TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Iam seeing syn flood for Port 80 which in my case is a legitimate traffic. regards saran -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paul Van Gurp Sent: Wednesday, July 17, 2002 4:28 AM To: 'Eng. Ahed M. Okasha'; [EMAIL PROTECTED] Subject: RE: outbound SYNfloods from sources that are live TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- If you are getting synfloods to other ports like 6346 and 1214, your users are using mp3 programs like Gnutella and Kazaa or Morpheus. We see these all the time but we don't allow them trhough the firewall. The music program, upon startup, or when performing a search, goes out to hundreds of servers...sends a syn to open a connection to each server...which triggers the synflood. Make sure you identify all ports that are involved in the synfloods as sometimes they could be trojans as well. Hope that helps. -----Original Message----- From: Eng. Ahed M. Okasha [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 16, 2002 1:09 AM To: [EMAIL PROTECTED] Subject: FW: outbound SYNfloods from sources that are live TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hi, Yes I'm having the same problem here, could someone please Verify that this isn't a real attack going outside or explain What it is exactly and how to fix this problem? Thanks, Eng. Ahed M. Okasha IT Security -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Hughes, Jon Sent: Thursday, July 11, 2002 1:37 PM To: '[EMAIL PROTECTED]' Subject: outbound SYNfloods from sources that are live TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ------------------------------------------------------------------------ ---- Hi Everyone, Recently as well as detecting the normal inbound SYNfloods our RealSecure v6.5 is detecting outbound SYNfloods which have spoofed source addresses which reside within our network. The spoofed source addresses from our network are Internet RIPE reserved but often are not live and active. The destination port is often 80 but can be other ports. My question is are these real SYNfloods? The sources address are not active so if they are whatever is generating them is definitely spoofing the source. I'm I right in thinking that the sensor cannot alert a SYNflood in the wrong direction (as it can with backdoor signatures) because it only looks for initial the SYN so the direction is always confirmed. The alert appears as:- (please note I have substituted the addresses with letters) 'SYNFlood' event detected by the RealSecure 'wcciss001' at 'x.x.x.x'. Details: Source Address: 0.0.0.0 Source Port: Any Source MAC Address: 08:00:20:9D:76:9D Destination Address: a.b.c.d (where a.b.c.d is an external Internet address) Destination Port: HTTP (80) Destination MAC Address: 08:00:20:C2:41:F8 Time: 2002-07-05 09:11:19 UTC Protocol: TCP (6) Priority: medium Actions: DISPLAY=Default:0,LOGDB=LogWithoutRaw:0,EMAIL=Default:0,SNMP=Default:0 Event Specific Information: :SPOOFEDSRC: w.x.y.z (where w.x.y.z is an Internet address within our datacentre) *** Past Updates *** Cheers Jon Hughes Network Analyst ********************************************************************* This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, you must not copy, distribute or take any action in reliance on it. Opinions expressed are those of the individual sender and not of Accenture. If you have received this email in error please notify the sender by return email. This footnote confirms that this email message has been checked for viruses and inappropriate content. Accenture reserves the right to monitor email communications from external and internal sources for the purpose of ensuring correct and appropriate use of Accenture communication equipment. ********************************************************************* ________________________________________________________________________ This message and any attachments have been scanned for viruses during transmission from Washington Trust Bank. ________________________________________________________________________ NOTICE: This e-mail may contain confidential or privileged material and is intended for use solely by the above-referenced recipient. Any review, copying, printing, disclosure, distribution, or other use by any other person or entity is strictly prohibited. If you are not the named recipient, or believe you have received this e-mail in error, please reply to the sender and delete the copy you received. Thank you.
