Go to sysinternals.com and get a few of the utilities there. TCPview (used to be Netmon) and filemon. This should help you track things down. You won't know what you did without them and NT before :)
> -----Original Message-----
> From: Tim Laureska [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 2:17 PM
> To: 'Chris Santerre'; 'Steve Suehring'
> Cc: 'security-basics'
> Subject: RE: TCP Syn Flooding
>
>
> The IRC program pops up in a window when you start the NT box... you
> can close it down easily enough.... but I'll be darned if I can find
> where the program is
>
> -----Original Message-----
> From: Chris Santerre [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 18, 2003 2:08 PM
> To: 'Steve Suehring'; Tim Laureska
> Cc: security-basics
> Subject: RE: TCP Syn Flooding
>
> You mentioned an IRC program on the NT box. Is it still running or did you
> kill it? It could be trying to "phone home". Just another idea.
>
> > -----Original Message-----
> > From: Steve Suehring [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 8:57 AM
> > To: Tim Laureska
> > Cc: security-basics
> > Subject: Re: TCP Syn Flooding
> >
> >
> > While I obviously can't guarantee it, I would sincerely doubt that there
> > is a true syn flood taking place sourced in the doubleclick network. What
> > were you doing at the time? Possibly surfing the web? Those source and
> > destination ports look awfully like you were surfing the web and
> > doubleclick's side tried to open a connection to you for their load
> > balancing software.
> >
> > My guess would be that the netgear is picking up a false positive.
> >
> > Searching deja reveals that this may be the case after all:
> >
> > http://groups.google.com/groups?oi=djq&selm=an_523012517
> >
> > Steve
> >
> >
> > On Sat, Feb 15, 2003 at 09:20:46AM -0500, Tim Laureska wrote:
> > > OK. I just installed a Netgear firewall box between a cable modem and a
> > > NT 4.0 server on a small network.. and set it up to email me attempts at
> > > security breaches. I am brand new to these devices and a relative
> > > neophyte to internet/internal network security. So the question is
> > > this.
> > >
> > > I received this message a few times yesterday after I installed the box:
> > >
> > >
> > > Fri, 02/14/2003 20:35:01 - TCP connection dropped -
> > > Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
> > > 'TCP:Syn Flooding' End of Log ----------
> > >
> > > What should I make of this?
> > >
> > > T.
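
The port-based check from Steve's reply, applied to log entries in the format quoted in the thread, as an added example that is not part of the original messages. The port sets, verdict names and every sample line after the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field layout taken from the Netgear entry quoted in the thread.
ENTRY = re.compile(
    r"(?P<ts>\w{3}, \d\d/\d\d/\d{4} \d\d:\d\d:\d\d) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<sif>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dif>\w+) - "
    r"'(?P<rule>[^']+)'"
)
WEB_PORTS = {80, 443}   # assumption: ports treated as the web-server side
EPHEMERAL_MIN = 1024    # assumption: client-side ports start here

def triage(line):
    """Return (source_ip, verdict) for one log line, or None if it does not parse."""
    m = ENTRY.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if m["sif"] == "WAN" and sport in WEB_PORTS and dport >= EPHEMERAL_MIN:
        # Server port -> client port: looks like return traffic for a session
        # a LAN host opened, the false-positive case described in the reply.
        return m["src"], "likely-reply-traffic"
    if m["sif"] == "WAN" and dport < EPHEMERAL_MIN:
        # Unsolicited traffic aimed at a service port on the LAN side.
        return m["src"], "inbound-to-service"
    return m["src"], "needs-review"

def summarize(lines):
    """Count verdicts per source so repeated alerts stand out."""
    return Counter(r for r in map(triage, lines) if r)

SAMPLE = [
    # First entry is the one from the thread; the rest are constructed.
    "Fri, 02/14/2003 20:35:01 - TCP connection dropped - Source:205.138.3.201, 80, WAN"
    " - Destination:69.2.167.25, 20306, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:41:12 - TCP connection dropped - Source:192.0.2.10, 40112, WAN"
    " - Destination:203.0.113.5, 25, LAN - 'TCP:Syn Flooding'",
    "Fri, 02/14/2003 20:41:13 - TCP connection dropped - Source:192.0.2.10, 40113, WAN"
    " - Destination:203.0.113.5, 25, LAN - 'TCP:Syn Flooding'",
    "End of Log ----------",
]

if __name__ == "__main__":
    for (src, verdict), n in summarize(SAMPLE).items():
        print(f"{src:15} {verdict:22} x{n}")
```

A "likely-reply-traffic" verdict only says the ports match the web-browsing pattern; it does not identify which LAN process opened the session, which is what TCPView on the NT box would show.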