Re: SYN flood attacks?

2004-08-18 Thread Stephen J. Wilcox

we took around a gig of port 80 syn flooding to a customer web host, it was 
around 12-3pm utc.. ended when the customer disappeared off the net. not sure if 
this is unusual tho, there's hundreds of such attacks per day globally...

Steve

On Tue, 17 Aug 2004, [EMAIL PROTECTED] wrote:

> Sorry I didn't take the smart ass factor into account when I posted.  I have heard 
> that AOL and other mega proxies have been sending enough SYN floods (DDoS style) to 
> knock over Discover and Allstate.  I am not talking about small amounts of normal 
> traffic.
> Jason
> 
> -- Original message -- 
> 
> > 
> > 
> > On Tue, 17 Aug 2004 [EMAIL PROTECTED] wrote: 
> > > I have been hearing rumors about some SYN flood attacks on the Internet 
> > > today. Anybody hear anything? 
> > 
> > You will need to be more specific. 
> > 
> > There are syn flood attacks, icmp attacks, udp attacks, tcp attacks, dns 
> > attacks, http attacks, im attacks, ipsec attacks, etc going on every day, 
> > all day. 
> > 
> > 



Re: SYN flood attacks?

2004-08-17 Thread Matt Taber
One of my peers had a DOS against one of their colo customers.
Affected their/our connection to Level 3.  Appx 11:05am EDT
~
Matt Taber [EMAIL PROTECTED]
WMIS Internet http://www.wmis.net
"Accelerate ... It's a Speed Thing"
~

[EMAIL PROTECTED] wrote:
> Sorry I didn't take the smart ass factor into account when I posted.  I
> have heard that AOL and other mega proxies have been sending enough SYN
> floods (DDoS style) to knock over Discover and Allstate.  I am not
> talking about small amounts of normal traffic.
>
> Jason
> -- Original message --
> >
> > On Tue, 17 Aug 2004 [EMAIL PROTECTED] wrote:
> > > I have been hearing rumors about some SYN flood attacks on the Internet
> > > today. Anybody hear anything?
> >
> > You will need to be more specific.
> >
> > There are syn flood attacks, icmp attacks, udp attacks, tcp attacks, dns
> > attacks, http attacks, im attacks, ipsec attacks, etc going on every day,
> > all day.


Re: SYN flood attacks? [Virus Checked]

2004-08-17 Thread Brent_OKeeffe

I think I also heard about some new email worm that takes advantage of users that open attachments...

(Sorry, just HAD to jump on that bandwagon)

Brent






Richard A Steenbergen <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
08/17/2004 02:41 PM

        
        To:        [EMAIL PROTECTED]
        cc:        [EMAIL PROTECTED]
        Subject:        Re: SYN flood attacks?  [Virus Checked]



On Tue, Aug 17, 2004 at 06:28:55PM +, [EMAIL PROTECTED] wrote:
> I have been hearing rumors about some SYN flood attacks on the Internet 
> today.  Anybody hear anything?

Interesting coincidence, I just heard a rumor about someone receiving spam 
today. Perhaps they are connected. It might even be a conspiracy.

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)




Re: SYN flood attacks?

2004-08-17 Thread jgraun

Sorry I didn't take the smart ass factor into account when I posted.  I have heard that AOL and other mega proxies have been sending enough SYN floods (DDoS style) to knock over Discover and Allstate.  I am not talking about small amounts of normal traffic.
Jason
-- Original message --
>
> On Tue, 17 Aug 2004 [EMAIL PROTECTED] wrote:
> > I have been hearing rumors about some SYN flood attacks on the Internet
> > today. Anybody hear anything?
>
> You will need to be more specific.
>
> There are syn flood attacks, icmp attacks, udp attacks, tcp attacks, dns
> attacks, http attacks, im attacks, ipsec attacks, etc going on every day,
> all day.


Re: SYN flood attacks?

2004-08-17 Thread Richard A Steenbergen

On Tue, Aug 17, 2004 at 06:28:55PM +, [EMAIL PROTECTED] wrote:
> I have been hearing rumors about some SYN flood attacks on the Internet 
> today.  Anybody hear anything?

Interesting coincidence, I just heard a rumor about someone receiving spam 
today. Perhaps they are connected. It might even be a conspiracy.

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


Re: SYN flood attacks?

2004-08-17 Thread Sean Donelan


On Tue, 17 Aug 2004 [EMAIL PROTECTED] wrote:
> I have been hearing rumors about some SYN flood attacks on the Internet
> today.  Anybody hear anything?

You will need to be more specific.

There are syn flood attacks, icmp attacks, udp attacks, tcp attacks, dns
attacks, http attacks, im attacks, ipsec attacks, etc going on every day,
all day.




Lock Down (was Re: Syn Flood)

2003-03-25 Thread Mike Lewinski
Ron Harris wrote:
> I had success on several computers catching IRC Bots with SwatIT, which is
> free.
>
> http://www.lockdowncorp.com/

I would recommend that anyone who considers using Lock Down's software 
be aware of the content here:

http://www.pc-help.org/www.nwinternet.com/pchelp/lockdown/index.html

In short, the owner of pc-help.org was sued by Lock Down when he exposed 
their false advertising claims.

Lock Down lost their suit:

http://www.pc-help.org/suit/

Mike



Re: Syn Flood

2003-03-25 Thread Michael Painter

- Original Message -
From: "Christopher Bird" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 25, 2003 5:55 PM
Subject: Syn Flood

> I have a problem on a home PC of all things. Every once in a while it
> bursts into life and syn floods an IP address on port 80. The IP
> addresses it chooses are random and varied. The network counters ratchet
> up alarmingly (as viewed in the connections window). I am running winXP
> Pro on this box.

You might want to let a prog. such as TCP View (free) run while you're idle.  Beats trying to get netstat to capture it, imo.

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Also, close everything you can and look at what Processes are running.  Some of these things are hard to spot...I was infected and the offender was named "Iexplorer.exe", while the real IE is named IEXPLORE.exe and the real Explorer is named Explorer.exe.

Here's another free prog. which aids in tying a process to what's running it.

http://www.xmlsp.com/pview/prcview.htm

These "trojans" don't seem to be caught by some Anti-Virus programs...at least AVG didn't catch mine.  I ended up searching google for Iexplorer.exe and found (5 pages deep a year ago) an obscure thread which had part of the solution for removal.  I then searched the HD for any files created at the same time and found the rest of the (by then morphed) creature.

Good luck.

--Michael




> I have zone alarm, an SMC Barricade firewall, and Norton anti virus.
>
>
>
> I don't seem to be able to catch the computer at it, I just have the
> evidence after the event. I don't like the anti social behavior that
> this is exhibiting and am wondering if the collective wisdom of this
> group might have any ideas how to track the issue down.
>
>
>
> According to virus checkers, I am clean.
>
>
>
> Thanks in advance
>
>
>
> Chris Bird
>
>
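
Added example, not part of any poster's message: one way to catch the burst after the fact from saved `netstat -ano` snapshots, by counting half-open (SYN_SENT) port-80 connections per owning PID. The sample output, addresses (documentation ranges), PIDs and the `min_hosts` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output; the addresses are
# documentation ranges and the PIDs are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:1061      198.51.100.7:80        ESTABLISHED     1480
  TCP    192.168.1.20:3101      203.0.113.4:80         SYN_SENT        2212
  TCP    192.168.1.20:3102      203.0.113.77:80        SYN_SENT        2212
  TCP    192.168.1.20:3103      192.0.2.15:80          SYN_SENT        2212
  TCP    192.168.1.20:3104      192.0.2.201:80         SYN_SENT        2212
  TCP    192.168.1.20:3110      198.51.100.7:80        SYN_SENT        1480
  UDP    0.0.0.0:445            *:*                                    4
"""

# proto, local addr:port, remote addr:port, state, owning PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def half_open_by_pid(netstat_text, port=80):
    """Map PID -> set of remote hosts it has a SYN_SENT socket to on `port`."""
    hits = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _laddr, _lport, raddr, rport, state, pid = m.groups()
        if state == "SYN_SENT" and int(rport) == port:
            hits[int(pid)].add(raddr)
    return dict(hits)


def suspects(netstat_text, port=80, min_hosts=3):
    """PIDs with half-open connections to at least `min_hosts` distinct hosts."""
    found = half_open_by_pid(netstat_text, port)
    return sorted(pid for pid, hosts in found.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    for pid in suspects(SAMPLE):
        print("PID", pid, "holds many half-open port-80 connections")
```

A program that builds its SYN packets through raw sockets never creates entries in the connection table, so an empty result here does not clear the machine; a packet capture is the check for that case.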



Re: Syn Flood

2003-03-25 Thread Jack Bates

Christopher Bird wrote:
> I have zone alarm, an SMC Barricade firewall, and Norton anti virus.
> 

Ahhh, but do you have Ad-Aware?


-- 
-Jack



RE: Syn Flood

2003-03-25 Thread Ron Harris








I had success on several computers catching IRC Bots with SwatIT, which is free.

http://www.lockdowncorp.com/

Ron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Christopher Bird
Sent: Tuesday, March 25, 2003 8:56 PM
To: [EMAIL PROTECTED]
Subject: Syn Flood

I have a problem on a home PC of all things. Every once in a while it bursts into life and syn floods an IP address on port 80. The IP addresses it chooses are random and varied. The network counters ratchet up alarmingly (as viewed in the connections window). I am running winXP Pro on this box.

I have zone alarm, an SMC Barricade firewall, and Norton anti virus.

I don’t seem to be able to catch the computer at it, I just have the evidence after the event. I don’t like the anti social behavior that this is exhibiting and am wondering if the collective wisdom of this group might have any ideas how to track the issue down.

According to virus checkers, I am clean.

Thanks in advance

Chris Bird








Re: Syn Flood

2003-03-25 Thread Johannes Ullrich


I would look for something like an IRC bot. Zonealarm may not
catch it if it is on there for a while and some user 'permitted'
it at some point. Usually, these bots have names to sound like
system binaries. Anti virus software may not catch the agent.

Do you have any full packet captures from the system? Any traffic
that could be control traffic (doesn't have to go to port 6667)?



On Tue, 25 Mar 2003 21:55:41 -0600
"Christopher Bird" <[EMAIL PROTECTED]> wrote:

>  
> 
> I have a problem on a home PC of all things. Every once in a while it
> bursts into life and syn floods an IP address on port 80. The IP
> addresses it chooses are random and varied. The network counters ratchet
> up alarmingly (as viewed in the connections window). I am running winXP
> Pro on this box.
> 
>  
> 
> I have zone alarm, an SMC Barricade firewall, and Norton anti virus. 
> 
>  
> 
> I don't seem to be able to catch the computer at it, I just have the
> evidence after the event. I don't like the anti social behavior that
> this is exhibiting and am wondering if the collective wisdom of this
> group might have any ideas how to track the issue down.
> 
>  
> 
> According to virus checkers, I am clean.
> 
>  
> 
> Thanks in advance
> 
>  
> 
> Chris Bird
> 
> 


-- 

[EMAIL PROTECTED] Collaborative Intrusion Detection
 join http://www.dshield.org
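
Added example, not part of any poster's message: a check for the masquerading described in this thread (bots named to sound like system binaries, such as "Iexplorer.exe" beside the real IEXPLORE.exe and Explorer.exe). The allow-list, its expected folders, the distance threshold and every sample path are assumptions made for illustration; only the binary names quoted above come from the thread.

```python
import ntpath

# Assumed allow-list: a few real Windows binaries and the folder each is
# expected to run from (drive letter stripped, lower case).
KNOWN = {
    "iexplore.exe": r"\program files\internet explorer",
    "explorer.exe": r"\windows",
    "svchost.exe": r"\windows\system32",
    "services.exe": r"\windows\system32",
}


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path, max_distance=2):
    """Return (verdict, matched_known_name) for one process image path."""
    path = image_path.lower()
    name = ntpath.basename(path)
    folder = ntpath.splitdrive(ntpath.dirname(path))[1]
    if name in KNOWN:
        # Exact name: it is only trustworthy when it runs from the usual folder.
        return ("ok" if folder == KNOWN[name] else "known-name-wrong-folder", name)
    near = min(KNOWN, key=lambda known: edit_distance(name, known))
    if edit_distance(name, near) <= max_distance:
        return ("lookalike", near)  # near miss of a system binary name
    return ("unknown", None)


# Constructed process list for the demonstration.
SAMPLE = [
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"C:\WINDOWS\Explorer.exe",
    r"C:\WINDOWS\system32\Iexplorer.exe",
    r"C:\WINDOWS\Temp\svchost.exe",
    r"C:\Program Files\Notes\notes.exe",
]

if __name__ == "__main__":
    for image in SAMPLE:
        print(classify(image), image)
```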