Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Spam and SYN Flood?

from [Peter Kosinar] Network Security [Permanent Link]
Subject: Re: Spam and SYN Flood?
Date: Thu, 21 Dec 2006 01:52:52 +0100 (CET) 
Hello Curt,

I've since enabled TCP_SYNCOOKIES as well as increased the SYN buffer to
4096, as well as shorten the amount of time that a SYN connection
existed on the server.  What I'm looking for is, am I creating a denial
of service for myself, or is this coming from somewhere else that I'm
just not expecting.  If so, is there a way to trace this, or not?

Example of syn_recv from netstat -anp output

(this can go on for about 1500 connections, so that's why only about 15
listed)

At the first glance, it seems you're blocking the connections too late -- i.e. after the initial SYN packet had been received. I haven't played with ipchains for ages, but couldn't you, by accident, have blocked the communication in the other direction instead of the right one? That would effectively block the SYN/ACK which is sent as an answer for the initial SYN, thus causing the symptoms you're observing.

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Spam and SYN Flood?, Curt LeCaptain
Next by Date:  MS06-044 XSS exploits in the wild, Moyer, Shawn - St. Louis, MO
Previous by Thread:  Spam and SYN Flood?, Curt LeCaptain
Next by Thread:  MS06-044 XSS exploits in the wild, Moyer, Shawn - St. Louis, MO
Indexes:  [Date] [Thread] [Top] [All Lists]