Hi Anomaly,

No apologies needed as you are indeed *mostly* correct. The source of a syn flood IS *usually* spoofed to prevent the victim system from returning a response (providing a syn/ack) but mostly to prevent the attacker from being identified. Since the object of a syn flood is to fill the connection buffer to the point that it can't respond (a brute force syn flood), spoofing isn't always absolutely necessary. In fact if I remember correctly, DDOS attacks that use syn flood don't necessarily spoof anyone's IP, they just use systems that have been compromised to initiate the syn flood (zombies). It's also not really any part of a request for a web page per se, but a request to initiate a connection with another system.
Regards,
Michael

-----Original Message-----
From: Anomaly [mailto:[EMAIL PROTECTED]]
Sent: February 18, 2003 12:00 AM
To: Michael Parker; Tim Laureska; security-basics
Subject: RE: TCP Syn Flooding

Sorry if this has been mentioned before, but my email server has been bouncing messages back a lot lately so I have been missing quite a bit from the mailing list.

Tracing that IP address is useless if it was an actual SYN flood attempt. SYN flooding is when someone spoofs a TCP/IP packet and forms it to request a page from a webserver. When your server tries to complete the handshake it sends a packet back to the spoofed address and obviously the spoofed server/computer address isn't going to respond correctly or even at all since it didn't initiate the connection to begin with. Basically a person/hacker can fill up your server connection with false requests thus denying legit users from your content.

More than likely though it was a byproduct of something else since as you said it was the same address. Someone trying to attack your server would use multiple addresses causing a greater effect. It's quite easy to do since you're spoofing the packet to begin with. I highly doubt someone is purposely attacking you.

Someone please correct me if I stated anything wrong.

-Anomaly

---------- Original Message -----------
From: "Michael Parker" <[EMAIL PROTECTED]>
To: "Tim Laureska" <[EMAIL PROTECTED]>, "security-basics" <security-[EMAIL PROTECTED]>
Sent: Mon, 17 Feb 2003 12:38:17 -0500
Subject: RE: TCP Syn Flooding

> Sounds like someone was trying to syn flood your system and your firewall did what it was supposed to...blocked the connection to the offending system.
>
> A WHOIS of the source IP turned up these results:
>
> Cable & Wireless CW-03BLK (NET-205-138-0-0-1)
>     205.138.0.0 - 205.140.255.255
> Double Click, Inc. CW-205-138-3-A (NET-205-138-3-0-1)
>     205.138.3.0 - 205.138.3.255
>
> # ARIN WHOIS database, last updated 2003-02-16 20:00
>
> I also did a tracert to that IP
>
> Hop  IP Address      Host Name                          Sent  Recv  RTT    Av RTT  Min RTT  Max RTT  % Loss
> <SNIP>
> 8    152.63.132.14   130.atm3-0.xr1.tor2.alter.net      1     1     10 ms  10 ms   10 ms    10 ms    0.000%
> 9    152.63.2.109    0.so-0-0-0.tl1.tor2.alter.net      1     1     10 ms  10 ms   10 ms    10 ms    0.000%
> 10   152.63.2.106    0.so-4-1-0.TL1.DCA6.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
> 11   152.63.36.37    0.so-6-0-0.CL1.DCA1.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
> 12   152.63.33.170   295.at-6-0-0.XR1.TCO1.ALTER.NET    1     1     30 ms  30 ms   30 ms    30 ms    0.000%
> 13   152.63.39.93    193.ATM6-0.GW5.TCO1.ALTER.NET      1     1     30 ms  30 ms   30 ms    30 ms    0.000%
> 14   157.130.79.194  doubleclick-gw.customer.alter.net  1     1     40 ms  40 ms   40 ms    40 ms    0.000%
> 15   205.138.3.201   [Unknown]                          1     1     40 ms  40 ms   40 ms    40 ms    0.000%
>
> Here is a link that provides information on a SYN attack - http://www.cert.org/advisories/CA-1996-21.html
>
> Hope this helps.
> Cheers,
> Michael
>
> -----Original Message-----
> From: Tim Laureska [mailto:[EMAIL PROTECTED]]
> Sent: February 15, 2003 9:21 AM
> To: security-basics
> Subject: TCP Syn Flooding
>
> OK. I just installed a Netgear firewall box between a cable modem and a NT 4.0 server on a small network.. and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this.
>
> I received this message a few times yesterday after I installed the box:
>
> Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End of Log ----------
>
> What should I make of this?
>
> T.
------- End of Original Message -------
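The queue exhaustion that Anomaly describes (the server answers each SYN with a SYN/ACK, holds a half-open entry, and a spoofed source never completes the handshake), modelled as an added example that is not part of this thread and not anyone's posted code. It is a small Python model of one listening socket's SYN backlog: every SYN takes a slot, a legitimate client's final ACK frees its slot, and a slot whose SYN/ACK is never answered is only reclaimed when the half-open timeout expires. The backlog size, timeout, arrival rates and the 203.0.113.x / 198.51.100.7 addresses are constructed values chosen for illustration, not figures from the thread.

```python
"""Model of a listening socket's half-open (SYN_RCVD) queue under a SYN flood.

Constructed example: capacities, timeouts, rates and addresses are made up
for illustration and are not taken from the mailing-list thread.
"""
from __future__ import annotations


class SynBacklog:
    """Half-open connection table of one listening socket.

    A slot is taken when a SYN arrives (the server also sends a SYN/ACK to
    the claimed source) and freed when the handshake's final ACK arrives or
    when the entry outlives `timeout` seconds without an ACK.
    """

    def __init__(self, capacity: int, timeout: float) -> None:
        self.capacity = capacity
        self.timeout = timeout
        # (src, sport) -> time the SYN arrived
        self.half_open: dict[tuple[str, int], float] = {}
        self.dropped = 0  # SYNs refused because the queue was full

    def expire(self, now: float) -> int:
        """Drop entries whose SYN/ACK was never answered within the timeout."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """Handle an incoming SYN; return False if the queue had no room."""
        self.expire(now)
        key = (src, sport)
        if key in self.half_open:
            return True  # retransmitted SYN for an entry we already hold
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[key] = now
        return True

    def on_ack(self, src: str, sport: int) -> bool:
        """Final ACK of the handshake: entry becomes a full connection, leaves the queue."""
        return self.half_open.pop((src, sport), None) is not None


def simulate(flood_rate: int, backlog: int = 128, timeout: float = 75.0,
             duration: int = 10) -> dict[str, int]:
    """Run `duration` seconds: `flood_rate` spoofed SYNs per second (never ACKed)
    plus one legitimate client per second that completes its handshake."""
    q = SynBacklog(backlog, timeout)
    legit_ok = legit_fail = 0
    for second in range(duration):
        now = float(second)
        for i in range(flood_rate):
            # Constructed spoofed sources (TEST-NET-3); nothing ever answers the SYN/ACK.
            q.on_syn(f"203.0.113.{i % 256}", 1024 + (second * flood_rate + i) % 60000, now)
        # One real client (constructed TEST-NET-2 address) half a second later.
        sport = 40000 + second
        if q.on_syn("198.51.100.7", sport, now + 0.5):
            q.on_ack("198.51.100.7", sport)
            legit_ok += 1
        else:
            legit_fail += 1
    return {"legit_ok": legit_ok, "legit_fail": legit_fail,
            "half_open": len(q.half_open), "dropped": q.dropped}


if __name__ == "__main__":
    print("no flood:               ", simulate(0))
    print("20 SYN/s, 75 s timeout: ", simulate(20))
    print("20 SYN/s, 3 s timeout:  ", simulate(20, timeout=3.0))
```

With the constructed numbers the second run fills all 128 slots during the seventh second, after which every new SYN, including the legitimate client's, is refused even though the flood is only 20 packets a second; the third run shows that the half-open timeout is what bounds the damage, since with a 3 second timeout the queue never holds more than 60 entries and every legitimate client gets through. Note that the model counts slots, not bandwidth, which is why a modest spoofed rate is enough when the timeout is long.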
