Home page logo
/

basics logo Security Basics mailing list archives

Re: TCP Syn Flooding
From: "Anders Reed Mohn" <anders_rm () utepils com>
Date: Mon, 17 Feb 2003 23:09:32 +0100


I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?


Not sure, Tim, but I'll make a guess.
Is there a website at 205.138.3.201 that you've visited?

Now, the firewall will have reacted because this address sent one or more
SYN packets
that weren't expected. The target port for the SYN packet is a typical
client port,
and not a service, so it's probably not an attack of any sort.

This is something that all firewalls log tons of after you've visited a
web-site.
I think the explanation is that when you _left_ the page, the
TCP-connections to
it were not closed. Thus, the remote server still thinks you are connected,
and
sends traffic to you. Your firewall, however, has already dropped the
connection
and therefore thinks this is illegitimate traffic.

Cheers,
Anders :)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault