On 1/15/07, Christopher Snell <[EMAIL PROTECTED]> wrote: Has anybody experienced sudden surges of state > entries like this? Denial of service attack perhaps? > > There has been a surge of SYN scanning from machines on our network that were affected by the Symantec hole. That created a few thousand states and I ended up putting in some rules to deal with it. Check your state table for patterns...e.g. recurring ports, addresses with unreasonable numbers of states, a lot of connections to port 2967 outside of your network, etc.
-- Kian Mohageri