TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
In our case that's exactly what we did. We created a filter for Synfloods
involving the Proxy's IP address. I have not had a problem since.
Mike
-----Original Message-----
From: derek chow [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 25, 2001 12:34 AM
To: Michael Boehnlein; 'Ramiro Antonio Marulanda Zapata';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: SYNFlood
Hi,
I had the same problem here and guess it should be the
same reason for it. Can we just filter out these
misleading false positives?
Thanks,
Derek
--- Michael Boehnlein <[EMAIL PROTECTED]> wrote:
> I experienced a similar situation. In our case, the
> cause of the problem
> was our Proxy Server. Because the Sensor was seeing
> the SYN requests from
> users out to the internet via the proxy, but not
> seeing the SYN ACKS as they
> were coming BACK to the proxy and being NAT'd back,
> Realsecure assumed it
> was a Synflood.
>
> Michael Boehnlein
> Network Security Engineer
> Imperial Bank
>
> -----Original Message-----
> From: Ramiro Antonio Marulanda Zapata
> [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 22, 2001 3:18 PM
> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: SYNFlood
>
> Hi, I want to know if somebody can help me.
> Currently I am receiving too many SYNFlood events in
> which the source
> IP address is 0.0.0.0 and the destination IP address
> is a public address,
> that is to say, addresses of pages on the Internet. Now,
> the IP spoofing addresses
> are always the same two, belonging to
> the internal network
> segment of the company. Thank you for any help
> that you can lend me.
> I have RS v. 6.0 Console and the RS Sensor Network
> v. 6.0.
>
> Regards!
>
> _____________________________________
> Ramiro Marulanda Zapata.
> Security Analyst
> Cyberia S.A., Medellín-Colombia
> Tel. 3129320-3129321
> E-mail: [EMAIL PROTECTED]
> _____________________________________
>
>
>
>
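Added example (not part of the original messages, and not RealSecure's actual detection logic): a simplified half-open connection counter showing why a sensor that sees the proxy's outbound SYNs but not the returning SYN-ACKs reports a SYN flood, and how a filter on the proxy's address suppresses the alert. The addresses, threshold and function names are assumptions made for illustration.

```python
from collections import defaultdict

PROXY_IP = "10.0.0.5"   # constructed address standing in for the proxy
THRESHOLD = 5           # hypothetical half-open limit before alerting


def detect_synflood(packets, threshold=THRESHOLD, ignore_ips=frozenset()):
    """Return the source IPs whose unanswered SYNs reach the threshold.

    packets: iterable of (src, sport, dst, dport, flags) the sensor saw.
    ignore_ips: addresses excluded from alerting (the filter from the thread).
    """
    half_open = defaultdict(set)      # src ip -> pending (sport, dst, dport)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":              # client SYN opens a pending handshake
            half_open[src].add((sport, dst, dport))
        elif flags == "SA":           # SYN-ACK travels server -> client
            half_open[dst].discard((dport, src, sport))
    return {ip for ip, pending in half_open.items()
            if len(pending) >= threshold and ip not in ignore_ips}


def proxy_traffic(n, sensor_sees_replies):
    """Constructed sample: the proxy opens n normal outbound connections."""
    pkts = []
    for i in range(n):
        server = f"198.51.100.{i + 1}"    # documentation-range addresses
        pkts.append((PROXY_IP, 40000 + i, server, 80, "S"))
        if sensor_sees_replies:           # return path visible to the sensor
            pkts.append((server, 80, PROXY_IP, 40000 + i, "SA"))
    return pkts


if __name__ == "__main__":
    # Both directions visible: every handshake completes, nothing is flagged.
    print(detect_synflood(proxy_traffic(10, True)))
    # Replies never pass the sensor: normal browsing looks like a flood.
    print(detect_synflood(proxy_traffic(10, False)))
    # Same traffic with the proxy address filtered out.
    print(detect_synflood(proxy_traffic(10, False), ignore_ips={PROXY_IP}))
```

The exclusion is by address, so in this model a genuine flood attributed to the excluded address would be suppressed as well.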