Home page logo
/

basics logo Security Basics mailing list archives

RE: TCP Syn Flooding
From: "Tim Laureska" <hometeam () goeaston net>
Date: Tue, 18 Feb 2003 13:22:20 -0500

Uuh... basic question I'm sure but what do you mean by a "signature
based alert"?

-----Original Message-----
From: neopara [mailto:neopara () shaw ca] 
Sent: Tuesday, February 18, 2003 12:32 AM
To: security-basics
Subject: Re: TCP Syn Flooding

On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
OK. I just installed a Netgear firewall box between a cable modem and
a
NT 4.0 server on a small network.. and set it up to email me attempts
at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is
this. 

I received this message a few times yesterday after I installed the
box:


Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?
 
T.




It could also be a false positive?  IDSes are kinda sensitive to syn
flood signatures.  I am guesses your firewall is just dropping the syn
packet, so an application could be repeatedly trying to establish a
connection which is triggering that signature.  It would help to know if
there is an legitimate application that hits port 20306.

P.S. You should take signature based alerts with a grain of salt.

Pawel Sliwowski

Nothing More, For Me to Say,
About my life, A Life of Dreams....






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault