nanog mailing list archives
Re: Syn Flood
From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Tue, 25 Mar 2003 23:06:20 -0500
I would look for something like an IRC bot. ZoneAlarm may not catch it if it is on there for a while and some user 'permitted' it at some point. Usually, these bots have names to sound like system binaries. Antivirus software may not catch the agent.

Do you have any full packet captures from the system? Any traffic that could be control traffic (doesn't have to go to port 6667)?

On Tue, 25 Mar 2003 21:55:41 -0600 "Christopher Bird" <seabird () msn com> wrote:
> I have a problem on a home PC of all things. Every once in a while it bursts into life and syn floods an IP address on port 80. The IP addresses it chooses are random and varied. The network counters ratchet up alarmingly (as viewed in the connections window).
>
> I am running WinXP Pro on this box. I have ZoneAlarm, an SMC Barricade firewall, and Norton AntiVirus. I don't seem to be able to catch the computer at it, I just have the evidence after the event.
>
> I don't like the antisocial behavior that this is exhibiting and am wondering if the collective wisdom of this group might have any ideas how to track the issue down. According to virus checkers, I am clean.
>
> Thanks in advance
> Chris Bird
--
--------------------------------------------------------------------
jullrich () euclidian com
Collaborative Intrusion Detection
join http://www.dshield.org
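
The capture review suggested in the reply above can be sketched as follows. This is an added example, not part of the original posts: it flags bursts of bare SYNs leaving the suspect host and then lists remote endpoints that delivered payload to it shortly before the first burst, on any port. The CSV layout, the host address, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import csv
from collections import Counter
from io import StringIO

HOST = "192.168.2.10"  # assumed address of the suspect PC

# Constructed sample (documentation address ranges), not data from the thread.
# Columns: time_s, src, sport, dst, dport, tcp_flags, payload_bytes
SAMPLE = (
    f"5.00,{HOST},1040,203.0.113.5,80,S,0\n"
    f"5.05,203.0.113.5,80,{HOST},1040,SA,0\n"
    f"5.10,{HOST},1040,203.0.113.5,80,PA,310\n"
    f"5.30,203.0.113.5,80,{HOST},1040,PA,1400\n"
    f"99.20,198.51.100.7,8080,{HOST},1031,PA,64\n"
    f"99.25,{HOST},1031,198.51.100.7,8080,A,0\n"
    + "".join(f"{100 + i / 250:.3f},{HOST},{2000 + i},192.0.2.80,80,S,0\n"
              for i in range(200))
)

def triage(text, host, syn_threshold=100, lookback=5.0):
    """Return (flood_targets, control_candidates) from a packet summary."""
    rows = [(float(t), src, int(sp), dst, int(dp), fl, int(n))
            for t, src, sp, dst, dp, fl, n in csv.reader(StringIO(text))]
    # Bare SYNs sent by the host, counted per destination per whole second.
    syns = Counter((dst, dp, int(t)) for t, src, _, dst, dp, fl, _ in rows
                   if src == host and fl == "S")
    bursts = [k for k, n in syns.items() if n >= syn_threshold]
    if not bursts:
        return [], []
    targets = sorted({(dst, dp) for dst, dp, _ in bursts})
    start = min(sec for _, _, sec in bursts)
    # Heuristic: a remote endpoint that delivered payload to the host shortly
    # before the first burst may be the control channel, whatever its port.
    candidates = sorted({(src, sp) for t, src, sp, dst, _, _, n in rows
                         if dst == host and n > 0
                         and start - lookback <= t < start
                         and (src, sp) not in targets})
    return targets, candidates

if __name__ == "__main__":
    flood, control = triage(SAMPLE, HOST)
    print("flood targets:", flood)
    print("control-channel candidates:", control)
```

The candidate list is only a starting point for inspection: ordinary traffic that happens to arrive just before a burst will also appear in it.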