[TriLUG] SYN Flood?

MG mgmonza at gmail.com
Sun Jan 21 20:15:20 EST 2007


jason at monsterjam.org wrote:

> we need more details. are you by any chance using your school's DNS server for DNS?
>   


Just checked back again - sorry about the delay. Not that I know of -
the router address is specified in the DNS tab in the network settings
utility, so I think it's using RoadRunner supplied DNSs.

> SYN from where? to where? what port(s)?
>
>   


This is the event log:


Description           Count  Last Occurence            Target                            Source
IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753

> etc.
>
> Jason
>
>
>   


I had the XP and Debian boxes up originally, then when I noticed this 
going on, took the XP off the network and it jumped to the Debian box.


Today, it's just 124 IP Fragmented Packets from my school's server to my
XP box.


Thanks -


MG


> On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
>   
>> Hello, all,
>>
>> I'm new here <waves> and just came across something fairly scary. My
>> home router shows something called an IP Fragmented Packet *from my
>> school's DNS server*, then there's a series of LAN-side SYN Flood, then 
>> just plain SYN Flood, events to and from my [innocent, I swear!] 
>> router's IP to some address in Atlanta, back from Atlanta, then to a 
>> rival school's IP address here.
>>
>> My systems are XP and Debian 2.6 - when I shut down the XP, it jumped to 
>> the Debian.   Can anyone clue me into wth's going on?
>>
>> Many thanks -
>>
>> MG