You have received a lot of replies to this already, but I have a slightly different take on this. The message says the traffic is sourced from port 80 and coming back to a high port on your end that would normally be in the range used by client software (like a web browser). There actually does appear to be a service listening on port 80 at the source (205.138.3.201), but the default page is blank (you can do a "view source" in your browser and see that it is a real HTML page, just with no content). Telnetting to the server on port 80 and issuing a GET, I received the following:

HTTP/1.0 501 Not Implemented
Date: Tue, 18 Feb 2003 12:39:05 GMT
Server: swcd/5.0.2206
Connection: close

I do not know what type of server reports itself as "swcd", but it is listed on a recent survey of popular web server tools as having about a 0.14% share of installed servers. What would be interesting is if you recently went there - maybe you didn't know you were going there, if the user has a hostname published in DNS somewhere. In any case it would be odd for a web server to initiate a connection to you (which is what would kick off a SYN flood). However, the fact that they are trying to hit you on what appears to be a client port may indicate that very thing. Does the NetGear tell you how many times they tried to connect and over what period of time? Does it tell you at least the "minimum" connections it has to see before it alerts on a SYN flood?

-----Original Message-----
From: Tim Laureska [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 15, 2003 9:21 AM
To: security-basics
Subject: TCP Syn Flooding

OK. I just installed a Netgear firewall box between a cable modem and an NT 4.0 server on a small network, and set it up to email me attempts at security breaches. I am brand new to these devices and a relative neophyte to internet/internal network security. So the question is this. I received this message a few times yesterday after I installed the box:

Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'
End of Log
----------

What should I make of this?

T.

Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc.
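The reply above reasons from two artifacts: the NetGear log line (source port 80 on the WAN side, destination port 20306 on the LAN side) and the banner it got back from a hand-typed HTTP/1.0 GET. The following is an added example, not code from either poster or from NetGear, that parses both artifacts and applies the reply's direction heuristic (a well-known service port talking to a high port looks like the return leg of a connection the inside host opened; the reverse looks like an inbound connection attempt). The sample log line and banner are constructed from the text quoted in the thread; the `banner_grab()` helper is an assumed convenience that repeats the telnet probe over a socket and needs network access, so it is not exercised offline.

```python
"""Added example (not the list's or NetGear's code): parse the NetGear
'TCP connection dropped' line and the telnet banner quoted in the thread,
and apply the reply's port-direction heuristic."""
import re
import socket

# Constructed from the log line quoted in Tim's message.
SAMPLE_LOG = (
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - "
    "Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN - "
    "'TCP:Syn Flooding'"
)

# Constructed from the response pasted in the reply (one header per line).
SAMPLE_BANNER = (
    "HTTP/1.0 501 Not Implemented\r\n"
    "Date: Tue, 18 Feb 2003 12:39:05 GMT\r\n"
    "Server: swcd/5.0.2206\r\n"
    "Connection: close\r\n"
    "\r\n"
)

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - (?P<event>.+?) - "
    r"Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"'(?P<rule>[^']+)'$"
)


def parse_netgear_log(line: str) -> dict:
    """Split one NetGear log line into named fields; ports become ints."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify_direction(src_port: int, dst_port: int) -> str:
    """Heuristic from the reply: privileged (< 1024) service port -> high port
    is the shape of a server answering a client; the reverse is the shape of a
    client (or scanner) reaching a service. Both high: no inference."""
    if src_port < 1024 <= dst_port:
        return "service-to-client"
    if dst_port < 1024 <= src_port:
        return "client-to-service"
    return "ambiguous"


def parse_http_banner(raw: str) -> dict:
    """Parse the status line and headers of an HTTP response (header names
    lower-cased). Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for h in header_lines:
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "", "headers": headers}


def banner_grab(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Assumed helper: the probe the reply did by hand with telnet. Opens a TCP
    connection, sends a bare HTTP/1.0 GET and returns the parsed response.
    Needs network access, so it is not run in the offline check."""
    req = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_banner(b"".join(chunks).decode("latin-1"))


def assess(line: str) -> str:
    """One-line verdict for a log entry, in the terms used in the thread."""
    rec = parse_netgear_log(line)
    direction = classify_direction(rec["src_port"], rec["dst_port"])
    notes = {
        "service-to-client": "shape of reply traffic to a connection the LAN host started",
        "client-to-service": "shape of an inbound connection attempt to a local service",
        "ambiguous": "both ports unprivileged; no direction inference",
    }
    return (f"{rec['rule']}: {rec['src_ip']}:{rec['src_port']} -> "
            f"{rec['dst_ip']}:{rec['dst_port']} ({direction}; {notes[direction]})")


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
    print("server banner:", parse_http_banner(SAMPLE_BANNER)["headers"]["server"])
```

The port heuristic is only a shape test: it tells you which side of a normal client/server exchange the dropped packet resembles, not whether the firewall's SYN-flood counter was right to fire. For that you still need the counts and time window the reply asks about, which this log format does not carry.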