Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Tim Laureska" <hometeam () goeaston net>
Date: Tue, 18 Feb 2003 13:22:20 -0500
Uuh... basic question I'm sure but what do you mean by a "signature based alert"?

-----Original Message-----
From: neopara [mailto:neopara () shaw ca]
Sent: Tuesday, February 18, 2003 12:32 AM
To: security-basics
Subject: Re: TCP Syn Flooding

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network.. and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:
>
> Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
> End of Log ----------
>
> What should I make of this?
>
> T.

It could also be a false positive? IDSes are kinda sensitive to syn flood signatures. I am guessing your firewall is just dropping the syn packet, so an application could be repeatedly trying to establish a connection which is triggering that signature. It would help to know if there is a legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say, About my life, A Life of Dreams....
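
Added example, not part of the original thread: a small Python parser for log entries in the format quoted above. It groups alerts by source and applies a simple port-pair heuristic to separate what looks like return traffic from a server (source port 80 to a high port) from connections aimed at a LAN service. The second and third sample lines, the 1024 port threshold and the verdict labels are assumptions made for illustration.

```python
import re
from collections import Counter

# First line is the entry quoted in the thread; the other two are constructed
# for illustration and use documentation address ranges.
SAMPLE_LOG = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:41:12 - TCP connection dropped - Source:203.0.113.7, 41022, WAN - Destination:198.51.100.10, 25, LAN - 'TCP:Syn Flooding'
Fri, 02/14/2003 20:41:13 - TCP connection dropped - Source:203.0.113.7, 41023, WAN - Destination:198.51.100.10, 25, LAN - 'TCP:Syn Flooding'
"""

ENTRY = re.compile(
    r"^(?P<when>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - (?P<action>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_if>\w+) - "
    r"'(?P<signature>[^']+)'\s*$"
)

def parse_entries(text):
    """Return one dict per line that matches the log format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def triage(e, well_known=1024):
    """Heuristic (an assumption, not a verdict): judge direction from the port pair."""
    if e["sport"] < well_known <= e["dport"]:
        return "reply-like"          # server port -> client port: likely return traffic
    if e["dport"] < well_known <= e["sport"]:
        return "inbound-to-service"  # client port -> service port on the LAN side
    return "undetermined"

def summarize(entries):
    """Count alerts per (source IP, destination port, verdict) to expose repeats."""
    return Counter((e["src"], e["dport"], triage(e)) for e in entries)

if __name__ == "__main__":
    for key, count in summarize(parse_entries(SAMPLE_LOG)).items():
        print(count, key)
```

A "reply-like" result only says the port pair resembles traffic coming back from a server a LAN host contacted; confirming that still means checking which application on the LAN side was using the destination port.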