Security Basics mailing list archives
RE: TCP Syn Flooding
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Tue, 18 Feb 2003 13:47:19 -0500
I think I have to disagree with everyone about this being an actual Syn Flood attack. A Syn Flood happens when an attacker sends a whole bunch of SYN requests to the same IP address in the hopes of denying the service. That could be happening here, but look at what is going on below.

The source of the attack is 205.138.3.201 port 80. As Michael Parker pointed out, the address is owned by DoubleClick, the notorious ad and tracking people on the web. The destination of the attack is 69.2.167.25 port 20306. I'm assuming this is your address. You may wish to obfuscate your address in the future for security reasons. Anyhow, port 20306 is an ephemeral port, meaning that you probably don't have a service listening on it and it was a port that a client program was using to communicate on. My guess is you had a web browser on it.

Probably what was happening was that you were surfing the web and hit a site that had an image reference to this doubleclick server. Your web browser went to that server and the server tried to send more information to your browser. This is what your firewall blocked.

I would check to see how Netgear determines it is a Syn Flood. With RealSecure, the default settings for a Syn Flood are so small that a lot of normal connections with retries will trigger the signature. This is what may be happening here.

Bottom line is you have to take into account everything that was happening. If you were on the web at the time, I would be willing to bet that my description above is close to what happened. If not, then it is possible someone was Syn Flooding you, probably not to crash your machine, but more likely to take up your bandwidth.

Tyler

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log ----------

What should I make of this?

T.
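Tyler's reasoning (service source port plus ephemeral destination port means leftover traffic from an outbound client connection, not a flood against a listening service) can be turned into a triage rule over the Netgear alert lines. The script below is an added example, not code from the list or from Netgear; the log format is taken from the single line Tim quoted, the extra log entries and the port sets are constructed assumptions, and the flood threshold is arbitrary.

```python
import re
from collections import Counter
# Netgear alert format as quoted in the original message (assumed one entry per line).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+ - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), \w+ - '(?P<sig>[^']+)'$"
)
SERVICE_PORTS = {25, 53, 80, 443}  # assumption: ports treated as the server side
EPHEMERAL_MIN = 1024               # assumption: client-side ports start here

def parse_line(line):
    """Return the alert fields, or None for non-alert lines such as 'End of Log'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Service source port + ephemeral destination port = the tail of an outbound
    client connection (server retries after firewall state expired), not a flood."""
    if rec["sport"] in SERVICE_PORTS and rec["dport"] >= EPHEMERAL_MIN:
        return "return-traffic"
    return "inbound-to-service" if rec["dport"] < EPHEMERAL_MIN else "unknown"

def triage(lines, flood_threshold=5):
    """Group SYN-flood alerts by (dst, dport); repeated hits on a listening service
    port are the shape a real flood takes, a lone hit on an ephemeral port is not."""
    counts, verdicts = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sig"] != "TCP:Syn Flooding":
            continue
        key = (rec["dst"], rec["dport"])
        counts[key] += 1
        verdicts.setdefault(key, classify(rec))
    for key, n in counts.items():
        if verdicts[key] == "inbound-to-service" and n >= flood_threshold:
            verdicts[key] = "syn-flood"
    return verdicts
SAMPLE_LOG = [  # first entry is the line quoted on the list; the rest are constructed
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN"
    " - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
] + [
    f"Sat, 02/15/2003 03:10:{i:02d} - TCP connection dropped - Source:192.0.2.{i}, "
    f"{40000 + i}, WAN - Destination:198.51.100.7, 25, LAN - 'TCP:Syn Flooding'"
    for i in range(1, 7)
]
```

Running `triage(SAMPLE_LOG)` labels the quoted DoubleClick alert as return traffic and the constructed burst against port 25 as a flood; checking how the firewall's own SYN-flood counter is tuned, as the reply suggests, is still the first thing to do.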