Security Basics mailing list archives

RE: TCP Syn Flooding


From: "s7726" <s7726 () yahoo com>
Date: Tue, 18 Feb 2003 22:28:53 -0800

A thread here:
http://securitygeeks.shmoo.com/pipermail/sg-dc/2002q2/000285.html

says a little about swcd; a little more googling might turn something up.

-----Original Message-----
From: Fields, James [mailto:James.Fields () bcbsfl com]
Sent: Tuesday, February 18, 2003 4:44 AM
To: 'Tim Laureska'; security-basics
Subject: RE: TCP Syn Flooding


You have received a lot of replies to this already, but I have a slightly
different take on this.  The message says the traffic is sourced from port
80 and coming back to a high port on your end that would normally be in the
range used by client software (like a web browser). There actually does
appear to be a service listening on port 80 at the source (205.138.3.201)
but the default page is blank (you can do a "view source" in your browser
and see that it is a real html page, just with no content).  Telnetting to
the server on port 80 and issuing a GET I received the following:


HTTP/1.0 501 Not Implemented
Date: Tue, 18 Feb 2003 12:39:05 GMT
Server: swcd/5.0.2206
Connection: close

I do not know what type of server reports itself as "swcd" but it is listed
on a recent survey of popular web server tools as having about a 0.14% share
of installed servers.

What would be interesting is if you recently went there - maybe you didn't
know you were going there, if the user has a hostname published in DNS
somewhere.

In any case it would be odd for a web server to initiate a connection to you
(which is what would kick off a SYN flood).  However, the fact that they are
trying to hit you on what appears to be a client port may indicate that very
thing.  Does the NetGear tell you how many times they tried to connect and
over what period of time?  Does it tell you at least the "minimum"
connections it has to see before it alerts on a SYN flood?

-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network, and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this.

I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?

T.
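As an added example (not written by anyone in the thread), a small Python parser for the NetGear alert format quoted above that groups alerts per source address and reports the count, the time span and which side sits on a well-known port, i.e. the questions raised about the port-80-to-high-port pattern and about how many attempts over what period. Only the first sample line is from the post; the others are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the NetGear alert format quoted in the thread: line 1
# is the alert from the original post (flattened to one line); lines 2-3 are made up.
SAMPLE_LOG = """\
Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------
Fri, 02/14/2003 20:35:04 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------
Fri, 02/14/2003 21:10:17 - TCP connection dropped - Source:198.51.100.7, 4455, WAN - Destination:69.2.167.25, 139, LAN - 'TCP:Syn Flooding' End of Log ----------
"""

ALERT_RE = re.compile(
    r"^\w{3}, (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - '(?P<rule>[^']+)'"
)

def port_shape(sport, dport):
    """Which side is on a well-known (<1024) port: port 80 -> high port is reply-shaped."""
    if sport < 1024 <= dport:
        return "server-port to client-port"
    if dport < 1024 <= sport:
        return "client-port to server-port"
    return "ambiguous"

def parse_alert(line):
    """Parse one NetGear alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d/%Y %H:%M:%S")
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    a["shape"] = port_shape(a["sport"], a["dport"])
    return a

def summarize(log_text):
    """Per source address: alert count, seconds spanned and port shapes seen."""
    by_src = defaultdict(list)
    for alert in filter(None, map(parse_alert, log_text.splitlines())):
        by_src[alert["src"]].append(alert)
    report = {}
    for src, alerts in by_src.items():
        times = sorted(a["ts"] for a in alerts)
        report[src] = {
            "count": len(alerts),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "shapes": sorted({a["shape"] for a in alerts}),
        }
    return report
```

Feeding the firewall's e-mailed alerts into `summarize` answers "how many times and over what period" per source, which a single alert line cannot.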
