RE: TCP Syn Flooding

From: Tim Laureska (hometeam@goeaston.net)
Date: 02/17/03

    From: "Tim Laureska" <hometeam@goeaston.net>
    To: "'Craig Searle'" <craig.searle@sift.com.au>, "'security-basics'" <security-basics@securityfocus.com>
    Date: Mon, 17 Feb 2003 17:15:14 -0500
    
    

    No... I would agree... just a small network hanging out there for
    someone to try their luck ... By the way, one of the reasons I put the
    firewall in place was that an IRC program started showing up on the
    server ... it would start with NT loading.... I looked all over the
    server (startup, programs, registry, etc) but couldn't find a reference
    to it... ever seen or heard of this?

    -----Original Message-----
    From: Craig Searle [mailto:craig.searle@sift.com.au]
    Sent: Monday, February 17, 2003 5:09 PM
    To: 'Tim Laureska'; 'security-basics'
    Subject: RE: TCP Syn Flooding

    Probably both. TCP SYN floods are usually popular with kiddies due to
    their relative 'ease of use'. The majority of these attacks are poorly
    co-ordinated and usually blocked at/by the firewall with relative ease.

    Having said that, SYN floods are also very effective when used
    properly.....i.e. by someone (or some people) who actually know what
    they're doing.

    In my opinion a small network, with an NT4 server would be viewed as an
    easy target by a kiddie.

    Do you think otherwise, Tim?

    Craig Searle
    SIFT Pty Ltd
    www.sift.com.au

    P (02) 9236 7276
    F (02) 9236 7271
    M 0402 914 077
    E craig.searle@sift.com.au

    Level 67, MLC Centre,
    Martin Place, Sydney NSW 2000

    [ABN 42 094 359 743]

    This correspondence is for the named person's use only. It may contain
    confidential or legally privileged information or both. No
    confidentiality or privilege is waived or lost by any mistransmission.
    If you receive this correspondence in error, please immediately delete
    it from your system and notify the sender. You must not disclose, copy
    or rely on any part of this correspondence if you are not the intended
    recipient. Any opinions expressed in this message are those of the
    individual sender, except where the sender expressly, and with
    authority, states them to be the opinions of SIFT Pty Ltd.

    -----Original Message-----
    From: Tim Laureska [mailto:hometeam@goeaston.net]
    Sent: Tuesday, 18 February 2003 08:58 AM
    To: 'Craig Searle'; 'security-basics'
    Subject: RE: TCP Syn Flooding

    Craig... is there anything particular in the message that makes you
    think it's just a 'script kiddie' trying a DoS attack ... or is that
    just your thoughts based on experience

    -----Original Message-----
    From: Craig Searle [mailto:craig.searle@sift.com.au]
    Sent: Monday, February 17, 2003 4:17 PM
    To: 'Tim Laureska'; 'security-basics'
    Subject: RE: TCP Syn Flooding

    It's just a 'script kiddie' trying a DoS attack - I wouldn't really
    worry if I were you. Your firewall has picked it up and stopped any
    problems.

    If you are still concerned you want to consider setting your firewall to
    block that IP altogether.

    Craig Searle
    SIFT Pty Ltd
    www.sift.com.au


    -----Original Message-----
    From: Tim Laureska [mailto:hometeam@goeaston.net]
    Sent: Sunday, 16 February 2003 01:21 AM
    To: security-basics
    Subject: TCP Syn Flooding

    OK. I just installed a Netgear firewall box between a cable modem and a
    NT 4.0 server on a small network.. and set it up to email me attempts at
    security breaches. I am brand new to these devices and a relative
    neophyte to internet/internal network security. So the question is this.

    I received this message a few times yesterday after I installed the box:

    Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
    End of Log ----------

    What should I make of this?
     
    T.
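
An added example, not part of the original thread: a small parser for the e-mailed firewall alert quoted above that tallies 'TCP:Syn Flooding' drops per source address, so a decision to block an IP can rest on how often it recurs. The field layout is inferred from the single alert in the thread; the function names, the threshold and the 192.0.2.x / 198.51.100.x entries are constructed for illustration.

```python
import re
from collections import Counter

# Layout inferred from the one alert quoted in the thread (an assumption;
# other firmware versions may format their entries differently).
ALERT_RE = re.compile(
    r"(?P<ts>\w{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"(?P<action>[^-]+?) - "
    r"Source:\s*(?P<src_ip>[\d.]+),\s*(?P<src_port>\d+),\s*(?P<src_if>\w+) - "
    r"Destination:\s*(?P<dst_ip>[\d.]+),\s*(?P<dst_port>\d+),\s*(?P<dst_if>\w+) - "
    r"'(?P<rule>[^']+)'"
)

def parse_alert(text):
    """Return the alert's fields as a dict, or None if it does not match."""
    flat = " ".join(text.split())  # e-mailed alerts arrive hard-wrapped
    m = ALERT_RE.search(flat)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def repeat_sources(alerts, rule="TCP:Syn Flooding", threshold=3):
    """Map source IP -> count for sources seen at least `threshold` times."""
    parsed = [r for r in map(parse_alert, alerts) if r]
    counts = Counter(r["src_ip"] for r in parsed if r["rule"] == rule)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# The alert as it appears in the thread, line wraps included.
PAGE_ALERT = """Fri, 02/14/2003 20:35:01 - TCP connection dropped -
Source:205.138.3.201,
80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding' End
of
Log ----------"""

# Constructed entries using documentation addresses; not from the thread.
TEMPLATE = ("Fri, 02/14/2003 20:36:{sec:02d} - TCP connection dropped - "
            "Source:{ip}, 4021, WAN - Destination:69.2.167.25, 80, LAN - "
            "'TCP:Syn Flooding'")
CONSTRUCTED = [TEMPLATE.format(sec=s, ip="192.0.2.10") for s in (1, 2, 3)]
CONSTRUCTED.append(TEMPLATE.format(sec=9, ip="198.51.100.7"))
ALL_ALERTS = [PAGE_ALERT, "unrelated mail text"] + CONSTRUCTED

if __name__ == "__main__":
    print(parse_alert(PAGE_ALERT))
    print(repeat_sources(ALL_ALERTS))
```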


