This could be some sort of internal "web crawler". A user connects to an internal web server or logs in locally and then makes a request from that server to find information from many external web sites...making it look like a SYN flood. This would be normal traffic in that case. The best way to check this is to take one of the internal IP addresses and track it down to identify what services are running on the box.
You could also try to identify what URLs the SYN floods are targeting. Do they look legitimate, or are they targeting a known vulnerable script or something...such as the Code Red exploit... You can actually install a host-based IDS on the server or put a sniffer on it so you can look at the bits and bytes of the traffic.

Hope that helps.

Paul

-----Original Message-----
From: Saran [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 6:55 PM
To: Paul Van Gurp; 'Eng. Ahed M. Okasha'; [EMAIL PROTECTED]
Subject: RE: outbound SYNfloods from sources that are live

I am seeing SYN flood for Port 80 which in my case is legitimate traffic.

regards
saran
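The triage suggested in the reply above, as an added example that is not part of the original thread: it summarises outbound port-80 connection attempts per internal source and separates crawler-like traffic (handshakes complete, ordinary URLs) from sources worth tracking down. The event layout, thresholds and addresses are assumptions constructed for illustration; `/default.ida` is the path Code Red requested.

```python
from collections import defaultdict

# Constructed sample data: one tuple per outbound connection attempt, as a
# sniffer on the server might summarise it:
# (src_ip, dst_ip, handshake_completed, request_uri or None)
EVENTS = (
    [("10.0.0.5", f"198.51.100.{i}", True, "/index.html") for i in range(1, 6)]
    + [("10.0.0.9", f"203.0.113.{i}", i == 1, None) for i in range(1, 6)]
    + [("10.0.0.12", f"192.0.2.{i}", True, "/default.ida?NNNNNNNN")
       for i in range(1, 5)]
)

# Paths tied to known-vulnerable scripts; extend for your environment.
SUSPICIOUS_URI_MARKERS = ("/default.ida",)


def triage(events, min_syns=4, max_completion=0.5):
    """Return {src_ip: verdict}. Thresholds are assumed starting points."""
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "bad_uris": []})
    for src, _dst, completed, uri in events:
        s = stats[src]
        s["syns"] += 1
        s["completed"] += int(completed)
        if uri and any(m in uri.lower() for m in SUSPICIOUS_URI_MARKERS):
            s["bad_uris"].append(uri)

    verdicts = {}
    for src, s in stats.items():
        completion = s["completed"] / s["syns"]
        if s["bad_uris"]:
            # Requests for a known-vulnerable script: likely an infected host.
            verdicts[src] = "investigate: known-exploit URL"
        elif s["syns"] >= min_syns and completion < max_completion:
            # Many SYNs that never finish the handshake.
            verdicts[src] = "investigate: SYNs without completed handshakes"
        else:
            # Handshakes complete and URLs look ordinary: crawler or proxy.
            verdicts[src] = "likely legitimate web traffic"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(EVENTS).items()):
        print(host, "->", verdict)
```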
