Re: TCP Syn Flooding

[neopara <neopara () shaw ca>]

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> OK. I just installed a Netgear firewall box between a cable modem and a
> NT 4.0 server on a small network.. and set it up to email me attempts at
> security breaches. I am brand new to these devices and a relative
> neophyte to internet/internal network security.  So the question is
> this. 
>
> I received this message a few times yesterday after I installed the box:
>
>
> Fri, 02/14/2003 20:35:01 - TCP connection dropped -
> Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
> 'TCP:Syn Flooding' End of Log ----------
>
> What should I make of this?
>  
> T.

It could also be a false positive?  IDSes are kinda sensitive to syn
flood signatures.  I am guesses your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection which is triggering that signature.  It would help to know if
there is an legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say,
About my life, A Life of Dreams....