Security Basics mailing list archives

RE: TCP Syn Flooding


From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Tue, 18 Feb 2003 13:47:19 -0500

I think I have to disagree with everyone about this being an actual Syn
Flood attack.  A Syn Flood happens when an attacker sends a whole bunch of
SYN requests to the same IP address in the hopes of denying the service.
That could be happening here, but look at what is going on below.

The source of the attack is 205.138.3.201 port 80.  As Michael Parker
pointed out, the address is owned by DoubleClick, the notorious ad and
tracking people on the web.

The destination of the attack is 69.2.167.25 port 20306.  I'm assuming this
is your address.  You may wish to obfuscate your address in the future for
security reasons.  Anyhow, port 20306 is an ephemeral port, meaning that you
probably don't have a service listening on it and it was a port that a
client program was using to communicate on.  My guess is you had a web
browser on it.

Probably what was happening was that you were surfing the web and hit a site
that had an image reference to this doubleclick server.  Your web browser
went to that server and the server tried to send more information to your
browser.  This is what your firewall blocked.

I would check to see how Netgear determines it is a Syn Flood.  With
RealSecure, the default settings for a Syn Flood are so small that a lot of
normal connections with retries will trigger the signature.  This is what
may be happening here.

Bottom line is you have to take into account everything that was happening.
If you were on the web at the time, I would be willing to bet that my
description above is close to what happened.  If not, then it is possible
someone was Syn Flooding you, probably not to crash your machine, but more
likely to take up your bandwidth.

Tyler
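The reasoning in the reply above can be turned into a small triage script. This is an added example, not code from the thread or from Netgear: it parses log lines in the format Tim posted, applies the "which end is the server?" check (source port 80 to a high client port means return traffic from a web server, not a new connection aimed at a service), and then runs the kind of count-per-window threshold a firewall signature uses, so you can see how a low threshold fires on a few retries of one ordinary connection while a burst of SYNs from many sources at a listening port is the real pattern. The 1024 service/ephemeral split, the threshold and window values, and all log lines other than the one from the original message are assumptions constructed for this example.

```python
"""Triage 'TCP:Syn Flooding' firewall log lines.

Added example, not from the original thread or from Netgear. Sample log
lines below are constructed for illustration; only the first one is the
line quoted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of the Netgear line quoted in the thread; the signature
# name is the quoted field at the end.
LOG_RE = re.compile(
    r"(?P<when>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - TCP connection dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - "
    r"'(?P<sig>[^']+)'"
)

# Assumption for this example: ports below 1024 are treated as service
# ports, anything at or above as a client's ephemeral port.
EPHEMERAL_START = 1024


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "when": datetime.strptime(f["when"], "%a, %m/%d/%Y %H:%M:%S"),
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "sig": f["sig"],
    }


def direction(ev):
    """Which side of the connection is the server? A packet from a service
    port to an ephemeral port is a server answering a client, not a new
    connection attempt against a listening service."""
    if ev["sport"] < EPHEMERAL_START and ev["dport"] >= EPHEMERAL_START:
        return "server-to-client"   # e.g. web server :80 -> browser's port
    if ev["dport"] < EPHEMERAL_START:
        return "client-to-service"  # aimed at a listening port on the LAN host
    return "unknown"


def peak_rate(events, window):
    """Largest number of events to one (dst, dport) inside any sliding window."""
    by_dst = defaultdict(list)
    for ev in events:
        by_dst[(ev["dst"], ev["dport"])].append(ev["when"])
    peaks = {}
    for key, times in by_dst.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def triage(lines, threshold, window=timedelta(seconds=60)):
    """Apply a SYN-count threshold per destination, then explain each hit
    with the direction heuristic. Returns {(dst, dport): (count, dirs, verdict)}."""
    events = [e for e in map(parse_line, lines) if e]
    peaks = peak_rate(events, window)
    out = {}
    for key, count in peaks.items():
        evs = [e for e in events if (e["dst"], e["dport"]) == key]
        dirs = sorted({direction(e) for e in evs})
        srcs = {e["src"] for e in evs}
        if count < threshold:
            verdict = "below threshold"
        elif dirs == ["server-to-client"] and len(srcs) == 1:
            verdict = "likely retries of a normal connection (false positive)"
        else:
            verdict = "possible SYN flood"
        out[key] = (count, dirs, verdict)
    return out


# Constructed sample: the line from the thread plus two retries from the same
# web server a few seconds apart, then a burst of 40 SYNs from 40 different
# sources at the LAN host's own web port within 40 seconds.
SAMPLE = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:35:04 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:35:10 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
] + [
    f"Fri, 02/14/2003 21:00:{i:02d} - TCP connection dropped - Source:198.51.100.{i}, {40000 + i}, WAN - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding'"
    for i in range(1, 41)
]

if __name__ == "__main__":
    for thr in (3, 20):
        print(f"threshold={thr}")
        for key, (count, dirs, verdict) in triage(SAMPLE, threshold=thr).items():
            print(f"  {key[0]}:{key[1]} count={count} {dirs} -> {verdict}")
```

With a threshold of 3 in a 60-second window the three server-to-client packets at port 20306 trip the signature just as the reply describes, and the direction check is what separates them from the 40-source burst at port 80; raising the threshold to 20 silences the retries without hiding the burst.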

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding


OK. I just installed a Netgear firewall box between a cable modem and an
NT 4.0 server on a small network, and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this.

I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.
