Security Basics mailing list archives

RE: TCP Syn Flooding


From: neopara <neopara () shaw ca>
Date: Thu, 20 Feb 2003 18:14:58 -0600

Most of the stand-alone or built-in (i.e. firewall) IDSes use
regular expressions to analyze the packets they are receiving.  Now if a
regular expression returns true after it is compared to a packet, then
the IDS will alert the admin.  In the world of IDS, pre-made regular
expressions are called signatures.  Hence the name signature-based
alerts.  If you have ever used an IDS like RealSecure or Snort, this can cause
some headaches because the signatures are too vague, and they get
triggered too easily.  That is why IDSes are not the end-all solution.
When you get an alert, check it out, but don't think right off the bat
you are getting attacked. I hope that helped a bit.

Paul Sliwowski

On Tue, 2003-02-18 at 12:22, Tim Laureska wrote:
Uuh... basic question I'm sure but what do you mean by a "signature
based alert"?

-----Original Message-----
From: neopara [mailto:neopara () shaw ca] 
Sent: Tuesday, February 18, 2003 12:32 AM
To: security-basics
Subject: Re: TCP Syn Flooding

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network.. and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this.

I received this message a few times yesterday after I installed the
box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.




It could also be a false positive?  IDSes are kinda sensitive to syn
flood signatures.  I am guessing your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection, which is triggering that signature.  It would help to know if
there is a legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say,
About my life, A Life of Dreams....

-- 
Nothing More, For Me to Say,
About my life, A Life of Dreams....
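Added example (not from this thread or from any IDS or Netgear product): a small Python matcher that uses the firewall log line quoted above as a regex "signature" and then counts dropped SYNs per source over a time window, so that a handful of retries from one host (the false-positive scenario Pawel describes) is reported differently from a real burst. The sample log lines, the 198.51.100.7 address, the 60-second window and the threshold of 20 are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Signature": a regex for the Netgear log format quoted in the thread.
SYN_FLOOD_SIG = re.compile(
    r"^(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - TCP connection dropped - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), WAN - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), LAN - "
    r"'TCP:Syn Flooding'"
)

# Constructed sample log: the thread's own line repeated a few times (one
# client retrying a refused connection), plus a burst from a documentation-
# range address (198.51.100.7), plus one unrelated line the signature ignores.
SAMPLE_LOG = [
    f"Fri, 02/14/2003 20:35:{s:02d} - TCP connection dropped - Source:205.138.3.201, 80, WAN - "
    f"Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------"
    for s in (1, 4, 9, 17)
] + [
    f"Fri, 02/14/2003 20:36:{s // 5:02d} - TCP connection dropped - Source:198.51.100.7, "
    f"{40000 + s}, WAN - Destination:69.2.167.25, 80, LAN - 'TCP:Syn Flooding'"
    for s in range(25)
] + ["Fri, 02/14/2003 20:37:00 - some unrelated firewall line"]

def parse_event(line):
    """Return the parsed fields if the signature matches the line, else None."""
    m = SYN_FLOOD_SIG.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a, %m/%d/%Y %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def classify(lines, window=timedelta(seconds=60), threshold=20):
    """Per source address, find the most drops seen inside any `window`.
    At or above `threshold` it is labelled 'flood'; fewer is 'retry'."""
    by_src = defaultdict(list)
    for ev in filter(None, (parse_event(l) for l in lines)):
        by_src[ev["src"]].append(ev["ts"])
    verdict = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak, start = 0, 0
        for i, t in enumerate(stamps):       # sliding window over sorted times
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        verdict[src] = ("flood" if peak >= threshold else "retry", peak)
    return verdict

if __name__ == "__main__":
    for src, (label, n) in classify(SAMPLE_LOG).items():
        print(f"{src}: {label} ({n} drops in the busiest 60 s window)")
```

The unmatched line shows the regex doing the signature's job; the per-source counting is the extra check an admin would apply before treating a single dropped SYN as an attack.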