[TriLUG] SYN Flood?

jason at monsterjam.org jason at monsterjam.org
Tue Jan 23 18:57:09 EST 2007


well, according to what you said..

Source                                   Dest
my.schools.name.server.Ithink:20375      me.athome.on.XP:26219
me.athome.on.XP:1667                     some.atl.addr.31:80
some.atl.addr.31:80                      me.athome.on.XP:1666
me.athome.on.Debian:3744                 schools.server.addr:80
different.schools.server.addr:80         me.athome.on.Debian:3745

that looks like normal traffic.
you (high port)      ->   server (tcp port 80)  request for some webpage
server (tcp port 80) ->   you  (some high port) the server's response

you need to find out what's doing it.. do a top and see what's eating the most cpu..
probably some little shell script or c program that's just attacking,
if it's still happening.

regards,
jason




On Tue, Jan 23, 2007 at 06:23:49PM -0500, MG wrote:
> I had a look, but don't know what to look for.  Looks like a lot of 
> heavy googling ahead.
> 
> MG
> 
> jason at monsterjam.org wrote:
> >Looks like someone is using you to attack those sites' webservers..
> >they probably dropped some little scriptie in your /tmp that's doing this.
> >look in your process tree and look in /tmp and see if you can find 
> >anything.
> >
> >Jason
> >
> >On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG 
> >wrote:
> >  
> >>jason at monsterjam.org wrote:
> >>
> >>    
> >>>we need more details. are you by any chance using your schools DNS 
> >>>server for DNS?
> >>> 
> >>>      
> >>Just checked back again - sorry about the delay. Not that I know of - 
> >>the router address is specified in the DNS tab in the network settings 
> >>utility, so I think it's using RoadRunner supplied DNSs.
> >>
> >>    
> >>>SYN from from where? to where? what port(s)?
> >>>
> >>> 
> >>>      
> >>This is the event log:
> >>
> >>
> >>Description           Count   Last Occurence            Target                             Source
> >>IP Fragmented Packet  4       FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219              my.schools.name.server.Ithink:20375
> >>LAN-side SYN Flood    1       FRI JAN 19 15:26:29 2007  some.atl.addr.31:80                me.athome.on.XP:1667
> >>SYN Flood             1       FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666               some.atl.addr.31:80
> >>LAN-side SYN Flood    1       FRI JAN 19 17:13:27 2007  different.schools.server.addr:80   me.athome.on.Debian:3744
> >>SYN Flood             1       FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745           different.schools.server.addr:80
> >>LAN-side SYN Flood    6       FRI JAN 19 17:13:42 2007  different.schools.server.addr:80   me.athome.on.Debian:3753
> >>
> >>    
> >>>etc.
> >>>
> >>>Jason
> >>>
> >>>
> >>> 
> >>>      
> >>I had the XP and Debian boxes up originally, then when I noticed this 
> >>going on, took the XP off the network and it jumped to the Debian box.
> >>
> >>
> >>Today, it's just 124 IP Fragmented Packets from my school's server to my 
> >>XP box.
> >>
> >>
> >>Thanks -
> >>
> >>
> >>MG
> >>
> >>
> >>    
> >>>On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
> >>> 
> >>>      
> >>>>Hello, all,
> >>>>
> >>>>I'm new here <waves> and just came across something fairly scary. My 
> >>>>home router shows something called an IP Fragmented Packet *from my 
> >>>>school's DNS server*, then there's a series of LAN-side SYN Flood, then 
> >>>>just plain SYN Flood, events to and from my [innocent, I swear!] 
> >>>>router's IP to some address in Atlanta, back from Atlanta, then to a 
> >>>>rival school's IP address here.
> >>>>
> >>>>My systems are XP and Debian 2.6 - when I shut down the XP, it jumped 
> >>>>to the Debian.   Can anyone clue me into wth's going on?
> >>>>
> >>>>Many thanks -
> >>>>
> >>>>MG
> >>>>-- 
> >>>>TriLUG mailing list        : 
> >>>>http://www.trilug.org/mailman/listinfo/trilug
> >>>>TriLUG Organizational FAQ  : http://trilug.org/faq/
> >>>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>>>   
> >>>>        
> >>> 
> >>>      
> >
> >  

-- 
================================================
|    Jason Welsh   jason at monsterjam.org        |
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|    gpg key: http://monsterjam.org/gpg/       |
================================================
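As an added example (not code from the thread or from TriLUG), here is a small Python script that reads a router event log like the one quoted above and applies the reading given in the reply: a local high port talking to a remote tcp/80 is an ordinary web request, tcp/80 talking back to a high port is the reply, and the local box that keeps initiating those requests is the one to inspect with top. The pipe-delimited field layout, the LOCAL_HOSTS set and the event lines themselves are constructed from the thread's placeholder host names; a real router will log in its own format.

```python
"""Sort a home router's "SYN Flood" events by who is talking to whom.

Added example, not code from the thread. The event lines are constructed
from the thread's placeholder host names; the pipe-delimited layout and
the LOCAL_HOSTS set are assumptions.
"""
import re
from collections import Counter

# Machines on the LAN side of the router (assumed from the thread).
LOCAL_HOSTS = {"me.athome.on.XP", "me.athome.on.Debian"}

# Constructed sample. Field order follows the router's columns:
# description | count | last occurrence | target host:port | source host:port
SAMPLE_LOG = """\
IP Fragmented Packet|4|FRI JAN 19 14:23:49 2007|me.athome.on.XP:26219|my.schools.name.server.Ithink:20375
LAN-side SYN Flood|1|FRI JAN 19 15:26:29 2007|some.atl.addr.31:80|me.athome.on.XP:1667
SYN Flood|1|FRI JAN 19 15:26:29 2007|me.athome.on.XP:1666|some.atl.addr.31:80
LAN-side SYN Flood|1|FRI JAN 19 17:13:27 2007|different.schools.server.addr:80|me.athome.on.Debian:3744
SYN Flood|1|FRI JAN 19 17:13:27 2007|me.athome.on.Debian:3745|different.schools.server.addr:80
LAN-side SYN Flood|6|FRI JAN 19 17:13:42 2007|different.schools.server.addr:80|me.athome.on.Debian:3753
"""

ENDPOINT = re.compile(r"^(?P<host>[^:]+):(?P<port>\d+)$")


def split_endpoint(text):
    """'host:port' -> (host, port as int); rejects anything else."""
    m = ENDPOINT.match(text.strip())
    if not m:
        raise ValueError(f"bad endpoint: {text!r}")
    return m.group("host"), int(m.group("port"))


def parse_log(text):
    """Return one dict per event with src/dst as (host, port) tuples.

    The router labels the columns Target and Source; the reply reads
    Source as the sender and Target as the receiver, so we do the same.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, count, when, target, source = (f.strip() for f in line.split("|"))
        events.append({
            "desc": desc,
            "count": int(count),
            "when": when,
            "src": split_endpoint(source),
            "dst": split_endpoint(target),
        })
    return events


def classify(src, dst):
    """Name the flow by its ports: request, response, or other."""
    (_, sport), (_, dport) = src, dst
    if dport == 80 and sport > 1023:
        return "request"      # client high port -> server tcp/80
    if sport == 80 and dport > 1023:
        return "response"     # server tcp/80 -> client high port
    return "other"            # e.g. the fragmented packets, high port to high port


def initiators(events):
    """Sum event counts of web requests per LAN host: which box to look at."""
    totals = Counter()
    for ev in events:
        host = ev["src"][0]
        if host in LOCAL_HOSTS and classify(ev["src"], ev["dst"]) == "request":
            totals[host] += ev["count"]
    return totals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        kind = classify(ev["src"], ev["dst"])
        print(f"{ev['when']}  {ev['desc']:<22} {kind:<9} "
              f"{ev['src'][0]}:{ev['src'][1]} -> {ev['dst'][0]}:{ev['dst'][1]}")
    for host, n in initiators(evs).most_common():
        print(f"{host}: initiated {n} web request(s) -- run top on this box")
```

Every "LAN-side SYN Flood" row turns out to be a LAN host opening a connection to port 80 and every plain "SYN Flood" row the matching reply, which is what the reply above means by normal traffic; the per-host totals only say which machine is doing the connecting, not what process is doing it, and that is what top or a look at the process tree is for.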



