Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Anomaly" <computerhelp () host sk>
Date: Tue, 18 Feb 2003 05:59:38 +0100
Sorry if this has been mentioned before, but my email server has been bouncing messages back a lot lately so I have been missing quite a bit from the mailing list.

Tracing that IP address is useless if it was an actual SYN flood attempt. SYN flooding is when someone spoofs a TCP/IP packet and forms it to request a page from a webserver. When your server tries to complete the handshake it sends a packet back to the spoofed address, and obviously the spoofed server/computer address isn't going to respond correctly, or even at all, since it didn't initiate the connection to begin with. Basically a person/hacker can fill up your server connection with false requests, thus denying legit users your content.

More than likely though it was a byproduct of something else since, as you said, it was the same address. Someone trying to attack your server would use multiple addresses, causing a greater effect. It's quite easy to do since you're spoofing the packet to begin with. I highly doubt someone is purposely attacking you.

Someone please correct me if I stated anything wrong.

-Anomaly

---------- Original Message -----------
From: "Michael Parker" <mparker () rim net>
To: "Tim Laureska" <hometeam () goeaston net>, "security-basics" <security-basics () securityfocus com>
Sent: Mon, 17 Feb 2003 12:38:17 -0500
Subject: RE: TCP Syn Flooding
Sounds like someone was trying to SYN flood your system and your firewall
did what it was supposed to... blocked the connection to the offending system.
A WHOIS of the source IP turned up these results:

Cable & Wireless CW-03BLK (NET-205-138-0-0-1)
                                   205.138.0.0 - 205.140.255.255
Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1)
                                   205.138.3.0 - 205.138.3.255

# ARIN WHOIS database, last updated 2003-02-16 20:00

I also did a tracert to that IP:

Hop  IP Address      Host Name                           Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
<SNIP>
8    152.63.132.14   130.atm3-0.xr1.tor2.alter.net       1     1     10 ms  10 ms   10 ms    10 ms    0.000%
9    152.63.2.109    0.so-0-0-0.tl1.tor2.alter.net       1     1     10 ms  10 ms   10 ms    10 ms    0.000%
10   152.63.2.106    0.so-4-1-0.TL1.DCA6.ALTER.NET       1     1     30 ms  30 ms   30 ms    30 ms    0.000%
11   152.63.36.37    0.so-6-0-0.CL1.DCA1.ALTER.NET       1     1     30 ms  30 ms   30 ms    30 ms    0.000%
12   152.63.33.170   295.at-6-0-0.XR1.TCO1.ALTER.NET     1     1     30 ms  30 ms   30 ms    30 ms    0.000%
13   152.63.39.93    193.ATM6-0.GW5.TCO1.ALTER.NET       1     1     30 ms  30 ms   30 ms    30 ms    0.000%
14   157.130.79.194  doubleclick-gw.customer.alter.net   1     1     40 ms  40 ms   40 ms    40 ms    0.000%
15   205.138.3.201   [Unknown]                           1     1     40 ms  40 ms   40 ms    40 ms    0.000%
Here is a link that provides information on a SYN attack -
http://www.cert.org/advisories/CA-1996-21.html
Hope this helps.

Cheers,
Michael

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log
----------

What should I make of this?

T.
------- End of Original Message -------
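As an added example (not code from anyone in this thread): a small parser for Netgear drop records in the format Tim quoted, applying Anomaly's rule of thumb that a spoofed SYN flood shows up as many source addresses while one address repeating points to a byproduct of something else. All log lines except the one from the original post, and the threshold of five sources, are constructed for the demonstration.

```python
import re
from collections import Counter

# Shape of the Netgear log line quoted in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - TCP connection dropped"
    r" - Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+)"
    r" - Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+)"
    r" - '(?P<reason>[^']+)'$"
)

def parse_line(line):
    """Return the fields of one drop record as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_syn_flood(lines, spread_threshold=5):
    """Summarise 'TCP:Syn Flooding' drops and apply the thread's heuristic:
    many distinct sources is consistent with a spoofed flood, one or a few
    repeating sources is more likely a side effect of normal traffic.
    spread_threshold is a constructed cut-off, not a value from the thread."""
    events = [e for e in map(parse_line, lines) if e and e["reason"] == "TCP:Syn Flooding"]
    by_src = Counter(e["src"] for e in events)
    if not events:
        verdict = "no SYN flood events"
    elif len(by_src) >= spread_threshold:
        verdict = "many sources: consistent with a spoofed SYN flood"
    else:
        verdict = "few sources: probably a byproduct, not a deliberate flood"
    return {
        "events": len(events),
        "distinct_sources": len(by_src),
        "top_sources": by_src.most_common(3),
        "verdict": verdict,
    }

# Constructed sample 1: the line from Tim's post, repeated with made-up timestamps.
SAMPLE_SINGLE = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:41:17 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20412, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 21:02:45 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20577, LAN - 'TCP:Syn Flooding'",
]

# Constructed sample 2: five different (documentation-range) sources hitting the web port.
SAMPLE_SPREAD = [
    f"Sat, 02/15/2003 03:00:{i:02d} - TCP connection dropped - Source:203.0.113.{i}, {1024 + i}, WAN"
    f" - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding'"
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(triage_syn_flood(SAMPLE_SINGLE))
    print(triage_syn_flood(SAMPLE_SPREAD))
```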