TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi Brian,

I take your point on high-volume SMTP and HTTP traffic, but we are used to spotting this type of traffic; we would see the SMTP coming from our mail relays and HTTP to our web hosts, but these floods are from IP addresses which are not hosts within the site.

Cheers
Jon

-----Original Message-----
From: Fitch, Brian (ISS Atlanta) [mailto:[EMAIL PROTECTED]]
Sent: 16 July 2002 20:49
To: 'Eng. Ahed M. Okasha'; [EMAIL PROTECTED]
Subject: RE: outbound SYNfloods from sources that are live

You're probably getting SYNFlood detected on high-volume SMTP or HTTP traffic. This usually indicates that the SYNFlood decode needs to be adjusted in its advanced properties for your environment.

SYNFlood detection has been discussed frequently on the ISSForum. The archives are kept at http://archives.neohapsis.com/archives/iss/ and most likely contain the answers you're looking for regarding detection and analysis. The ISS KnowledgeBase (http://www.iss.net/support/knowledgebase/) also has an article about SYNFlood; reference Answer ID 122, entitled "How can I reduce the volume of SYNFlood alerts?"

Brian Fitch
Systems Engineer
Internet Security Systems, Inc.

-----Original Message-----
From: Eng. Ahed M. Okasha [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 1:09 AM
To: [EMAIL PROTECTED]
Subject: FW: outbound SYNfloods from sources that are live

Hi,

Yes, I'm having the same problem here. Could someone please verify that this isn't a real attack going outside, or explain what it is exactly and how to fix this problem?

Thanks,
Eng. Ahed M. Okasha
IT Security

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hughes, Jon
Sent: Thursday, July 11, 2002 1:37 PM
To: '[EMAIL PROTECTED]'
Subject: outbound SYNfloods from sources that are live

Hi Everyone,

Recently, as well as detecting the normal inbound SYNfloods, our RealSecure v6.5 is detecting outbound SYNfloods which have spoofed source addresses which reside within our network. The spoofed source addresses from our network are Internet RIPE reserved but often are not live and active. The destination port is often 80 but can be other ports.

My question is: are these real SYNfloods? The source addresses are not active, so if they are, whatever is generating them is definitely spoofing the source. Am I right in thinking that the sensor cannot alert a SYNflood in the wrong direction (as it can with backdoor signatures) because it only looks for the initial SYN, so the direction is always confirmed?

The alert appears as follows (please note I have substituted the addresses with letters):

'SYNFlood' event detected by the RealSecure 'wcciss001' at 'x.x.x.x'.
Details:
Source Address: 0.0.0.0
Source Port: Any
Source MAC Address: 08:00:20:9D:76:9D
Destination Address: a.b.c.d (where a.b.c.d is an external Internet address)
Destination Port: HTTP (80)
Destination MAC Address: 08:00:20:C2:41:F8
Time: 2002-07-05 09:11:19 UTC
Protocol: TCP (6)
Priority: medium
Actions: DISPLAY=Default:0,LOGDB=LogWithoutRaw:0,EMAIL=Default:0,SNMP=Default:0
Event Specific Information:
:SPOOFEDSRC: w.x.y.z (where w.x.y.z is an Internet address within our datacentre)
*** Past Updates ***

Cheers
Jon Hughes
Network Analyst

*********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. Opinions expressed are those of the individual sender and not of Accenture. If you have received this email in error please notify the sender by return email. This footnote confirms that this email message has been checked for viruses and inappropriate content. Accenture reserves the right to monitor email communications from external and internal sources for the purpose of ensuring correct and appropriate use of Accenture communication equipment.
*********************************************************************

****************************************************
Before being delivered to the Accenture Warwick Microsoft Exchange system, this email (including any attachments) was scanned by Mailsweeper for viruses and inappropriate content, according to Accenture's standard email policy. Accenture reserves the right to monitor email from external and internal sources for the purpose of ensuring correct and appropriate use of Accenture communication equipment.
****************************************************
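The thread turns on one distinction: a SYNFlood alert whose :SPOOFEDSRC: address belongs to a known high-volume host (a mail relay, a web proxy) is a decode-tuning problem, whereas one whose address sits inside the site's netblock with no live host behind it is a genuine outbound flood with a forged source, and the alert's Source MAC Address is the one field that still points at the real sender. The script below is an added example, not part of the thread and not ISS code: it parses RealSecure-style event text, applies that distinction against a host inventory, and groups the alerts that need investigation by source MAC so that several forged addresses on one MAC show up as one machine. The netblock, the inventory, the MAC addresses and the three alert texts are constructed placeholders.

```python
"""Triage RealSecure-style 'SYNFlood' alerts that carry a :SPOOFEDSRC: field.

Added example; the site netblock, host inventory and alert texts are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical site netblock (a documentation range stands in for a RIPE allocation).
SITE_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]

# Hypothetical inventory of hosts expected to emit high-volume outbound SMTP/HTTP.
LIVE_HOSTS = {
    "192.0.2.10": "mail relay",
    "192.0.2.20": "web proxy",
}

# Constructed alert texts modelled on the event format quoted in the thread.
# MACs are locally administered placeholders, destinations are documentation addresses.
SAMPLE_ALERTS = [
    """'SYNFlood' event detected by the RealSecure 'sensor01' at '192.0.2.2'.
Details: Source Address: 0.0.0.0 Source Port: Any
Source MAC Address: 02:00:00:00:00:0A
Destination Address: 203.0.113.25 Destination Port: SMTP (25)
Time: 2002-07-05 09:10:02 UTC Protocol: TCP (6)
Event Specific Information: :SPOOFEDSRC: 192.0.2.10""",
    """'SYNFlood' event detected by the RealSecure 'sensor01' at '192.0.2.2'.
Details: Source Address: 0.0.0.0 Source Port: Any
Source MAC Address: 02:00:00:00:00:77
Destination Address: 203.0.113.80 Destination Port: HTTP (80)
Time: 2002-07-05 09:11:19 UTC Protocol: TCP (6)
Event Specific Information: :SPOOFEDSRC: 192.0.2.77""",
    """'SYNFlood' event detected by the RealSecure 'sensor01' at '192.0.2.2'.
Details: Source Address: 0.0.0.0 Source Port: Any
Source MAC Address: 02:00:00:00:00:77
Destination Address: 203.0.113.81 Destination Port: HTTP (80)
Time: 2002-07-05 09:11:23 UTC Protocol: TCP (6)
Event Specific Information: :SPOOFEDSRC: 192.0.2.78""",
]

# One capturing group per field we triage on.
FIELD_PATTERNS = {
    "src_mac": r"Source MAC Address:\s*([0-9A-Fa-f:]{17})",
    "dst": r"Destination Address:\s*(\d+\.\d+\.\d+\.\d+)",
    "dport": r"Destination Port:\s*\S+\s*\((\d+)\)",
    "spoofed_src": r":SPOOFEDSRC:\s*(\d+\.\d+\.\d+\.\d+)",
    "time": r"Time:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC)",
}


def parse_alert(text):
    """Extract the triage fields from one alert; fail loudly if any is missing."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if not match:
            raise ValueError(f"alert lacks field {name}")
        fields[name] = match.group(1)
    fields["dport"] = int(fields["dport"])
    return fields


def in_site(addr):
    """True when the address falls inside one of our own netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_NETBLOCKS)


def triage(text):
    """Classify an alert: decode tuning, real outbound flood, or not our address at all."""
    alert = parse_alert(text)
    src = alert["spoofed_src"]
    if not in_site(src):
        alert["verdict"] = "not-ours"
        alert["reason"] = f"{src} lies outside our netblocks; check sensor placement"
    elif src in LIVE_HOSTS:
        alert["verdict"] = "tune"
        alert["reason"] = (f"{src} is our {LIVE_HOSTS[src]}; legitimate high volume, "
                           "adjust the SYNFlood decode thresholds")
    else:
        alert["verdict"] = "investigate"
        alert["reason"] = (f"{src} is in our netblock but no live host has it; treat as a "
                           f"real outbound flood and locate the sender by MAC {alert['src_mac']}")
    return alert


def senders_by_mac(alert_texts):
    """Group the forged source addresses of 'investigate' alerts by real source MAC.
    Several addresses on one MAC means one machine behind the sensor forges them all."""
    groups = defaultdict(set)
    for text in alert_texts:
        alert = triage(text)
        if alert["verdict"] == "investigate":
            groups[alert["src_mac"]].add(alert["spoofed_src"])
    return dict(groups)


if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        a = triage(text)
        print(a["time"], a["spoofed_src"], "->", a["dst"], a["dport"], a["verdict"], "|", a["reason"])
    print(senders_by_mac(SAMPLE_ALERTS))
```

The inventory check is the part worth keeping current: a relay or proxy missing from LIVE_HOSTS would be reported as a flood to investigate rather than a decode to tune, which is the false positive Brian describes, while a stale entry for a decommissioned host would hide a forged source behind a "tune" verdict.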
