Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Michael Parker" <mparker () rim net>
Date: Tue, 18 Feb 2003 09:16:25 -0500
Hi Anomaly,

No apologies needed as you are indeed *mostly* correct. The source of a syn flood IS *usually* spoofed to prevent the victim system from returning a response (providing a syn/ack) but mostly to prevent the attacker from being identified. Since the object of a syn flood is to fill the connection buffer to the point that it can't respond (a brute force syn flood), spoofing isn't always absolutely necessary. In fact if I remember correctly, DDOS attacks that use syn flood don't necessarily spoof anyone's IP, they just use systems that have been compromised to initiate the syn flood (zombies).

It's also not really any part of a request for a web page per se, but a request to initiate a connection with another system.

Regards,
Michael

-----Original Message-----
From: Anomaly [mailto:computerhelp () host sk]
Sent: February 18, 2003 12:00 AM
To: Michael Parker; Tim Laureska; security-basics
Subject: RE: TCP Syn Flooding

Sorry if this has been mentioned before, but my email server has been bouncing messages back a lot lately so I have been missing quite a bit from the mailing list.

Tracing that IP address is useless if it was an actual SYN flood attempt. SYN flooding is when someone spoofs a TCP/IP packet and forms it to request a page from a webserver. When your server tries to complete the handshake it sends a packet back to the spoofed address and obviously the spoofed server/computer address isn't going to respond correctly or even at all since it didn't initiate the connection to begin with. Basically a person/hacker can fill up your server connection with false requests thus denying legit users from your content.

More than likely though it was a byproduct of something else since as you said it was the same address. Someone trying to attack your server would use multiple addresses causing a greater effect. It's quite easy to do since you're spoofing the packet to begin with. I highly doubt someone is purposely attacking you.

Someone please correct me if I stated anything wrong.

-Anomaly

---------- Original Message -----------
From: "Michael Parker" <mparker () rim net>
To: "Tim Laureska" <hometeam () goeaston net>, "security-basics" <security-basics () securityfocus com>
Sent: Mon, 17 Feb 2003 12:38:17 -0500
Subject: RE: TCP Syn Flooding
Sounds like someone was trying to syn flood your system and your firewall
did what it was supposed to...blocked the connection to the offending system.
A WHOIS of the source IP turned up these results:

Cable & Wireless CW-03BLK (NET-205-138-0-0-1)
                          205.138.0.0 - 205.140.255.255
Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1)
                          205.138.3.0 - 205.138.3.255

# ARIN WHOIS database, last updated 2003-02-16 20:00

I also did a tracert to that IP:

Hop  IP Address      Host Name                          Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
<SNIP>
8    152.63.132.14   130.atm3-0.xr1.tor2.alter.net      1     1     10 ms  10 ms   10 ms    10 ms    0.000%
9    152.63.2.109    0.so-0-0-0.tl1.tor2.alter.net      1     1     10 ms  10 ms   10 ms    10 ms    0.000%
10   152.63.2.106    0.so-4-1-0.TL1.DCA6.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
11   152.63.36.37    0.so-6-0-0.CL1.DCA1.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
12   152.63.33.170   295.at-6-0-0.XR1.TCO1.ALTER.NET    1     1     30 ms  30 ms   30 ms    30 ms    0.000%
13   152.63.39.93    193.ATM6-0.GW5.TCO1.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
14   157.130.79.194  doubleclick-gw.customer.alter.net  1     1     40 ms  40 ms   40 ms    40 ms    0.000%
15   205.138.3.201   [Unknown]                          1     1     40 ms  40 ms   40 ms    40 ms    0.000%
Here is a link that provides information on a SYN attack -
http://www.cert.org/advisories/CA-1996-21.html
Hope this helps.

Cheers,
Michael

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log ----------

What should I make of this?

T.
------- End of Original Message -------
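As an added illustration of the points made in this thread (the single-source, same-address observation versus a real flood from many sources), and not code written by any of the posters, the following Python triages Netgear-style 'TCP:Syn Flooding' log lines like the one Tim quoted. The line format is the one on the page; the parser, the 60-second window, the event and distinct-source thresholds, the list of well-known server ports, the verdict labels and the extra sample lines (using RFC 5737 documentation addresses) are all my own assumptions and constructed data. The reply-traffic heuristic rests on a plain TCP fact: a packet whose source port is a well-known server port and whose destination is an ephemeral port is the shape of a server's answer (such as a SYN/ACK) to a connection the inside host opened, so it is worth checking the inside host's own outbound activity before reading such entries as an attack.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Netgear log format as quoted in the thread, e.g.
# "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN
#  - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'"
LINE_RE = re.compile(
    r"^\w{3}, (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"(?P<action>.+?) - Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+) - '(?P<reason>[^']*)'$"
)

# Assumed set of well-known service ports; a packet *from* one of these *to* an
# ephemeral port is the shape of a server's reply, not of a client's SYN.
SERVER_PORTS = {21, 22, 25, 80, 110, 143, 443}


def parse_line(line):
    """Parse one firewall log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%m/%d/%Y %H:%M:%S")
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def assess(lines, window_seconds=60, min_events=20, min_sources=5):
    """Group SYN-flood drops by destination host and give each group a verdict.

    A real flood shows many events from many distinct sources in a short window
    (Anomaly's point that an attacker would use multiple addresses); a handful of
    entries from one address, all looking like server replies, does not.
    """
    by_dst = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["reason"] == "TCP:Syn Flooding":
            by_dst[ev["dst_ip"]].append(ev)

    verdicts = {}
    for dst, events in by_dst.items():
        events.sort(key=lambda e: e["ts"])
        window = deque()
        peak = peak_sources = 0
        for ev in events:
            # Sliding window: drop events older than window_seconds relative to this one.
            window.append(ev)
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
            peak_sources = max(peak_sources, len({e["src_ip"] for e in window}))

        reply_like = sum(
            1 for e in events if e["src_port"] in SERVER_PORTS and e["dst_port"] >= 1024
        )
        if peak >= min_events and peak_sources >= min_sources:
            verdict = "likely flood"
        elif reply_like == len(events):
            verdict = "looks like reply traffic"
        else:
            verdict = "low rate, monitor"
        verdicts[dst] = {
            "events": len(events),
            "peak_in_window": peak,
            "peak_sources": peak_sources,
            "reply_like": reply_like,
            "verdict": verdict,
        }
    return verdicts


# Constructed sample log: Tim's quoted line, two more constructed entries from the
# same source, and a constructed 30-source burst against port 80 within ten seconds.
SAMPLE_LOG = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:41:17 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20377, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 21:02:44 - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    "Destination:69.2.167.25, 20512, LAN - 'TCP:Syn Flooding'",
] + [
    f"Sat, 02/15/2003 03:00:{i % 10:02d} - TCP connection dropped - "
    f"Source:198.51.100.{i + 1}, {40000 + i}, WAN - Destination:192.0.2.10, 80, LAN - 'TCP:Syn Flooding'"
    for i in range(30)
]

if __name__ == "__main__":
    for dst, info in assess(SAMPLE_LOG).items():
        print(dst, info)
```

Run the file directly to see one verdict per destination host; feed it the firewall's emailed log lines instead of SAMPLE_LOG to triage a real box. Tune the window and thresholds to the link: a home cable connection of that era would be saturated by far fewer half-open connections than a data-centre host.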