Home page logo

basics logo Security Basics mailing list archives

RE: TCP Syn Flooding
From: Chris Santerre <csanterre () MerchantsOverseas com>
Date: Tue, 18 Feb 2003 14:08:24 -0500

You mentioned an IRC program on the NT box. Is it still running or did you
kill it? It could be trying to "phone home". Just another idea. 

-----Original Message-----
From: Steve Suehring [mailto:sec () braingia org]
Sent: Tuesday, February 18, 2003 8:57 AM
To: Tim Laureska
Cc: security-basics
Subject: Re: TCP Syn Flooding

While I obviously can't guarantee it, I would sincerely doubt 
that there 
is a true syn flood taking place sourced in the doubleclick 
network.  What 
were you doing at the time?  Possibly surfing the web?  Those 
source and 
destination ports look awfully like you were surfing the web and 
doubleclick's side tried to open a connection to you for their load 
balancing software.

My guess would be that the netgear is picking up a false positive.  

Searching deja reveals that this may be the case after all:



On Sat, Feb 15, 2003 at 09:20:46AM -0500, Tim Laureska wrote:
OK. I just installed a Netgear firewall box between a cable 
modem and a
NT 4.0 server on a small network.. and set it up to email 
me attempts at
security breaches. I am brand new to these devices and a relative
neophyte to internet/internal network security.  So the question is

I received this message a few times yesterday after I 
installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:, 80, WAN - Destination:, 
20306, LAN -
'TCP:Syn Flooding' End of Log ----------

What should I make of this?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]