Security Incidents mailing list archives
Syn attacks ?
From: ktk () BERLINGSKE-ONLINE DK (Klavs Klavsen)
Date: Tue, 28 Mar 2000 17:33:13 +0100
Does anybody know if it is normal, with these kinds of syn-scans to my firewall/gateway? Btw. it is also masquerading - but answers to masquerading should only go to ports 61000-65095, right?

Mar 28 14:04:16 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4419 F=0x4000 T=118 SYN (#24)
Mar 28 14:04:19 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4420 F=0x4000 T=118 SYN (#24)
Mar 28 14:04:25 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:1849 x.x.x.x::15420 L=48 S=0x00 I=4429 F=0x4000 T=118 SYN (#24)
Mar 28 14:10:34 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6255 F=0x4000 T=118 SYN (#24)
Mar 28 14:10:37 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6257 F=0x4000 T=118 SYN (#24)
Mar 28 14:10:43 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2045 x.x.x.x::6386 L=48 S=0x00 I=6258 F=0x4000 T=118 SYN (#24)
Mar 28 14:11:35 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2047 x.x.x.x::12792 L=48 S=0x00 I=6278 F=0x4000 T=118 SYN (#24)
Mar 28 14:11:38 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2047 x.x.x.x::12792 L=48 S=0x00 I=6280 F=0x4000 T=118 SYN (#24)
Mar 28 14:11:44 firewall kernel: Packet log: input DENY eth9 PROTO=6 212.237.190.66:2047 x.x.x.x:12792 L=48 S=0x00 I=6281 F=0x4000 T=118 SYN (#24)

I haven't snatched the packets, but I guess I could set a program up to snatch some packet info. Do any of you have any experience with this? As to how it is done, as to what to look for in a packet, to recognise what it is, etc.? I'd be grateful for any hints.

best regards,
Klavs Klavsen - IT-coordinator
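Added example, not part of the original post: a small parser for ipchains "Packet log" lines like the ones above that groups denied SYNs by connection attempt, reports the spacing between repeats, and flags destination ports inside the masquerade range the post mentions. The sample lines, the documentation addresses in them, the YEAR constant and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout of an ipchains "Packet log" line, as seen in the post.
# ":+" tolerates the doubled colon left by the redacted destination address.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: (?P<chain>\w+) "
    r"(?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+?):+(?P<sport>\d+) (?P<dst>\S+?):+(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)(?P<syn> SYN)? \(#\d+\)"
)
MASQ_PORTS = range(61000, 65096)  # masquerade range quoted in the post
YEAR = 2000                       # assumption: syslog timestamps carry no year

def parse(line):
    """Return the fields of one log line as a dict, or None if it is not a packet log."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(lines):
    """Group denied TCP SYNs by (src, sport, dst, dport) and report the retry spacing."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == 6 and rec["syn"] and rec["action"] == "DENY":
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec["ts"])
    out = []
    for (src, sport, dst, dport), seen in flows.items():
        seen.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(seen, seen[1:])]
        out.append({"src": src, "sport": sport, "dport": dport, "count": len(seen),
                    "gaps": gaps, "masq_port": dport in MASQ_PORTS})
    return out

# Constructed sample input (documentation addresses, not the addresses from the post).
SAMPLE = [
    "Mar 28 14:04:16 firewall kernel: Packet log: input DENY eth9 PROTO=6 198.51.100.7:1849 192.0.2.1:15420 L=48 S=0x00 I=4419 F=0x4000 T=118 SYN (#24)",
    "Mar 28 14:04:19 firewall kernel: Packet log: input DENY eth9 PROTO=6 198.51.100.7:1849 192.0.2.1:15420 L=48 S=0x00 I=4420 F=0x4000 T=118 SYN (#24)",
    "Mar 28 14:04:25 firewall kernel: Packet log: input DENY eth9 PROTO=6 198.51.100.7:1849 192.0.2.1:15420 L=48 S=0x00 I=4429 F=0x4000 T=118 SYN (#24)",
    "Mar 28 14:05:02 firewall kernel: Packet log: input DENY eth9 PROTO=6 198.51.100.9:2100 192.0.2.1::61500 L=48 S=0x00 I=77 F=0x4000 T=118 SYN (#24)",
    "Mar 28 14:05:03 firewall sshd[412]: constructed non-firewall line",
]
```

Repeats from the same source port to the same destination port spaced 3 s and then 6 s apart are what a TCP stack retransmitting one unanswered SYN produces, so grouping by the full four-tuple separates retries of a single attempt from distinct probes.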