TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

My understanding of this is that, because a real synflood will most likely
originate from a spoofed source address, RealSecure does not trust the
source in a supposed "SYNFLOOD" attack and substitutes the illegal address
0.0.0.0 for the actual source address the packets came from and then saves
the original source address in the information field, claiming it was
spoofed.  My experience with this is that with the default thresholds, it
catches mostly legitimate traffic (false positives).

The problem with RealSecure substituting 0.0.0.0 for the real source
address is that you can no longer implement filters to catch frequent
false positive offenders, since everyone is lumped into the single 0.0.0.0
source.

-Jason

On Mon, 3 Jul 2000 [EMAIL PROTECTED] wrote:

> Date: Mon Jul 03 12:43:34 2000
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED],
>     [EMAIL PROTECTED]
> Subject: Re: SYNFLOOD
> 
> 
> 
> I have received the same response, and I find it very frustrating since I have
> contacted ISS on what the spoofedsrc field is actually trying to tell me.  I got a
> spoofed src of 0.0.0.0 but the information field pointed to my firewall address.
> When I contacted ISS about this they said that the spoofedsrc field is a guess as to
> who could be causing this synflood.  Anyone out there, please clarify what the
> purpose of this spoofed src field really is?
> 
> mark
> 
> 
> 

-- 

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
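As an added illustration of the filtering problem Jason describes (this is example code written for this archive page, not anything from ISS or RealSecure): the source field of every SYNFLOOD alert reads 0.0.0.0, so a filter keyed on that field silences all SYNFLOOD alerts at once. Since the address the packets actually came from is stored in the information field, a workaround is to recover it from there and key the false-positive filter and the offender count on that recovered address instead. The pipe-delimited alert layout, the "spoofed src:" wording and the addresses below are constructed assumptions; the real export format is not shown in the thread.

```python
"""Filter RealSecure-style SYNFLOOD alerts on the address the sensor stashed in
the information field, since the source field is always 0.0.0.0.

Example code written for this page; the alert format is an assumption."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample alerts (timestamp | signature | src | dst | info). This
# layout is hypothetical; substitute the parser for your actual export format.
SAMPLE_ALERTS = """\
2000-07-03 12:40:01|SYNFLOOD|0.0.0.0|10.1.2.3|spoofed src: 172.16.0.1
2000-07-03 12:40:07|SYNFLOOD|0.0.0.0|10.1.2.3|spoofed src: 172.16.0.1
2000-07-03 12:41:15|SYNFLOOD|0.0.0.0|10.1.2.9|spoofed src: 198.51.100.77
2000-07-03 12:42:30|SYNFLOOD|0.0.0.0|10.1.2.3|spoofed src: 172.16.0.1
2000-07-03 12:43:34|SYNFLOOD|0.0.0.0|10.1.2.4|spoofed src: 203.0.113.9
2000-07-03 12:44:02|PORTSCAN|192.0.2.10|10.1.2.3|ports 1-1024
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PLACEHOLDER_SRC = "0.0.0.0"


@dataclass(frozen=True)
class Alert:
    ts: str
    sig: str
    src: str
    dst: str
    info: str


def parse_alerts(text):
    """Split the constructed pipe-delimited lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst, info = line.split("|", 4)
        alerts.append(Alert(ts, sig, src, dst, info))
    return alerts


def effective_source(alert):
    """Return the address a filter should key on.

    For SYNFLOOD alerts the sensor writes 0.0.0.0 in the source field and puts
    the address the packets came from in the information field, so the first
    dotted quad found there is used. Other alerts keep their own source.
    """
    if alert.src == PLACEHOLDER_SRC:
        m = IP_RE.search(alert.info)
        if m:
            return m.group(0)
    return alert.src


def frequent_offenders(alerts, threshold):
    """Recovered sources seen in SYNFLOOD alerts at least `threshold` times."""
    counts = Counter(effective_source(a) for a in alerts if a.sig == "SYNFLOOD")
    return {addr: n for addr, n in counts.items() if n >= threshold}


def apply_filter(alerts, ignore_nets):
    """Drop SYNFLOOD alerts whose recovered source lies in any of ignore_nets.

    Filtering on alert.src would match every SYNFLOOD alert (all 0.0.0.0);
    filtering on the recovered address silences one known false-positive
    offender, such as the site firewall, and leaves the rest visible.
    """
    nets = [ip_network(n) for n in ignore_nets]
    kept = []
    for a in alerts:
        if a.sig == "SYNFLOOD":
            src = ip_address(effective_source(a))
            if any(src in n for n in nets):
                continue
        kept.append(a)
    return kept


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("frequent offenders:", frequent_offenders(alerts, 3))
    for a in apply_filter(alerts, ["172.16.0.1/32"]):
        print(a.ts, a.sig, effective_source(a), "->", a.dst)
```

Note that this only works as long as the sensor keeps writing the original address into the information field; if that field is empty or holds something other than an address, the alert falls through with source 0.0.0.0 and cannot be attributed.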