On Wednesday 13 April 2005 11:09 pm, Bob Therina wrote:
> Anyone know anything about SYN attacks? My router is detecting it and
> dropping the packets but there's no IP address or anything in the log.
> I read a couple things but not really sure what they mean.
>
> Also, I just looked in my apache access log and have some unusual
> entries like the following:
>
> 82.96.96.3 - - [13/Apr/2005:17:04:01 +0000] "CONNECT 82.96.96.3:802
> HTTP/1.0" 405 298 "-" "-" "-"
> 82.96.96.3 - - [13/Apr/2005:17:04:22 +0000] "POST
> http://82.96.96.3:802/ HTTP/1.0" 405 295 "-" "-" "-"
> 82.96.96.3 - - [13/Apr/2005:17:20:14 +0000] "POST
> http://82.96.96.3:802/ HTTP/1.0" 405 295 "-" "-" "-"
> 82.96.96.3 - - [13/Apr/2005:17:20:14 +0000] "CONNECT 82.96.96.3:802
> HTTP/1.0" 405 298 "-" "-" "-

SYN probes are a type of scan used by nmap. Here's what man nmap said:

       -sS    TCP SYN scan: This technique is often referred to as "half-open"
              scanning, because you don't open a full TCP connection. You send
              a SYN packet, as if you are going to open a real connection  and
              you wait for a response. A SYN|ACK indicates the port is listen-
              ing. A RST is indicative of a non-listener.   If  a  SYN|ACK  is
              received,  a RST is immediately sent to tear down the connection
              (actually our OS kernel does this for us). The primary advantage
              to  this  scanning  technique  is  that fewer sites will log it.
              Unfortunately you need root privileges to build these custom SYN
              packets.  This is the default scan type for privileged users.

it's basically a more stealthy scan than a straight-up ping scan.

i use it when i use nmap.

i wouldn't worry about it. your router/firewall is blocking it.

scott

-- 
R. Scott Granneman
[EMAIL PROTECTED] ~ www.granneman.com
Full list of publications: http://www.granneman.com/publications
  My new book on Firefox: Don't Click on the Blue E!
    Info at: http://www.oreilly.com/catalog/bluee/
  Read the Open Source Blog: http://opensource.weblogsinc.com
  Join GranneNotes! Information at www.granneman.com

"The great geniuses of the past still rule over us from their graves; they 
still stalk or scurry about in the present, tripping up the living, 
mysteriously congesting the traffic, confusing values in art and manners, a 
brilliant cohort of mortals determined not to die, in possession of the 
land."
      ---Wyndham Lewis (1915)
_______________________________________________
CWE-LUG mailing list
http://www.cwelug.org/    
[email protected]
http://lists.firepipe.net/listinfo/cwe-lug
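
Added example, not part of the original message: a small Python filter for access-log entries like the ones quoted in the question. It flags proxy-form request lines (CONNECT, or a request target that is an absolute URI) and records whether the server refused them, as the 405 responses above show. The function names and verdict labels are assumptions made for this example; the first two sample entries are the quoted ones rejoined, the rest are constructed.

```python
import re
from collections import Counter

# Entries 1-2 are the quoted log lines rejoined; entries 3-5 are constructed.
SAMPLE_LOG = '''\
82.96.96.3 - - [13/Apr/2005:17:04:01 +0000] "CONNECT 82.96.96.3:802 HTTP/1.0" 405 298 "-" "-" "-"
82.96.96.3 - - [13/Apr/2005:17:04:22 +0000] "POST http://82.96.96.3:802/ HTTP/1.0" 405 295 "-" "-" "-"
192.0.2.10 - - [13/Apr/2005:17:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0" "-"
192.0.2.10 - - [13/Apr/2005:17:05:02 +0000] "POST /form.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
198.51.100.7 - - [13/Apr/2005:17:06:00 +0000] "GET http://example.com/ HTTP/1.0" 200 2048 "-" "-" "-"
'''

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(method, target):
    """Return the proxy request form, or None for an ordinary origin request."""
    if method == "CONNECT":
        return "connect-tunnel"
    if ABSOLUTE_URI.match(target):
        return "absolute-uri"
    return None

def proxy_requests(log_text):
    """Yield (client, timestamp, form, status, verdict) for proxy-form requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or malformed line; skip rather than guess
        form = classify(m["method"], m["target"])
        if form is None:
            continue
        status = int(m["status"])
        # 4xx/5xx: the server refused. 2xx/3xx: it answered, so check whether
        # it relayed the request or only served local content.
        verdict = "refused" if status >= 400 else "answered-review"
        yield m["client"], m["ts"], form, status, verdict

def summarize(log_text):
    """Count proxy-form requests per (client, verdict)."""
    return Counter((c, v) for c, _, _, _, v in proxy_requests(log_text))

if __name__ == "__main__":
    for row in proxy_requests(SAMPLE_LOG):
        print(*row)
    print(dict(summarize(SAMPLE_LOG)))
```

Log entries that wrap across lines, as they do in the quoted message, have to be rejoined before parsing; the filter skips any line it cannot match.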
