TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
In a SYNFlood attack, the source address is "spoofed" and does not
represent the true source of the packets. Also, the packets that make
up the attack are often made to appear to come from hundreds or
thousands of different source addresses.
To keep the activity tree window from becoming overwhelmed by
thousands of "fake" addresses, RealSecure reports the source address
in a SYNFlood attack uniformly as "0.0.0.0". Should it prove useful,
the "spoofed" address is reported with the event as additional
information.
False positives are a common occurrence with the SYNFlood event.
SYNFlood has threshold values that each customer should configure to
the typical traffic of their network. If the values are set too low,
the normal level of new TCP connections may appear as a SYNFlood
attack. If the values are set too high, RealSecure may not detect the
attack quickly enough to respond effectively. Unfortunately, I know no
hard and fast guidelines for choosing the best threshold values.
Although tedious, you can increase the thresholds slowly over time
until the number of false positives is below acceptable levels.
Another common cause (but less than above) for false positives occurs
with RealSecure customers with redundant network paths. In some
redundant networks, inbound packets to a server follow one path and
responses from the server follow another. If the RealSecure engine is
attached to only one of the redundant paths, it will not be able to
correctly match requests with responses. It will then believe that
SYNFloods are occurring when they are not.
We are currently exploring ways to make the SYNFlood detector less
prone to false positives.
Paul
- -----Original Message-----
From: Ryan J. Standish [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 07, 2000 4:21 PM
To: [EMAIL PROTECTED]
Subject: SYNFlood Source address 0.0.0.0
What does it mean when I get a SYNFlood with a source address of 0.0.0.0?
It also gives me the spoofed source address. I have a few dozen of these
in the logs.
- -R
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5
iQCVAwUBOMfCzISi4VqTDp53AQHnHQP+P08ibgr+aWDPWs1Z2kMXbwqqiM4Pz7ct
+BgcSwMwXynXa+VKe18iLyITDUCTlB9uLHxiJPZoKxqpTQjMirD5t/h/9myQH3PZ
U/6GmpAS7Brr2GT6L4X7zqjNFfbMOA9g1C8h4fHIrUgTdRahWnTDO0S6btVeYKdw
125tn5sKRxk=
=UxJc
-----END PGP SIGNATURE-----
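The behaviour Paul describes above (reporting a flood under the placeholder source 0.0.0.0 while keeping the spoofed addresses as extra detail, a tunable threshold that misfires when set too low or too high, and false positives when the sensor sees only one of two redundant paths) can be reproduced with a small half-open-connection detector. The code below is an added illustration written for this thread; it is not RealSecure's code, and the packet-record format, function names, threshold default and the three constructed traces are all assumptions of the example. Beyond the thread's description, it also shows one way to tolerate the asymmetric-path case: treating the client's third handshake packet, which travels the same inbound path as its SYN, as evidence that the handshake completed.

```python
"""Half-open (SYN flood) detector run over constructed packet traces.

Packet record (assumed format for this example): (time_s, src, dst, flags),
where flags is a set of TCP flag names such as {"SYN"} or {"SYN", "ACK"}.
"""


def detect_syn_flood(packets, threshold=50, window_s=1.0, accept_client_ack=False):
    """Return one alert per destination whose count of unanswered SYNs within
    `window_s` seconds reaches `threshold`.

    A pending SYN is cleared by a SYN-ACK from dst back to src (reply path).
    With accept_client_ack=True, a bare ACK from src to dst (the client's third
    handshake packet, seen on the inbound path) also clears it; this is the
    workaround for a sensor attached to only one of two redundant paths.
    Alerts use the placeholder source 0.0.0.0 and carry the spoofed sources
    as additional information, mirroring the reporting style described above.
    """
    pending = {}      # (src, dst) -> time the SYN was seen
    alerted = set()   # destinations already reported
    alerts = []
    for t, src, dst, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            pending[(src, dst)] = t
            # Drop entries that fell out of the sliding window.
            pending = {k: v for k, v in pending.items() if t - v <= window_s}
            half_open = [s for (s, d) in pending if d == dst]
            if len(half_open) >= threshold and dst not in alerted:
                alerted.add(dst)
                alerts.append({
                    "dst": dst,
                    "src": "0.0.0.0",              # placeholder, as in the report
                    "half_open": len(half_open),
                    "spoofed_sources": sorted(half_open),
                })
        elif "SYN" in flags and "ACK" in flags:
            # Server's SYN-ACK: the client is `dst` here, so clear (client, server).
            pending.pop((dst, src), None)
        elif "ACK" in flags and accept_client_ack:
            pending.pop((src, dst), None)
    return alerts


SERVER = "192.0.2.10"  # constructed address for the protected host


def trace_normal(n=60, include_syn_ack=True):
    """Constructed trace: n complete handshakes from distinct clients in one
    second. With include_syn_ack=False the server's replies travel a path the
    sensor cannot see (the redundant-path case)."""
    pk = []
    for i in range(n):
        t, client = i / n, f"10.0.0.{i + 1}"
        pk.append((t, client, SERVER, {"SYN"}))
        if include_syn_ack:
            pk.append((t + 0.001, SERVER, client, {"SYN", "ACK"}))
        pk.append((t + 0.002, client, SERVER, {"ACK"}))
    return sorted(pk, key=lambda p: p[0])


def trace_asymmetric(n=60):
    """Constructed trace: same handshakes, but SYN-ACKs are never observed."""
    return trace_normal(n, include_syn_ack=False)


def trace_flood(n=200):
    """Constructed trace: n SYNs with spoofed sources in half a second and no
    replies, since the spoofed hosts never see the SYN-ACKs."""
    return [(i * 0.0025, f"198.51.100.{i % 254 + 1}", SERVER, {"SYN"})
            for i in range(n)]


if __name__ == "__main__":
    print("normal:", detect_syn_flood(trace_normal()))
    print("flood:", detect_syn_flood(trace_flood()))
    print("asymmetric, default:", detect_syn_flood(trace_asymmetric()))
    print("asymmetric, client ACK accepted:",
          detect_syn_flood(trace_asymmetric(), accept_client_ack=True))
    print("flood, threshold too high:", detect_syn_flood(trace_flood(), threshold=300))
```

Running it shows the three situations from the thread: normal traffic raises nothing at the default threshold but does at threshold=1 (set too low), the flood raises one alert reported against 0.0.0.0 with the first fifty spoofed sources attached, and the same flood goes unreported at threshold=300 (set too high). The asymmetric trace is a false positive unless the client's final ACK is accepted as proof the handshake completed.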