Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Michael Parker" <mparker () rim net>
Date: Tue, 18 Feb 2003 12:49:05 -0500
Hi Anders -

This was very interesting (useful) information...thanks :)

I wasn't aware of the residual traffic that could be generated after visiting a web site (and the resulting false positives). In light of the few messages he did receive, it does make sense.

regards,
Michael

-----Original Message-----
From: Anders Reed Mohn [mailto:anders_rm () utepils com]
Sent: February 17, 2003 5:10 PM
To: Tim Laureska; security-basics
Subject: Re: TCP Syn Flooding

I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log ----------

What should I make of this?

Not sure, Tim, but I'll make a guess. Is there a website at 205.138.3.201 that you've visited?

Now, the firewall will have reacted because this address sent one or more SYN packets that weren't expected. The target port for the SYN packet is a typical client port, and not a service, so it's probably not an attack of any sort.

This is something that all firewalls log tons of after you've visited a web-site. I think the explanation is that when you _left_ the page, the TCP-connections to it were not closed. Thus, the remote server still thinks you are connected, and sends traffic to you. Your firewall, however, has already dropped the connection and therefore thinks this is illegitimate traffic.

Cheers,
Anders :)
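
The triage reasoning in this thread (source port is a web service, destination port is a client port) can be applied to a whole log, shown here as an added example that is not part of the original messages. The log format is inferred from the single line quoted above; the port sets, the 1024 threshold, the labels and the second sample line are assumptions.

```python
import re

# First line is the entry quoted in the thread; the second is constructed.
SAMPLE_LOG = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:41:17 - TCP connection dropped - Source:198.51.100.7, 43211, WAN - Destination:69.2.167.25, 25, LAN - 'TCP:Syn Flooding'
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) - "
    r"'(?P<rule>[^']*)'$"
)

WEB_PORTS = {80, 443}    # assumption: services LAN clients browse to
CLIENT_PORT_MIN = 1024   # assumption: ports at or above this are client-side


def parse_line(line):
    """Return the fields of one log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def classify(rec):
    """Label an entry using the source-port / destination-port heuristic."""
    inbound = rec["szone"] == "WAN" and rec["dzone"] == "LAN"
    if inbound and rec["sport"] in WEB_PORTS and rec["dport"] >= CLIENT_PORT_MIN:
        return "likely-residual-reply"      # server answering a closed session
    if inbound and rec["dport"] < CLIENT_PORT_MIN:
        return "inbound-to-service-port"    # aimed at a service: look closer
    return "review"


def triage(text):
    """Classify every parseable line; unparseable lines are skipped."""
    recs = (parse_line(line) for line in text.splitlines())
    return [(r["src"], r["sport"], r["dport"], classify(r)) for r in recs if r]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The label is a sorting aid only: a "likely-residual-reply" entry still deserves a check that a LAN host actually contacted that address shortly before the drop.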