RE: TCP Syn Flooding

From: neopara (
Date: 02/21/03

  • Next message: Julian Plamann: "Re: User process limitations.."
    Date: Thu, 20 Feb 2003 18:14:58 -0600
    From: neopara <>
    To: 'security-basics' <>, 'Tim Laureska' <>

    Most of the stand-alone or built-in(ie. firewalls) IDSes use
    regular expression to analyzes the packets it is receiving. Now if a
    regular expression returns true after it is compared to a packet, then
    the IDS will alert admin. In the world of IDS, pre-made regular
    expression are called signatures. Hence the name signature based
    alerts. If you ever used a IDS like RealSecure or Snort, this can cause
    some headaches because the signatures are to vague, and they get
    triggered to easily. That is why IDSes are not the end all solution.
    When you get an alert, check it out, but don't think right off the bat
    you are getting attacked. I hope that helped a bit.

    Paul Sliwowski

    On Tue, 2003-02-18 at 12:22, Tim Laureska wrote:
    > Uuh... basic question I'm sure but what do you mean by a "signature
    > based alert"?
    > -----Original Message-----
    > From: neopara []
    > Sent: Tuesday, February 18, 2003 12:32 AM
    > To: security-basics
    > Subject: Re: TCP Syn Flooding
    > On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
    > > OK. I just installed a Netgear firewall box between a cable modem and
    > a
    > > NT 4.0 server on a small network.. and set it up to email me attempts
    > at
    > > security breaches. I am brand new to these devices and a relative
    > > neophyte to internet/internal network security. So the question is
    > > this.
    > >
    > > I received this message a few times yesterday after I installed the
    > box:
    > >
    > >
    > > Fri, 02/14/2003 20:35:01 - TCP connection dropped -
    > > Source:, 80, WAN - Destination:, 20306, LAN -
    > > 'TCP:Syn Flooding' End of Log ----------
    > >
    > > What should I make of this?
    > >
    > > T.
    > >
    > >
    > >
    > It could also be a false positive? IDSes are kinda sensitive to syn
    > flood signatures. I am guesses your firewall is just dropping the syn
    > packet, so an application could be repeatedly trying to establish a
    > connection which is triggering that signature. It would help to know if
    > there is an legitimate application that hits port 20306.
    > P.S. You should take signature based alerts with a grain of salt.
    > Pawel Sliwowski
    > Nothing More, For Me to Say,
    > About my life, A Life of Dreams....

    Nothing More, For Me to Say,
    About my life, A Life of Dreams....

    Relevant Pages

    • Re: [fw-wiz] Netscreen firewalls
      ... the transparent bridge mode is quite good, ... the default, out of the box transport mechanism is packet forwarding only, ... comparison against a signature is typically the way that enforcement is ...
    • Re: Ultra-Fast Stateless Forward Signing
      ... With each packet, the sender encrypts a MAC key with the public ... ciphertext and signature many times, so each end can use cached ... Makes a Merkle hash-tree with the OTS keys as the leaves; ... The PK signature of the hash-tree root. ...
    • Re: Inheritable signature?
      ... bit string, ... Let us start with the "basic" setup with no signature. ... packet by trying the reconstruction with other data. ...
    • Re: IDS Analyst Levels
      ... your signature logic is tokenising the input data stream. ... `Does this packet ... that's a quick synopsis of the IDS analysis model I've been ...
    • Re: Intrusion Detection Evaluation Datasets
      ... Btw, Snort did detect one attack instance, because a signature for IIS has something like 100 times the same byte value in it. ... That's what I referred to when I said that one should rewrite the regular expression engine. ... make Bro identify the repeating character, ... I have to admit I have never looked at Bro signatures, although I know it approaches the problem differently. ...