TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
The rationale I saw from ISS before is that in a real synflood, the source
address is spoofed, so RealSecure does not report synfloods as coming from
the address the packets said they came from, but from 0.0.0.0 instead. The
information saying 'SPOOFEDSRC <IP>' is telling you what the original IP
was.
I do not like this because it prevents you from being able to ignore
synflood false positives from certain addresses.
Now, if the product only allowed you to ignore specific alarms for
specific IPs rather than having to ignore everything...
-Jason
On Wed, 8 Mar 2000, Gary McIntyre wrote:
> Date: Wed, 8 Mar 2000 09:58:28 -0500
> From: Gary McIntyre <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: SYNFlood Source address 0.0.0.0
>
> This seems to be a normal reaction by RealSecure to some port scanning
> products. I have tested a number of different port scanners and some of
> them are not identified but show up as SYNFloods with 0.0.0.0 source
> addresses (Hoppa in particular).
>
> Gary McIntyre
> Network Consultant
> LGS Group Inc.
> [EMAIL PROTECTED]
>
> This user's PGP Public Keys can be
> obtained from certserver.pgp.com
>
> ----- Original Message -----
> From: "Ryan J. Standish" <[EMAIL PROTECTED]>
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Sent: Tuesday, March 07, 2000 10:26 PM
> Subject: SYNFlood Source address 0.0.0.0
>
> >
> > What does it mean when I get a SYNFlood with a source address of 0.0.0.0?
> > It also gives me the spoofed source address. I have a few dozen of these
> > in the logs.
> >
> > -R
> >
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
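The thread's complaint is that an alert whose reported source is 0.0.0.0 cannot be suppressed per address, because the address you would key the suppression on is only in the SPOOFEDSRC field. The following is an added example, not ISS or RealSecure code, showing a post-filter that keys suppression on (signature, originating IP), pulling the IP from SPOOFEDSRC when the source is 0.0.0.0. The `sig=... src=... dst=... info=...` line layout and all addresses are constructed for the example; the real RealSecure log format is not shown in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample alerts in a hypothetical key=value layout.
# Two SYNFlood alerts carry the 0.0.0.0 source plus a SPOOFEDSRC tag,
# one is a plain PortScan, one is a SYNFlood with a real source address.
SAMPLE_ALERTS = [
    "2000-03-08 09:58:28 sig=SYNFlood src=0.0.0.0 dst=10.0.0.5 info=SPOOFEDSRC 192.0.2.10",
    "2000-03-08 09:58:29 sig=SYNFlood src=0.0.0.0 dst=10.0.0.5 info=SPOOFEDSRC 198.51.100.7",
    "2000-03-08 09:59:01 sig=PortScan src=192.0.2.10 dst=10.0.0.5 info=",
    "2000-03-08 09:59:02 sig=SYNFlood src=203.0.113.9 dst=10.0.0.5 info=",
]


class Alert(NamedTuple):
    signature: str
    src: str
    dst: str
    spoofed_src: Optional[str]

    @property
    def origin(self) -> str:
        """Address to key suppression on: SPOOFEDSRC if present, else src."""
        return self.spoofed_src or self.src


ALERT_RE = re.compile(
    r"sig=(?P<sig>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+info=(?P<info>.*)$"
)
SPOOFED_RE = re.compile(r"SPOOFEDSRC\s+(\d{1,3}(?:\.\d{1,3}){3})")


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one alert line; returns None for lines that do not match the assumed layout."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    spoofed = SPOOFED_RE.search(m.group("info"))
    return Alert(
        m.group("sig"),
        m.group("src"),
        m.group("dst"),
        spoofed.group(1) if spoofed else None,
    )


# Suppression rules keyed by (signature, originating IP), so a known scanner
# host can be ignored for SYNFlood only while its other alerts still surface.
# Constructed rule for the example.
SUPPRESS = {("SYNFlood", "192.0.2.10")}


def is_suppressed(alert: Alert, rules=SUPPRESS) -> bool:
    """Suppression that looks through the 0.0.0.0 source to the SPOOFEDSRC address."""
    return (alert.signature, alert.origin) in rules


def naive_is_suppressed(alert: Alert, rules=SUPPRESS) -> bool:
    """Suppression keyed only on the reported src field; never matches 0.0.0.0 alerts."""
    return (alert.signature, alert.src) in rules


def filter_alerts(lines: List[str], rules=SUPPRESS) -> List[Alert]:
    """Return the parsed alerts that survive per-signature, per-origin suppression."""
    kept = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or is_suppressed(alert, rules):
            continue
        kept.append(alert)
    return kept


if __name__ == "__main__":
    for alert in filter_alerts(SAMPLE_ALERTS):
        print(alert.signature, alert.origin, "->", alert.dst)
```

Run as-is, the filter drops only the SYNFlood attributed to 192.0.2.10 via SPOOFEDSRC; the PortScan from the same host and the other two SYNFloods are kept, which is the per-alarm, per-IP behaviour the message above asks for. The `naive_is_suppressed` variant is included to show why keying on the src field alone cannot suppress these alerts.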