Security Basics mailing list archives

RE: TCP Syn Flooding


From: "Michael Parker" <mparker () rim net>
Date: Mon, 17 Feb 2003 12:38:17 -0500

Sounds like someone was trying to syn flood your system and your firewall did what it was supposed to...blocked the 
connection to the offending system.  

A WHOIS of the source IP turned up these results:

Cable & Wireless CW-03BLK (NET-205-138-0-0-1) 
                                  205.138.0.0 - 205.140.255.255
Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1) 
                                  205.138.3.0 - 205.138.3.255

# ARIN WHOIS database, last updated 2003-02-16 20:00

I also did a tracert to that IP

Hop  IP Address       Host Name                              Sent   Recv      RTT   Av RTT  Min RTT  Max RTT   % Loss
<SNIP>
8    152.63.132.14    130.atm3-0.xr1.tor2.alter.net             1      1    10 ms    10 ms    10 ms    10 ms   0.000%
9    152.63.2.109     0.so-0-0-0.tl1.tor2.alter.net             1      1    10 ms    10 ms    10 ms    10 ms   0.000%
10   152.63.2.106     0.so-4-1-0.TL1.DCA6.ALTER.NET             1      1    30 ms    30 ms    30 ms    30 ms   0.000%
11   152.63.36.37     0.so-6-0-0.CL1.DCA1.ALTER.NET             1      1    30 ms    30 ms    30 ms    30 ms   0.000%
12   152.63.33.170    295.at-6-0-0.XR1.TCO1.ALTER.NET           1      1    30 ms    30 ms    30 ms    30 ms   0.000%
13   152.63.39.93     193.ATM6-0.GW5.TCO1.ALTER.NET             1      1    30 ms    30 ms    30 ms    30 ms   0.000%
14   157.130.79.194   doubleclick-gw.customer.alter.net         1      1    40 ms    40 ms    40 ms    40 ms   0.000%
15   205.138.3.201    [Unknown]                                 1      1    40 ms    40 ms    40 ms    40 ms   0.000%

Here is a link that provides information on a SYN attack - http://www.cert.org/advisories/CA-1996-21.html

Hope this helps.
Cheers,
Michael



-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding


OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network.. and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.
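The firewall log line quoted in the original message can be parsed and aggregated per source, which is what a defender would do before deciding whether an alert is a real flood. The following is an added example, not code from either poster: the regex for the Netgear log format, the burst threshold and the well-known-port heuristic are my assumptions, and the sample lines are constructed (the thread's single log line, unwrapped, plus two more in the same format).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed field layout of the Netgear log line shown in the thread (one event per line).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<action>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) - "
    r"'(?P<reason>[^']+)'"
)

def parse_event(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a, %m/%d/%Y %H:%M:%S")
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev

def summarize(lines, window=timedelta(minutes=5), threshold=3):
    """Group 'Syn Flooding' drops by source IP and flag bursts of `threshold`
    events inside `window`. Also note when every event has a well-known service
    source port (< 1024): that pattern is worth correlating with the LAN host's
    own outbound connections before treating it as an attack."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and "Syn Flooding" in ev["reason"]:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        burst = any(evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window
                    for i in range(len(evs) - threshold + 1))
        report[src] = {
            "count": len(evs),
            "burst": burst,
            "service_source_port": all(e["sport"] < 1024 for e in evs),
        }
    return report

# Constructed sample lines in the thread's log format (first one is the quoted event, unwrapped).
SAMPLE = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------",
    "Fri, 02/14/2003 20:36:10 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20310, LAN - 'TCP:Syn Flooding' End of Log ----------",
    "Fri, 02/14/2003 20:37:05 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20315, LAN - 'TCP:Syn Flooding' End of Log ----------",
    "Fri, 02/14/2003 21:40:00 - TCP connection dropped - Source:192.0.2.10, 4444, WAN - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding' End of Log ----------",
]
```

Running `summarize(SAMPLE)` reports 205.138.3.201 as a burst of three drops within the window, all from a service port, and 192.0.2.10 as a single non-burst event.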



