TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi Paul (and everyone else!),

Thanks for the insight into web crawlers but the weird thing is that the source addresses of the SYNfloods are often from IP devices that have been decommissioned and thus are not alive. I'm itching to find out what's causing all this and I'll post it up once I've found out.

Cheers
Jon

-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
Sent: 16 August 2002 18:16
To: Saran; Eng. Ahed M. Okasha; [EMAIL PROTECTED]
Subject: RE: outbound SYNfloods from sources that are live

This could be some sort of internal "web crawler". A user connects to an internal web server or logs in locally and then makes a request from that server to find information from many external web sites...making it look like a SYN flood. This would be normal traffic in that case.

The best way to check this is to take one of the internal IP addresses and track it down to identify what services are running on the box. You could also try to identify what URLs the SYN floods are targeting. Do they look legitimate or are they targeting a known vulnerable script or something...such as the Code Red exploit...

You can actually install a host-based IDS on the server or put a sniffer on it so you can look at the bits and bytes of the traffic.

Hope that helps.
Paul

-----Original Message-----
From: Saran [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 17, 2002 6:55 PM
To: Paul Van Gurp; 'Eng. Ahed M. Okasha'; [EMAIL PROTECTED]
Subject: RE: outbound SYNfloods from sources that are live

I am seeing SYN flood for Port 80 which in my case is legitimate traffic.
regards
saran
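The check discussed in this thread, as an added example that is not part of the original messages: a triage of sniffer output that separates crawler-like sources (many port 80 targets, handshakes complete) from sources whose SYNs never complete or whose address is not in service. The packet summary format, all addresses, the thresholds and the `LIVE_HOSTS` inventory are constructed assumptions.

```python
from collections import defaultdict

# Assumed asset inventory of hosts known to be in service (constructed).
LIVE_HOSTS = {"10.0.0.5", "10.0.0.7"}

# Constructed sniffer summary, one packet per line: src dst server_port flags
# (S = SYN, SA = SYN-ACK, A = ACK completing the handshake).
SAMPLE = """\
10.0.0.5 198.51.100.10 80 S
198.51.100.10 10.0.0.5 80 SA
10.0.0.5 198.51.100.10 80 A
10.0.0.5 198.51.100.11 80 S
198.51.100.11 10.0.0.5 80 SA
10.0.0.5 198.51.100.11 80 A
10.0.0.5 198.51.100.12 80 S
198.51.100.12 10.0.0.5 80 SA
10.0.0.5 198.51.100.12 80 A
10.0.0.99 203.0.113.1 80 S
10.0.0.99 203.0.113.2 80 S
10.0.0.99 203.0.113.3 80 S
10.0.0.7 203.0.113.8 80 S
"""

def triage(capture, live_hosts, min_dests=3, min_complete=0.8):
    """Return {source: (verdict, distinct targets, handshake completion ratio)}."""
    syn = defaultdict(set)    # source -> {(server, port)} it sent a SYN to
    answered = set()          # (source, server, port) where the server sent SYN-ACK
    done = defaultdict(set)   # source -> {(server, port)} with a completed handshake
    for line in capture.splitlines():
        src, dst, port, flags = line.split()
        if flags == "S":
            syn[src].add((dst, port))
        elif flags == "SA":
            answered.add((dst, src, port))
        elif flags == "A" and (src, dst, port) in answered:
            done[src].add((dst, port))
    report = {}
    for source, targets in syn.items():
        ratio = round(len(done[source]) / len(targets), 2)
        if source not in live_hosts:
            verdict = "stale-source"           # address not in service
        elif ratio < min_complete:
            verdict = "incomplete-handshakes"  # SYNs sent, nothing established
        elif len(targets) >= min_dests:
            verdict = "crawler-like"           # many sites, real connections
        else:
            verdict = "normal"
        report[source] = (verdict, len(targets), ratio)
    return report
```

A "stale-source" verdict means the capture shows SYNs from an address the inventory says is not in service, so the next step is to find which physical port or MAC address is emitting them.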
