At 10:28 AM 2/4/99 -0500, [EMAIL PROTECTED] is said to have written:
>We have been having the same problem. The source port is some well know
service
>like telnet or http and the destination port
>is 1092 in our case. The ACK and RST bits are set as if it is an attempt to
>break into an already existing TCP session.
ack and rst? Are you sure?
In any case, you might have been the victim of someone else's syn DOS
attack on the origin of that packet.
The Syn goes out from the attacker with a randomly selected IP Source
address. It is sent to some well known port.
The ack comes back to that random IP address, from the victim's IP address
and the well known port.
This is likely to be that ack.
>Do you have a log of the source IP numbers to share to help track down
culprit?
They may not be attacking you...they may be victims.
--
That which does not kill us, makes us stronger.
That which does kill us makes us smell stronger, after a few days, anyway.
Nick Simicich mailto:[EMAIL PROTECTED] or (last choice)
mailto:[EMAIL PROTECTED]
http://scifi.squawk.com/njs.html -- Stop by and Light Up The World!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
