TCP SYN Flooding? 65.99.220.89


neftv (SatelliteGuys Pro, original poster), Dec 9, 2005, PA USA
TCP SYN Flooding ** <IP/TCP> 192.168.2.12:2034 ->> 65.99.220.89:80

I have seen this happen a few times where I lose connection and in my router log I see the above message. What does that mean? Is the IP address your web site?
 
What is SYN Flooding?

Situation:
You need to know what SYN Flooding is, and how you can stop such attacks.

Solution:
SYN Flooding is a denial of service attack. SYN Flooding occurs in TCP/IP communications when the lack of an ACK response results in half-open connection states. On some computers, too many half-open states prevents legitimate connections from being established.


http://www.iss.net/security_center/advice/Exploits/TCP/SYN_flood/default.htm

http://www.securityfocus.com/infocus/1729

http://www.cert.org/advisories/CA-1996-21.html
 
Your router could stop the SYN packets; however, to stop the problems make sure you are current with the critical updates from Microsoft Windows Update and make sure you run anti-virus and anti-spyware software for additional security.

If you do not wish to purchase AV software, http://free.grisoft.com/doc/1 has free commercial software. I am sure it is an IP spoof as Scott runs linux and apache web-servers (even though out of date :))
 
There are certain versions which report those issues on vBulletin sites. The suggestion from vBulletin is for the user to buy the latest version of the software.

We have had users have this issue in the past and this has fixed it for them.
 
Ah, to that I should have added before that I am specifically using Symantec NIS (full suite) 2007 version, complete with the latest available updates.
 
I am sure it is an IP spoof as Scott runs linux and apache web-servers (even though out of date :))

What?

It is _not_ an IP spoof: the attacking IP [1] was his machine's LAN IP (192.168.2.12 [2]), and the target was Scott's web server (see the little ->> arrow; it shows the direction of the attack).

[1]: Not really an attack. The user's brain-dead software (or firmware, as the case may be) saw multiple connections created by the user's browser as a SYN flood, and there was either some lag or packet dropping, which, along with a premature timeout (awaiting ACKs), kept the soft/firmware from seeing the ACKs. A sure sign of brain-dead coding, or a misconfiguration in the firewall settings, probably combined with an over-eager browser (like IE7 or Firefox with the FasterFox plugin (cranked up all the way), or sometimes download accelerators).

[2]: The LAN IP is also an RFC1918 address, which are usually not routable over the public internet, and most ISPs do egress filtering, and most firewalls (such as iptables) can be, and usually are, configured to not allow incoming traffic from RFC1918 addresses into an outward-facing interface from the outside, so spoofing as one of these IPs would likely be futile.

P.S. I just _have_ to know, what does what server software Scott use have anything to do with syn flooding or spoofing?
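As an added illustration (not code from this thread or from any poster), a small Python half-open-connection counter run over constructed log events. It shows the point made above: with a too-short ACK timeout, five ordinary parallel browser connections to the web server look like a SYN flood, while a genuine flood of never-acknowledged SYNs is flagged under any timeout. The source 10.0.0.1, the timeouts and the threshold are made-up values.

```python
from collections import defaultdict

# Constructed log events: (time_sec, src, dst, tcp_flag). Not from the thread.
# A browser on 192.168.2.12 opens five parallel connections to the web server;
# every handshake completes, but each ACK arrives about 0.4 s after its SYN.
BROWSER_BURST = []
for i in range(5):
    port = 2034 + i
    BROWSER_BURST.append((0.0 + i * 0.01, f"192.168.2.12:{port}", "65.99.220.89:80", "SYN"))
    BROWSER_BURST.append((0.4 + i * 0.01, f"192.168.2.12:{port}", "65.99.220.89:80", "ACK"))

# A genuine flood (constructed): 200 SYNs from changing source ports, never ACKed.
REAL_FLOOD = [(i * 0.001, f"10.0.0.1:{40000 + i}", "65.99.220.89:80", "SYN")
              for i in range(200)]


def count_unacked_syns(events, ack_timeout):
    """Per destination, count SYNs whose handshake-completing ACK from the same
    source either never arrived or arrived later than ack_timeout seconds.
    Each such connection is what a detector treats as 'half-open'."""
    syn_time = {}                       # (src, dst) -> time the SYN was seen
    unacked = defaultdict(int)
    for t, src, dst, flag in sorted(events):
        key = (src, dst)
        if flag == "SYN":
            syn_time[key] = t
        elif flag == "ACK" and key in syn_time:
            if t - syn_time.pop(key) > ack_timeout:
                unacked[dst] += 1       # ACK did come, but after the detector gave up
    for (_src, dst) in syn_time:        # SYNs that were never acknowledged at all
        unacked[dst] += 1
    return dict(unacked)


def syn_flood_alerts(events, ack_timeout, threshold):
    """Destinations whose half-open count reaches the threshold, i.e. what a
    router/firewall would log as 'TCP SYN Flooding' toward that address."""
    return {dst for dst, n in count_unacked_syns(events, ack_timeout).items()
            if n >= threshold}


if __name__ == "__main__":
    # Impatient detector (0.2 s) flags the browser burst; a patient one (3 s) does not.
    print("browser, 0.2 s timeout:", syn_flood_alerts(BROWSER_BURST, 0.2, 5))
    print("browser, 3.0 s timeout:", syn_flood_alerts(BROWSER_BURST, 3.0, 5))
    print("real flood, 3.0 s timeout:", syn_flood_alerts(REAL_FLOOD, 3.0, 5))
```

Raising the ACK timeout (or whitelisting the LAN subnet, as suggested later in the thread) removes the false alert without hiding the real flood, which is still flagged because its SYNs are never acknowledged.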
 
Thanks for the AV suggestion above. Is that one as good as Trend Micro?
I use Trend Micro Internet Security 2007 if that's any help, and I have a Microsoft MN100 router in DHCP mode going to my VOIP adapter doing PPPoE, then going to my DSL modem in bridge mode. It only happens with this site. It may be fine for a few days, then all of a sudden this happens and I actually lose my connection.
It's an interesting problem I have not seen before.
 
If he is using a software firewall (for example, Norton), he needs to add his network's subnet (either the /32, or the /24 if there is more than one machine on the LAN) to the trusted networks list, so this false alert won't trigger again, because right now the software seems to consider his LAN address a foreign address, which leads us back to my other post regarding misconfiguration.
 
[2]: The LAN IP is also an RFC1918 address, which are usually not routable over the public internet, and most ISPs do egress filtering, and most firewalls (such as iptables) can be, and usually are, configured to not allow incoming traffic from RFC1918 addresses into an outward-facing interface from the outside, so spoofing as one of these IPs would likely be futile.
192.x.x.x IS non-routable; it is his NAT that takes care of the routing. Here is a quick read for you on RFC1631


P.S. I just _have_ to know, what does what server software Scott use have anything to do with syn flooding or spoofing?
Nothing with the spoof, but Linux 2.4.17 and up have SYN protection built in to the kernel; but he is way behind on Apache.
 
Ah, to that I should have added before that I am specifically using Symantec NIS (full suite) 2007 version, complete with the latest available updates.
Norton and McAfee are the WORST two home use products available. Not from a protection standpoint, just as far as resource pigs. After your protection expires give AVG a whirl, it is much lighter and smaller.
 
I have absolutely NO, ZERO, NADDA issue with Norton and resources. And until the day comes that I do, I'll choose to stay protected. I tried free once and got burned; never another issue since. So let's please not hijack this thread for yet another free vs. paid blowout again.
 
I have absolutely NO, ZERO, NADDA issue with Norton and resources. And until the day comes that I do, I'll choose to stay protected. I tried free once and got burned; never another issue since.
ROTFLMAO, my father-in-law bought a new PC MONDAY and called me because he could not connect to the Internet via DSL out of the box; his Norton firewall disabled the access. Don't get me wrong, at one point Norton was God, now they plain suck. I think I still have my NDD 4 around here.
 