Re: repeated SYN packets to port 80

From: John Sage
Date: Sat, 09 Mar 2002 15:27:54 GMT

Without accepting a connection and seeing what comes next, (which you
probably don't want to do ;-) it's impossible to say completely what's going

I'd bet a thousand bucks it's Code Red/Nimda probes, however.

These have become a relentless Internet background noise.

Here's a sample from my firewall logs:

Mar 8 22:18:26 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} ->
Mar 8 22:18:29 greatwall snort: [1:0:0] Potential CodeRed/Nimda probe {TCP} ->

Mar 8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar 8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)

Fri Mar 8 22:18:26 2002 [8 hops]: Windows 2000 (9) ->
Fri Mar 8 22:18:29 2002 [8 hops]: Windows 2000 (9) ->

I get anywhere from 50 to 200 of these a day, every day, day in day out,
since late last summer...


- John

Most people don't type their own logfiles; but, what do I care?

> [My apologies beforehand if this is the incorrect forum for this post.
> If so, please direct me to the proper group.] tcplogd of my Linux box
> logs repeated "www connection attempt from xxx" where xxx is some IP
> address out there in the ether. These log entries repeat approximately
> every few seconds or minutes for days. And they're not coming from just
> one address either -- every day or so a new machine jumps in.
> I've looked at the packets with tcpdump and they appear to my untrained
> eye to be simple SYN packets. It looks sort of like a DDoS attack, but
> instead of a SYN flood, it's a SYN trickle, since the total number of
> machines I've noticed sending at any one time is typically under five
> (so far), and they don't send *that* frequently. I didn't notice any
> degradation in performance -- I just happened to notice all these
> entries in my log files. Besides, why attack my piddly server? I'm
> running the latest stable Debian with all security updates and Apache
> webserver. For now I've closed down port 80. Any clues as to what's
> going on, and what the appropriate response on my part would be (if
> any)? My syslog files are huge with all these entries.
> TIA,
> Paul
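An added example (not from John's or Paul's posts) of the kind of summary that makes a "SYN trickle" like this readable instead of a huge syslog: it parses ipchains "Packet log ... DENY" lines in the format John quoted, keeps only TCP SYNs to port 80, and reports per-source and per-day counts. The log lines are constructed samples with documentation-range addresses, since the post's own addresses are cut off.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log" format shown in the post.
# Source/destination addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Mar  8 22:18:26 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:3042 203.0.113.7:80 L=48 S=0x00 I=6283 F=0x4000 T=121 SYN (#64)
Mar  8 22:18:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:3044 203.0.113.7:80 L=48 S=0x00 I=6709 F=0x4000 T=121 SYN (#64)
Mar  8 22:40:11 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.23:1109 203.0.113.7:80 L=48 S=0x00 I=9231 F=0x4000 T=113 SYN (#64)
Mar  9 01:02:55 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.23:1410 203.0.113.7:80 L=48 S=0x00 I=1022 F=0x4000 T=113 SYN (#64)
Mar  9 01:03:30 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.77:1027 203.0.113.7:53 L=60 S=0x00 I=5 F=0x0000 T=64 (#64)
"""

# One ipchains log line: syslog timestamp, chain/verdict/interface, protocol,
# src:port dst:port, IP header fields, optional SYN marker, rule number.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"Packet log: \w+ (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)(?P<syn> SYN)? \(#\d+\)$"
)

def port80_syn_events(text):
    """Yield (day, time, src, ttl) for every logged TCP SYN aimed at port 80."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "6" or m["dport"] != "80" or not m["syn"]:
            continue  # not a TCP SYN to the web port (e.g. the UDP/53 line): skip
        yield f'{m["mon"]} {int(m["day"])}', m["time"], m["src"], int(m["ttl"])

def summarise_by_source(text):
    """Per-source totals: probe count, days active, arrival TTLs, first/last seen."""
    out = {}
    for day, time, src, ttl in port80_syn_events(text):
        s = out.setdefault(src, {"count": 0, "days": set(), "ttls": set(),
                                 "first": f"{day} {time}", "last": None})
        s["count"] += 1
        s["days"].add(day)
        s["ttls"].add(ttl)  # 113-121 on arrival fits a 128 initial TTL (Windows)
        s["last"] = f"{day} {time}"
    return out

def daily_counts(text):
    """Per-day (probes, distinct sources): the 'SYN trickle' at a glance."""
    probes, sources = defaultdict(int), defaultdict(set)
    for day, _time, src, _ttl in port80_syn_events(text):
        probes[day] += 1
        sources[day].add(src)
    return {day: (probes[day], len(sources[day])) for day in probes}
```

Feed it `/var/log/messages` (or wherever ipchains logs land) instead of `SAMPLE_LOG` and a handful of sources sending a few SYNs each per day, as in both posts, shows up immediately.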