooding Chris Santerre (Feb 19)