Security Incidents mailing list archives

Syn attacks ?


From: ktk () BERLINGSKE-ONLINE DK (Klavs Klavsen)
Date: Tue, 28 Mar 2000 17:33:13 +0100


Does anybody know if these kinds of syn-scans to my firewall/gateway are
normal?
Btw, it is also masquerading - but answers to masquerading should only go to
ports 61000-65095, right?

Mar 28 14:04:16 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4419 F=0x4000 T=118 SYN (#24)

Mar 28 14:04:19 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4420 F=0x4000 T=118 SYN (#24)

Mar 28 14:04:25 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4429 F=0x4000 T=118 SYN (#24)

Mar 28 14:10:34 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6255 F=0x4000 T=118 SYN (#24)

Mar 28 14:10:37 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6257 F=0x4000 T=118 SYN (#24)

Mar 28 14:10:43 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6258 F=0x4000 T=118 SYN (#24)

Mar 28 14:11:35 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2047 x.x.x.x::12792 L=48 S=0x00 I=6278 F=0x4000 T=118 SYN (#24)

Mar 28 14:11:38 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2047 x.x.x.x::12792 L=48 S=0x00 I=6280 F=0x4000 T=118 SYN (#24)

Mar 28 14:11:44 firewall kernel: Packet log: input DENY eth9 PROTO=6
212.237.190.66:2047 x.x.x.x:12792 L=48 S=0x00 I=6281 F=0x4000 T=118 SYN (#24)

I haven't snatched the packets, but I guess I could set a program up to snatch
some packet info.
Do any of you have any experience with this? As to how it is done, and as to
what to look for in a packet to recognise what it is, etc.?

I'd be grateful for any hints.

best regards,
Klavs Klavsen - IT-coordinator
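
Added example, not part of the original message: one way to see what the log itself already shows is to parse the ipchains "Packet log" lines and group the SYNs by flow. The sample input is constructed from the post's timestamps, ports and IP IDs with documentation addresses substituted; the names `parse` and `syn_attempts` are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: times, ports and IP IDs follow the post's log; the
# addresses are documentation placeholders, and each entry is on one line.
ROWS = [("14:04:16", 1849, 15420, 4419), ("14:04:19", 1849, 15420, 4420),
        ("14:04:25", 1849, 15420, 4429), ("14:10:34", 2045, 6386, 6255),
        ("14:10:37", 2045, 6386, 6257), ("14:10:43", 2045, 6386, 6258),
        ("14:11:35", 2047, 12792, 6278), ("14:11:38", 2047, 12792, 6280),
        ("14:11:44", 2047, 12792, 6281)]
SAMPLE = "\n".join(
    f"Mar 28 {t} firewall kernel: Packet log: input DENY eth9 PROTO=6 "
    f"198.51.100.66:{sp} 192.0.2.1:{dp} L=48 S=0x00 I={i} F=0x4000 T=118 SYN (#24)"
    for t, sp, dp, i in ROWS)

# Fields: chain, target, interface, protocol, src:port, dst:port, L=length,
# S=TOS, I=IP ID, F=fragment flags/offset, T=TTL, SYN flag, (#rule number).
# ":+" and "x" in addresses tolerate redacted entries like x.x.x.x::15420.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\dx.]+):+(?P<sport>\d+) (?P<dst>[\dx.]+):+(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)")

def parse(text, year=2000):
    """Yield a dict per matching line; syslog omits the year, so pass it in."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
            yield rec

def syn_attempts(text):
    """Map each TCP flow (src, sport, dst, dport) to the gaps, in seconds,
    between its logged SYNs (same flow repeated = one attempt being retried)."""
    seen = defaultdict(list)
    for r in parse(text):
        if r["proto"] == "6" and r["syn"]:
            key = (r["src"], int(r["sport"]), r["dst"], int(r["dport"]))
            seen[key].append(r["time"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for k, t in seen.items()}

if __name__ == "__main__":
    for flow, gaps in syn_attempts(SAMPLE).items():
        print(flow, "SYNs:", len(gaps) + 1, "gaps:", gaps)
```

On the sample, the nine log entries collapse to three flows, each with gaps of 3 and 6 seconds, which is the doubling back-off of a TCP stack retrying an unanswered SYN from the same source port.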

