Security Basics mailing list archives

RE: TCP Syn Flooding


From: "Anomaly" <computerhelp () host sk>
Date: Tue, 18 Feb 2003 05:59:38 +0100

Sorry if this has been mentioned before, but my email server has been 
bouncing messages back a lot lately so I have been missing quite a bit from 
the mailing list.

Tracing that IP address is useless if it was an actual SYN flood attempt.  
SYN flooding is when someone spoofs a TCP/IP packet and forms it to request a 
page from a webserver.  When your server tries to complete the handshake it 
sends a packet back to the spoofed address and obviously the spoofed 
server/computer address isn't going to respond correctly or even at all since 
it didn't initiate the connection to begin with.  Basically a person/hacker 
can fill up your server connection with false requests thus denying legit 
users from your content.

More than likely though it was a byproduct of something else since as you 
said it was the same address.  Someone trying to attack your server would use 
multiple addresses causing a greater effect.  It's quite easy to do since 
you're spoofing the packet to begin with.  

I highly doubt someone is purposely attacking you.

Someone please correct me if I stated anything wrong.  

-Anomaly

---------- Original Message -----------
From: "Michael Parker" <mparker () rim net>
To: "Tim Laureska" <hometeam () goeaston net>, "security-basics" <security-basics () securityfocus com>
Sent: Mon, 17 Feb 2003 12:38:17 -0500
Subject: RE: TCP Syn Flooding

Sounds like someone was trying to syn flood your system and your firewall 
did what it was supposed to...blocked the connection to the offending 
system.  

A WHOIS of the source IP turned up these results:

Cable & Wireless CW-03BLK (NET-205-138-0-0-1) 
                                  205.138.0.0 - 205.140.255.255
Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1) 
                                  205.138.3.0 - 205.138.3.255

# ARIN WHOIS database, last updated 2003-02-16 20:00

I also did a tracert to that IP

Hop  IP Address       Host Name                              Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
<SNIP>
8    152.63.132.14    130.atm3-0.xr1.tor2.alter.net          1     1     10 ms  10 ms   10 ms    10 ms    0.000%
9    152.63.2.109     0.so-0-0-0.tl1.tor2.alter.net          1     1     10 ms  10 ms   10 ms    10 ms    0.000%
10   152.63.2.106     0.so-4-1-0.TL1.DCA6.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
11   152.63.36.37     0.so-6-0-0.CL1.DCA1.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
12   152.63.33.170    295.at-6-0-0.XR1.TCO1.ALTER.NET        1     1     30 ms  30 ms   30 ms    30 ms    0.000%
13   152.63.39.93     193.ATM6-0.GW5.TCO1.ALTER.NET          1     1     30 ms  30 ms   30 ms    30 ms    0.000%
14   157.130.79.194   doubleclick-gw.customer.alter.net      1     1     40 ms  40 ms   40 ms    40 ms    0.000%
15   205.138.3.201    [Unknown]                              1     1     40 ms  40 ms   40 ms    40 ms    0.000%

Here is a link that provides information on a SYN attack - 
http://www.cert.org/advisories/CA-1996-21.html

Hope this helps.
Cheers,
Michael

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network, and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.
------- End of Original Message -------
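The thread's argument (one address that keeps coming back is probably a byproduct of ordinary traffic, whereas a real SYN flood arrives from many spoofed addresses) can be checked mechanically against the firewall's own log. The script below is an added example written for this archive page; it is not code from any of the posters or from Netgear. It parses lines in the exact format Tim quoted, groups 'TCP:Syn Flooding' drops per destination host, and attaches a verdict. The threshold of ten distinct sources, the "service port below 1024" heuristic, and all sample lines other than the first are assumptions constructed for illustration (198.51.100.x and 192.0.2.10 are documentation-only addresses).

```python
"""Triage 'TCP:Syn Flooding' drops from a Netgear-style firewall log.

Added example for the thread above, not code from the posters or the vendor.
Groups drops per destination so that a single repeating source (the situation
in the thread) can be told apart from a burst of many distinct sources.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log format as quoted in the thread; the trailing "End of Log ----" is optional.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - TCP connection dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) - "
    r"'(?P<reason>[^']+)'"
)

MANY_SOURCES = 10       # assumption: this many distinct sources or more -> treat as a flood
WELL_KNOWN_PORT = 1024  # ports below this are server-side ports (80 = HTTP)


@dataclass
class Event:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a line in the quoted format, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["reason"])


def assess(lines: List[str]) -> Dict[str, dict]:
    """Group SYN-flood drops per destination host and attach a verdict."""
    per_dst: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev.reason == "TCP:Syn Flooding":
            per_dst[ev.dst].append(ev)

    report: Dict[str, dict] = {}
    for dst, events in per_dst.items():
        sources = {e.src for e in events}
        from_service_port = sum(1 for e in events if e.sport < WELL_KNOWN_PORT)
        if len(sources) >= MANY_SOURCES:
            verdict = "likely SYN flood: many distinct source addresses"
        elif len(sources) == 1 and from_service_port == len(events):
            # One host, always from a service port such as 80: looks like a
            # server's late replies to an earlier connection, not an attack.
            verdict = "likely byproduct: single source on a service port"
        else:
            verdict = "inconclusive: few sources, keep watching"
        report[dst] = {
            "events": len(events),
            "distinct_sources": len(sources),
            "verdict": verdict,
        }
    return report


# Constructed sample log. The first line is the one quoted in the thread (unwrapped);
# the two further 205.138.3.201 drops and the 198.51.100.x burst are made up.
SAMPLE_LOG = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------",
    "Fri, 02/14/2003 20:41:17 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20311, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 21:02:44 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20377, LAN - 'TCP:Syn Flooding'",
] + [
    f"Sat, 02/15/2003 03:00:{i:02d} - TCP connection dropped - Source:198.51.100.{i}, {40000 + i}, WAN - "
    "Destination:192.0.2.10, 80, LAN - 'TCP:Syn Flooding'"
    for i in range(1, 13)
]

if __name__ == "__main__":
    for dst, summary in assess(SAMPLE_LOG).items():
        print(f"{dst}: {summary['events']} drops from {summary['distinct_sources']} "
              f"source(s) -> {summary['verdict']}")
```

Run against the constructed sample, the 69.2.167.25 group is reported as a likely byproduct and the 192.0.2.10 group as a likely flood. The verdicts are heuristics, not proof: a flood from a single unspoofed host would land in the "inconclusive" bucket, which is why the count and the source set are reported alongside the verdict.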
