David:

        Heya. I like it, though I'd suggest some touch
ups to the first paragraph (turning it into two):

--------
        This question is often asked by firewall users
that find dozens, if not hundreds, of TCP packets being
logged which were destined to their firewall's DNS port 
(TCP port number 53). These packets originate from many
different IP addresses, where each sends anywhere from 5 
to 8 packets, all within the space of a few seconds.
        When caught with tcpdump, these packets will have 
the SYN and ACK flags set, as if responding to a legitimate 
TCP initiation packet. Since the firewall did not actually 
attempt to initiate a connection, it will instinctively 
reply with a TCP packet with the RST flag set (along with
logging the packet in the firewall logs). The presumption 
is that it is this scan's intent to generate these RST 
packets, and to use them in an ad-hoc load-balancing 
scheme.
         These scans seem correlated with visiting certain
web pages, ones using some peculiar load-balancing...etc,
etc...
--------

        Just some suggestions. :)

-Scott


On Fri, 25 May 2001, David Douthitt wrote:

> I submitted a new FAQ under section 9: Why am I getting SYN/ACK floods
> to my DNS port?  (or something like that).
> 
> Tell me what you think, hack it up, etc.
> 
> Perhaps the Lion worm should be mentioned?
> 
> _______________________________________________
> Leaf-devel mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/leaf-devel
> 
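
The traffic pattern described in the proposed FAQ text above, as an added detection example that is not part of the original thread: it scans tcpdump text for bursts of SYN/ACK packets to TCP port 53 that answer no SYN seen leaving the firewall. Assumptions: the line layout of current `tcpdump -tt -n` output, the 10-second window, the helper names, and the constructed sample addresses (documentation ranges).

```python
import re
from collections import defaultdict

# Assumed line layout (tcpdump -tt -n): epoch time, src.port > dst.port, TCP flags
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def find_unsolicited_synacks(lines, dport=53, window=10.0, min_pkts=5):
    """Return {source_ip: packet_count} for bursts of SYN/ACKs sent to dport
    that do not answer any SYN observed earlier in the capture."""
    syn_sent = set()          # (src, sport, dst, dport) of every plain SYN seen
    hits = defaultdict(list)  # remote ip -> timestamps of unsolicited SYN/ACKs
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dp, flags = m.groups()
        if flags == "S":
            syn_sent.add((src, sport, dst, dp))
        elif flags == "S." and int(dp) == dport:
            # Solicited only if the reverse 4-tuple sent a SYN first
            if (dst, dp, src, sport) not in syn_sent:
                hits[src].append(float(ts))
    result = {}
    for src, times in hits.items():
        times.sort()
        # Largest number of packets inside any window-second span
        best = max(sum(1 for t in times[i:] if t - times[i] <= window)
                   for i in range(len(times)))
        if best >= min_pkts:
            result[src] = best
    return result

def burst(src, n, start):
    """Constructed sample: n SYN/ACKs from src port 80, half a second apart."""
    return [f"{start + i * 0.5:.6f} IP {src}.80 > 192.0.2.1.53: "
            "Flags [S.], seq 1, ack 1, win 5840, length 0" for i in range(n)]

# Constructed capture: two probe bursts, one short burst, one solicited reply
SAMPLE = (burst("198.51.100.7", 6, 990800000.0)
          + burst("203.0.113.9", 5, 990800001.0)
          + burst("198.51.100.20", 2, 990800002.0)
          + ["990800003.000000 IP 192.0.2.1.53 > 203.0.113.53.80: "
             "Flags [S], seq 1, win 5840, length 0"]
          + burst("203.0.113.53", 5, 990800003.1))

if __name__ == "__main__":
    print(find_unsolicited_synacks(SAMPLE))
```

The `min_pkts=5` default follows the "5 to 8 packets" figure in the suggested text; the replies from 203.0.113.53 are ignored because the capture shows the firewall's own SYN to that peer first.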

