mailing list archives
RE: TCP Syn Flooding
From: "Tim Laureska" <hometeam () goeaston net>
Date: Tue, 18 Feb 2003 13:22:20 -0500
Uuh... basic question I'm sure but what do you mean by a "signature
From: neopara [mailto:neopara () shaw ca]
Sent: Tuesday, February 18, 2003 12:32 AM
Subject: Re: TCP Syn Flooding
On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
OK. I just installed a Netgear firewall box between a cable modem and
NT 4.0 server on a small network.. and set it up to email me attempts
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security. So the question is
I received this message a few times yesterday after I installed the
Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:220.127.116.11, 80, WAN - Destination:18.104.22.168, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------
What should I make of this?
It could also be a false positive? IDSes are kinda sensitive to syn
flood signatures. I am guessing your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection which is triggering that signature. It would help to know if
there is a legitimate application that hits port 20306.
P.S. You should take signature based alerts with a grain of salt.
Nothing More, For Me to Say,
About my life, A Life of Dreams....
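
An added example, not part of the original messages: a small triage script for alert lines in the layout quoted above. It groups repeated alerts by flow and labels each flow, so a repeated hit like the port 80 to port 20306 one can be told apart from traffic aimed at a service port. The regex, the function names, the labelling heuristic and every sample line after the first are assumptions made for this example.

```python
import re
from collections import Counter

# Regex written for the alert layout quoted in the thread (an assumption about the format).
ALERT_RE = re.compile(
    r"(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - "
    r"'(?P<sig>[^']+)'"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):
    """Heuristic (assumption): low source port + high destination port looks like a reply."""
    if rec["sif"] == "WAN" and rec["sport"] < 1024 <= rec["dport"]:
        return "reply-like"        # e.g. a web server answering an inside client
    if rec["sif"] == "WAN" and rec["dport"] < 1024:
        return "inbound-service"   # unsolicited traffic aimed at a service port
    return "other"

def triage(lines):
    """Count alerts per (src, sport, dst, dport) flow and attach a label to each flow."""
    counts, labels = Counter(), {}
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        counts[flow] += 1
        labels[flow] = classify(rec)
    return [(flow, n, labels[flow]) for flow, n in counts.most_common()]

# First line is the alert from the thread; the rest are constructed for the example.
SAMPLE = [
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:220.127.116.11, 80, WAN - Destination:18.104.22.168, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------",
    "Fri, 02/14/2003 20:35:04 - TCP connection dropped - Source:220.127.116.11, 80, WAN - Destination:18.104.22.168, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:41:10 - TCP connection dropped - Source:203.0.113.7, 4312, WAN - Destination:192.0.2.10, 139, LAN - 'TCP:Syn Flooding'",
    "not an alert line",
]

if __name__ == "__main__":
    for flow, n, label in triage(SAMPLE):
        print(n, label, flow)
```

A "reply-like" flow that repeats is consistent with the false-positive reading given in the reply; an "inbound-service" flow deserves a closer look at what is listening on that port.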