Security Basics mailing list archives

RE: TCP Syn Flooding

From: "Tim Laureska" <hometeam () goeaston net>
Date: Tue, 18 Feb 2003 14:16:37 -0500

The IRC programs pops up in a window when you start the NT box... you
can close it down easily enough.... but I'll be darned if I can find
where the program is

-----Original Message-----
From: Chris Santerre [mailto:csanterre () MerchantsOverseas com] 
Sent: Tuesday, February 18, 2003 2:08 PM
To: 'Steve Suehring'; Tim Laureska
Cc: security-basics
Subject: RE: TCP Syn Flooding

You mentioned an IRC program on the NT box. Is it still running or did
you
kill it? It could be trying to "phone home". Just another idea.

-----Original Message-----
From: Steve Suehring [mailto:sec () braingia org]
Sent: Tuesday, February 18, 2003 8:57 AM
To: Tim Laureska
Cc: security-basics
Subject: Re: TCP Syn Flooding

While I obviously can't guarantee it, I would sincerely doubt 
that there 
is a true syn flood taking place sourced in the doubleclick 
network.  What 
were you doing at the time?  Possibly surfing the web?  Those 
source and 
destination ports look awfully like you were surfing the web and 
doubleclick's side tried to open a connection to you for their load 
balancing software.

My guess would be that the netgear is picking up a false positive.  

Searching deja reveals that this may be the case after all:

http://groups.google.com/groups?oi=djq&selm=an_523012517

Steve

On Sat, Feb 15, 2003 at 09:20:46AM -0500, Tim Laureska wrote:

OK. I just installed a Netgear firewall box between a cable

modem and a

NT 4.0 server on a small network.. and set it up to email

me attempts at

security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I

installed the box:



Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25,

20306, LAN -

'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.

Current thread:

RE: TCP Syn Flooding, (continued)
- RE: TCP Syn Flooding Michael Parker (Feb 17)
  - RE: TCP Syn Flooding Anomaly (Feb 18)
- Re: TCP Syn Flooding Chris Berry (Feb 17)
- re: TCP Syn Flooding H C (Feb 18)
- RE: TCP Syn Flooding Michael Parker (Feb 18)
- RE: TCP Syn Flooding Fields, James (Feb 18)
  - RE: TCP Syn Flooding s7726 (Feb 19)
- RE: TCP Syn Flooding Michael Parker (Feb 19)
- RE: TCP Syn Flooding Hudak, Tyler (Feb 19)
- RE: TCP Syn Flooding Chris Santerre (Feb 19)
  - RE: TCP Syn Flooding Tim Laureska (Feb 19)
- RE: TCP Syn Flooding Chris Santerre (Feb 19)