TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
This sounds correct.
I get around it by raising the high water mark to 120 and the packets per
event to 2000.
Any lower and I get constant false positives.
Hope this doesn't mean I am going to miss any "real" synfloods.
Thanks
Jonathan
-----Original Message-----
From: Jason Axley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 05, 2000 3:31 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: SYNFLOOD
My understanding of this is that, because a real synflood will most likely
originate from a spoofed source address, RealSecure does not trust the
source in a supposed "SYNFLOOD" attack and substitutes the illegal address
0.0.0.0 for the actual source address the packets came from and then saves
the original source address in the information field, claiming it was
spoofed. My experience with this is that with the default thresholds, it
catches mostly legitimate traffic (false positives).
The problem with RealSecure substituting 0.0.0.0 for the real source
address is that you can no longer implement filters to catch frequent
false positive offenders, since everyone is lumped into the single 0.0.0.0
source.
-Jason
On Mon, 3 Jul 2000 [EMAIL PROTECTED] wrote:
> Date: Mon Jul 03 12:43:34 2000
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: SYNFLOOD
>
>
> I have received the same response, and I find it very frustrating since I
> have contacted ISS on what the spoofedsrc field is actually trying to tell
> me. I got a spoofed src of 0.0.0.0 but the information field pointed to my
> firewall address. When I contacted ISS about this they said that the
> spoofedsrc field is a guess as to who could be causing this synflood.
> Anyone out there, please clarify what the purpose of this spoofed src field
> really is???
>
> mark
>
>
>
--
AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
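The two knobs Jonathan tunes (high water mark, packets per event) and the 0.0.0.0 substitution Jason describes, as an added Python model that is not RealSecure code and not from anyone in this thread. It assumes the high water mark is a limit on outstanding half-open SYNs per destination and packets per event is the number of SYNs between repeat alerts for the same destination; both are assumptions, and the traffic is constructed.

```python
from collections import defaultdict

SPOOF_PLACEHOLDER = "0.0.0.0"  # source the sensor reports when it suspects a spoofed SYN

def detect_synflood(packets, high_water_mark, packets_per_event):
    """Model detector (assumed semantics, not RealSecure's actual algorithm).
    packets: (src, dst, flag) with flag 'S' for a SYN or 'A' for the client's
    handshake-completing ACK. A destination's half-open count grows per SYN and
    shrinks when that source completes the handshake. Crossing high_water_mark
    fires an event; later events for the same destination fire only every
    packets_per_event SYNs. Events report 0.0.0.0 as src and keep the triggering
    packet's real source in 'info', mirroring the behaviour the thread describes."""
    half_open = defaultdict(set)        # dst -> sources with an outstanding SYN
    syns_since_event = defaultdict(int) # dst -> SYNs seen since the last event
    alerted = set()
    events = []
    for src, dst, flag in packets:
        if flag == "S":
            half_open[dst].add(src)
            syns_since_event[dst] += 1
        elif flag == "A":
            half_open[dst].discard(src)
        if len(half_open[dst]) <= high_water_mark:
            continue
        if dst not in alerted or syns_since_event[dst] >= packets_per_event:
            events.append({"dst": dst, "src": SPOOF_PLACEHOLDER, "info": src,
                           "half_open": len(half_open[dst])})
            alerted.add(dst)
            syns_since_event[dst] = 0
    return events

def drop_known_offenders(events, offenders):
    """Filter on the 'info' field (real source). Filtering on 'src' cannot work,
    because every SYNFLOOD event carries 0.0.0.0 there."""
    return [e for e in events if e["info"] not in offenders]

# Constructed traffic. Legitimate burst: 40 clients open connections at once and
# all complete the handshake shortly after, so half-open peaks at 40 and drains.
LEGIT_BURST = [(f"10.1.0.{i}", "192.0.2.10", "S") for i in range(1, 41)] + \
              [(f"10.1.0.{i}", "192.0.2.10", "A") for i in range(1, 41)]
# Flood: 200 SYNs from distinct sources that never complete the handshake.
FLOOD = [(f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 201)]

if __name__ == "__main__":
    print("low mark, legit burst :", detect_synflood(LEGIT_BURST, 20, 2000))   # false positive
    print("mark 120, legit burst :", detect_synflood(LEGIT_BURST, 120, 2000))  # no event
    print("mark 120, flood       :", detect_synflood(FLOOD, 120, 2000))        # one event
```

With the low mark the burst fires once (info 10.1.0.21, the source that crossed the mark), which is exactly the kind of event a filter on the info field can suppress; at 120 the same burst is silent while the flood still alerts.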