RE: TCP Syn Flooding

["Tim Laureska" <hometeam () goeaston net>]

Uuh... basic question I'm sure but what do you mean by a "signature
based alert"?

-----Original Message-----
From: neopara [mailto:neopara () shaw ca] 
Sent: Tuesday, February 18, 2003 12:32 AM
To: security-basics
Subject: Re: TCP Syn Flooding

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> OK. I just installed a Netgear firewall box between a cable modem and
a
> NT 4.0 server on a small network.. and set it up to email me attempts
at
> security breaches. I am brand new to these devices and a relative
> neophyte to internet/internal network security.  So the question is
> this. 
>
> I received this message a few times yesterday after I installed the
box:
> Fri, 02/14/2003 20:35:01 - TCP connection dropped -
> Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
> 'TCP:Syn Flooding' End of Log ----------
>
> What should I make of this?
>  
> T.

It could also be a false positive?  IDSes are kinda sensitive to syn
flood signatures.  I am guesses your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection which is triggering that signature.  It would help to know if
there is an legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say,
About my life, A Life of Dreams....