[TriLUG] SYN Flood?
jason at monsterjam.org
Tue Jan 23 18:57:09 EST 2007
well, according to what you said..
Source                                 Dest
my.schools.name.server.Ithink:20375    me.athome.on.XP:26219
me.athome.on.XP:1667                   some.atl.addr.31:80
some.atl.addr.31:80                    me.athome.on.XP:1666
me.athome.on.Debian:3744               schools.server.addr:80
different.schools.server.addr:80       me.athome.on.Debian:3745
that looks like normal traffic.
you (high port) -> server (tcp port 80) request for some webpage
server (tcp port 80) -> you (some high port) the servers response
you need to find out what's doing it.. do a top and see what's eating the most cpu..
probably some little shell script or c program that's just attacking.
if it's still happening.
regards,
jason
On Tue, Jan 23, 2007 at 06:23:49PM -0500, MG wrote:
> I had a look, but don't know what to look for. Looks like a lot of
> heavy googling ahead.
>
> MG
>
> jason at monsterjam.org wrote:
> >Looks like someone is using you to attack those sites' webservers..
> >they probably dropped some little scriptie in your /tmp that's doing this.
> >look in your process tree and look in /tmp and see if you can find
> >anything.
> >
> >Jason
> >
> >On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG
> >wrote:
> >
> >>jason at monsterjam.org wrote:
> >>
> >>
> >>>we need more details. are you by any chance using your school's DNS
> >>>server for DNS?
> >>>
> >>>
> >>Just checked back again - sorry about the delay. Not that I know of -
> >>the router address is specified in the DNS tab in the network settings
> >>utility, so I think it's using RoadRunner supplied DNSs.
> >>
> >>
> >>>SYN from where? to where? what port(s)?
> >>>
> >>>
> >>>
> >>This is the event log:
> >>
> >>
> >>Description           Count  Last Occurrence           Target                            Source
> >>IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
> >>LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
> >>SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
> >>LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
> >>SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
> >>LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753
> >>
> >>
> >>>etc.
> >>>
> >>>Jason
> >>>
> >>>
> >>>
> >>>
> >>I had the XP and Debian boxes up originally, then when I noticed this
> >>going on, took the XP off the network and it jumped to the Debian box.
> >>
> >>
> >>Today, it's just 124 IP Fragmented Packets from my school's server to my
> >>XP box.
> >>
> >>
> >>Thanks -
> >>
> >>
> >>MG
> >>
> >>
> >>
> >>>On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
> >>>
> >>>
> >>>>Hello, all,
> >>>>
> >>>>I'm new here <waves> and just came across something fairly scary. My
> >>>>home router shows something called an IP Fragmented Packet *from my
> >>>>school's DNS server*, then there's a series of LAN-side SYN Flood, then
> >>>>just plain SYN Flood, events to and from my [innocent, I swear!]
> >>>>router's IP to some address in Atlanta, back from Atlanta, then to a
> >>>>rival school's IP address here.
> >>>>
> >>>>My systems are XP and Debian 2.6 - when I shut down the XP, it jumped
> >>>>to the Debian. Can anyone clue me into wth's going on?
> >>>>
> >>>>Many thanks -
> >>>>
> >>>>MG
> >>>>--
> >>>>TriLUG mailing list :
> >>>>http://www.trilug.org/mailman/listinfo/trilug
> >>>>TriLUG Organizational FAQ : http://trilug.org/faq/
> >>>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>>>
> >>>>
> >>>
> >>>
> >>
> >
> >
--
================================================
| Jason Welsh jason at monsterjam.org |
| http://monsterjam.org DSS PGP: 0x5E30CC98 |
| gpg key: http://monsterjam.org/gpg/ |
================================================
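As an added example (not code from the thread or from its posters), the reading Jason gives above applied mechanically to the router's event rows: each event is labelled by direction and ports so that ordinary browsing (LAN host on a high port to a server's :80, and the server's :80 reply back to that high port) stands apart from anything that still needs a closer look. The row layout, the placeholder host names and the `me.athome.` prefix used to recognise the LAN hosts are assumptions taken from the quoted log.

```python
import re
from collections import Counter

# Constructed sample: the router's event rows from the quoted post, one per line as
# "Description Count Last-Occurrence Target Source" (placeholder hosts as in the post).
EVENTS = """\
IP Fragmented Packet 4 FRI JAN 19 14:23:49 2007 me.athome.on.XP:26219 my.schools.name.server.Ithink:20375
LAN-side SYN Flood 1 FRI JAN 19 15:26:29 2007 some.atl.addr.31:80 me.athome.on.XP:1667
SYN Flood 1 FRI JAN 19 15:26:29 2007 me.athome.on.XP:1666 some.atl.addr.31:80
LAN-side SYN Flood 1 FRI JAN 19 17:13:27 2007 different.schools.server.addr:80 me.athome.on.Debian:3744
SYN Flood 1 FRI JAN 19 17:13:27 2007 me.athome.on.Debian:3745 different.schools.server.addr:80
LAN-side SYN Flood 6 FRI JAN 19 17:13:42 2007 different.schools.server.addr:80 me.athome.on.Debian:3753
"""

ROW = re.compile(r"^(?P<desc>.+?) (?P<count>\d+) (?P<when>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) "
                 r"(?P<target>\S+):(?P<tport>\d+) (?P<source>\S+):(?P<sport>\d+)$")
LOCAL_PREFIX = "me.athome."   # assumption: how the LAN hosts are named in this log
WEB_PORTS = {80, 443}         # server-side ports of ordinary browsing
EPHEMERAL_MIN = 1024          # client-side ports are picked above this

def classify(row):
    """Label one event row by who initiated it and on which ports."""
    m = ROW.match(row.strip())
    if not m:
        raise ValueError("unparseable row: %r" % row)
    src_local = m["source"].startswith(LOCAL_PREFIX)
    dst_local = m["target"].startswith(LOCAL_PREFIX)
    sport, tport = int(m["sport"]), int(m["tport"])
    if src_local and not dst_local and sport >= EPHEMERAL_MIN and tport in WEB_PORTS:
        verdict = "outbound web request"      # you (high port) -> server :80
    elif dst_local and not src_local and tport >= EPHEMERAL_MIN and sport in WEB_PORTS:
        verdict = "web server reply"          # server :80 -> you (high port)
    else:
        verdict = "unexplained"               # e.g. fragments from a DNS server's :20375
    return {"desc": m["desc"], "verdict": verdict, "count": int(m["count"]),
            "source": m["source"], "target": m["target"]}

def summarize(text):
    """Sum event counts per verdict and outbound SYNs per LAN host; a LAN host
    really flooding a site would pile up a large outbound count of its own."""
    verdicts, outbound = Counter(), Counter()
    for line in text.splitlines():
        ev = classify(line)
        verdicts[ev["verdict"]] += ev["count"]
        if ev["verdict"] == "outbound web request":
            outbound[ev["source"]] += ev["count"]
    return verdicts, outbound
```

Anything that lands in "unexplained" is what to chase with top and a look through the process tree, as suggested above; the two web verdicts are the request/response pairs the router is mislabelling as floods.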