Home page logo
/

basics logo Security Basics mailing list archives

Re: TCP Syn Flooding
From: neopara <neopara () shaw ca>
Date: Mon, 17 Feb 2003 23:31:42 -0600

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network.. and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I installed the box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.




It could also be a false positive?  IDSes are kinda sensitive to syn
flood signatures.  I am guesses your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection which is triggering that signature.  It would help to know if
there is an legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say,
About my life, A Life of Dreams....


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault