Home page logo

basics logo Security Basics mailing list archives

RE: TCP Syn Flooding
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Tue, 18 Feb 2003 13:47:19 -0500

I think I have to disagree with everyone about this being an actual Syn
Flood attack.  A Syn Flood happens when an attacker sends a whole bunch of
SYN requests to the same IP address in the hopes of denying the service.
That could be happening here, but look at what is going on below.

The source of the attack is port 80.  As Michael Parker
pointed out, the address is  owned by DoubleClick, the notorious ad and
tracking people on the web.  

The destination of the attack is port 20306.  I'm assuming this
is your address.  You may wish to obfuscate your address in the future for
security reasons.  Anyhow, port 20306 is an ephemeral port, meaning that you
probably don't have a service listening on it and it was a port that a
client program was using to communicate on.  My guess is you had a web
browser on it.

Probably what was happening was that you were surfing the web and hit a site
that had an image reference to this doubleclick server.  Your web browser
went to that server and the server tried to send more information to your
browser.  This is what your firewall blocked.

I would check to see how Netgear determines it is a Syn Flood.  With
RealSecure, the default settings for a Syn Flood are so small that a lot of
normal connections with retries will trigger the signature.  This is what
may be happening here.

Bottom line is you have to take into account everything that was happening.
If you were on the web at the time, I would be willing to bet that my
description above is close to what happened.  If not, then it is possible
someone was Syn Flooding you, probably not to crash your machine, but more
likely to take up your bandwidth.


-----Original Message-----
From: Tim Laureska [mailto:hometeam () goeaston net]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and a
NT 4.0 server on a small network.. and set it up to email me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is

I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:, 80, WAN - Destination:, 20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]