TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi Everyone, Recently as well as detecting the normal inbound SYNfloods our RealSecure v6.5 is detecting outbound SYNfloods which have spoofed source addresses which reside within our network. The spoofed source addresses from our network are Internet RIPE reserved but often are not live and active. The destination port is often 80 but can be other ports. My question is are these real SYNfloods? The sources address are not active so if they are whatever is generating them is definitely spoofing the source. I'm I right in thinking that the sensor cannot alert a SYNflood in the wrong direction (as it can with backdoor signatures) because it only looks for initial the SYN so the direction is always confirmed. The alert appears as:- (please note I have substituted the addresses with letters) 'SYNFlood' event detected by the RealSecure 'wcciss001' at 'x.x.x.x'. Details: Source Address: 0.0.0.0 Source Port: Any Source MAC Address: 08:00:20:9D:76:9D Destination Address: a.b.c.d (where a.b.c.d is an external Internet address) Destination Port: HTTP (80) Destination MAC Address: 08:00:20:C2:41:F8 Time: 2002-07-05 09:11:19 UTC Protocol: TCP (6) Priority: medium Actions: DISPLAY=Default:0,LOGDB=LogWithoutRaw:0,EMAIL=Default:0,SNMP=Default:0 Event Specific Information: :SPOOFEDSRC: w.x.y.z (where w.x.y.z is an Internet address within our datacentre) *** Past Updates *** Cheers Jon Hughes Network Analyst ********************************************************************* This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. Opinions expressed are those of the individual sender and not of Accenture. If you have received this email in error please notify the sender by return email. This footnote confirms that this email message has been checked for viruses and inappropriate content. Accenture reserves the right to monitor email communications from external and internal sources for the purpose of ensuring correct and appropriate use of Accenture communication equipment. *********************************************************************
