[TriLUG] SYN Flood?

jason at monsterjam.org jason at monsterjam.org
Mon Jan 22 20:53:29 EST 2007


Looks like someone is using you to attack those sites' webservers..
they probably dropped some little scriptie in your /tmp that's doing this.
Look in your process tree and look in /tmp and see if you can find anything.

Jason

On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG wrote:
> jason at monsterjam.org wrote:
> 
> >we need more details. are you by any chance using your school's DNS server 
> >for DNS?
> >  
> 
> 
> Just checked back again  - sorry about the delay.   Not that I know of - 
> the router address is specified in the DNS tab in the network settings 
> utility, so I think it's using RoadRunner supplied DNSs.
> 
> >SYN from where? to where? what port(s)?
> >
> >  
> 
> 
> This is the event log:
> 
> 
> Description           Count  Last Occurrence           Target                            Source
> IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
> LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
> SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
> LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
> SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
> LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753
> 
> >etc.
> >
> >Jason
> >
> >
> >  
> 
> 
> I had the XP and Debian boxes up originally, then when I noticed this 
> going on, took the XP off the network and it jumped to the Debian box.
> 
> 
> Today, it's just 124 IP Fragmented Packets from my school's server to my 
> XP box.
> 
> 
> Thanks -
> 
> 
> MG
> 
> 
> >On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
> >  
> >>Hello, all,
> >>
> >>I'm new here <waves> and just came across something fairly scary.   My  
> >>home router shows  something  called an IP Fragmented Packet *from my 
> >>school's DNS server*, then there's a series of LAN-side SYN Flood, then 
> >>just plain SYN Flood, events to and from my [innocent, I swear!] 
> >>router's IP to some address in Atlanta, back from Atlanta, then to a 
> >>rival school's IP address here.
> >>
> >>My systems are XP and Debian 2.6 - when I shut down the XP, it jumped to 
> >>the Debian.   Can anyone clue me into wth's going on?
> >>
> >>Many thanks -
> >>
> >>MG
> >>-- 
> >>TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> >>TriLUG Organizational FAQ  : http://trilug.org/faq/
> >>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

-- 
================================================
|    Jason Welsh   jason at monsterjam.org        |
| http://monsterjam.org    DSS PGP: 0x5E30CC98 |
|    gpg key: http://monsterjam.org/gpg/       |
================================================
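Jason's advice above (check the process tree and /tmp) as an added sh triage helper; it is not part of the thread. It walks a /proc-style tree and reports processes whose executable or working directory lives in /tmp, /var/tmp or /dev/shm, stripping the " (deleted)" suffix Linux appends when the binary has already been unlinked. The fake /proc tree, its pids and the paths under /tmp/.x are constructed for the demo; on a real Debian box run `find_scratch_procs` with no argument.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Assumes a Linux-style /proc
# layout where each <pid> directory has "exe" and "cwd" symlinks.

SCRATCH_DIRS="/tmp /var/tmp /dev/shm"

# Return 0 if path $1 is one of the scratch directories or lies under one.
in_scratch_dir() {
  p=$1
  for d in $SCRATCH_DIRS; do
    case "$p" in
      "$d"|"$d"/*) return 0 ;;
    esac
  done
  return 1
}

# Print "<pid> <exe|cwd> <path>" for every process under PROCROOT ($1,
# default /proc) whose binary or working directory is in a scratch dir.
find_scratch_procs() {
  procroot=${1:-/proc}
  for dir in "$procroot"/[0-9]*; do
    [ -d "$dir" ] || continue
    pid=${dir##*/}
    for link in exe cwd; do
      target=$(readlink "$dir/$link" 2>/dev/null) || continue
      # A binary removed after launch shows as "/tmp/x (deleted)".
      target=${target% (deleted)}
      if in_scratch_dir "$target"; then
        printf '%s %s %s\n' "$pid" "$link" "$target"
      fi
    done
  done
}

# Build a constructed fake /proc tree so the demo never touches the live system:
# pid 101 is a normal process, 202 runs a (deleted) script out of /tmp/.x,
# 303 is a normal binary that merely chdir'd into /dev/shm.
make_fake_proc() {
  root=$(mktemp -d)
  mkdir -p "$root/101" "$root/202" "$root/303"
  ln -s /usr/bin/sleep "$root/101/exe"; ln -s /home/mg "$root/101/cwd"
  ln -s "/tmp/.x/httpd (deleted)" "$root/202/exe"; ln -s /tmp/.x "$root/202/cwd"
  ln -s /usr/sbin/sshd "$root/303/exe"; ln -s /dev/shm "$root/303/cwd"
  printf '%s\n' "$root"
}

fake=$(make_fake_proc)
find_scratch_procs "$fake"
rm -rf "$fake"
```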