Security Basics mailing list archives

RE: TCP Syn Flooding


From: "Tim Laureska" <hometeam () goeaston net>
Date: Mon, 17 Feb 2003 17:15:14 -0500

No... I would agree... just a small network hanging out there for
someone to try their luck ... By the way, one of the reasons I put the
firewall in place was that an IRC program started showing up on the
server ... it would start with NT loading.... I looked all over the
server (startup, programs, registry, etc) but couldn't find a reference
to it... ever seen or heard of this?

-----Original Message-----
From: Craig Searle [mailto:craig.searle () sift com au] 
Sent: Monday, February 17, 2003 5:09 PM
To: 'Tim Laureska'; 'security-basics'
Subject: RE: TCP Syn Flooding

Probably both. TCP SYN floods are usually popular with kiddies due to
their relative 'ease of use'. The majority of these attacks are poorly
co-ordinated and usually blocked at/by the firewall with relative ease.

Having said that, SYN floods are also very effective when used
properly.....i.e. by someone (or some people) who actually know what
they're doing.

In my opinion a small network, with an NT4 server would be viewed as an
easy target by a kiddie.

Do you think otherwise, Tim?

Craig Searle
SIFT Pty Ltd
www.sift.com.au

P (02) 9236 7276
F (02) 9236 7271
M 0402 914 077
E craig.searle () sift com au

Level 67, MLC Centre,
Martin Place, Sydney NSW 2000

[ABN 42 094 359 743]

This correspondence is for the named person's use only. It may contain
confidential or legally privileged information or both. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this correspondence in error, please immediately delete
it from your system and notify the sender. You must not disclose, copy
or rely on any part of this correspondence if you are not the intended
recipient. Any opinions expressed in this message are those of the
individual sender, except where the sender expressly, and with
authority, states them to be the opinions of SIFT Pty Ltd.



-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net] 
Sent: Tuesday, 18 February 2003 08:58 AM
To: 'Craig Searle'; 'security-basics'
Subject: RE: TCP Syn Flooding


Craig... is there anything particular in the message that makes you
think it's just a 'script kiddie' trying a DoS attack ... or is that
just your thoughts based on experience

-----Original Message-----
From: Craig Searle [mailto:craig.searle () sift com au] 
Sent: Monday, February 17, 2003 4:17 PM
To: 'Tim Laureska'; 'security-basics'
Subject: RE: TCP Syn Flooding

It's just a 'script kiddie' trying a DoS attack- I wouldn't really worry
if I were you. Your firewall has picked it up and stopped any problems.

If you are still concerned you want to consider setting your firewall to
block that IP altogether.

Craig Searle
SIFT Pty Ltd
www.sift.com.au


-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net] 
Sent: Sunday, 16 February 2003 01:21 AM
To: security-basics
Subject: TCP Syn Flooding


OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network.. and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this.

I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log ----------

What should I make of this?
 
T.
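
Added example, not part of the original thread and not Netgear's own code: a parser for e-mailed alerts laid out like the one quoted above, which tallies alerts per source address before deciding whether to block an IP. The field names, the `reply_like` heuristic and the second and third sample entries are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. Entry 1 is the alert quoted in the post, hard-wrapped
# the way a mail client delivers it; entries 2-3 are made up in the same layout.
SAMPLE = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201,
80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End
of
Log ----------
Fri, 02/14/2003 20:41:17 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20311, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 21:02:40 - TCP connection dropped - Source:198.51.100.7, 4312, WAN - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding'
"""

ENTRY = re.compile(
    r"(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_if>\w+) - "
    r"'(?P<rule>[^']+)'"
)

def parse_alerts(text):
    """Return one dict per alert, tolerating line wraps inside an entry."""
    flat = " ".join(text.split())  # undo wraps: any whitespace run -> one space
    alerts = []
    for m in ENTRY.finditer(flat):
        a = m.groupdict()
        a["when"] = datetime.strptime(a["when"], "%m/%d/%Y %H:%M:%S")
        a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
        # Heuristic added here, not from the thread: a well-known source port
        # with a high destination port has the shape of reply traffic.
        a["reply_like"] = a["sport"] < 1024 <= a["dport"]
        alerts.append(a)
    return alerts

def sources_by_count(alerts):
    """Tally alerts per source address, the input to a block-list decision."""
    return Counter(a["src"] for a in alerts)

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE):
        print(a["when"], a["src"], a["sport"], "->", a["dst"], a["dport"],
              a["rule"], "reply_like" if a["reply_like"] else "")
    print(sources_by_count(parse_alerts(SAMPLE)).most_common())
```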