[TriLUG] SYN Flood?

MG mgmonza at gmail.com
Tue Jan 23 18:23:49 EST 2007


I had a look, but don't know what to look for.  Looks like a lot of 
heavy googling ahead.

MG

jason at monsterjam.org wrote:
> Looks like someone is using you to attack those sites' webservers.
> They probably dropped some little scriptie in your /tmp that's doing this.
> Look in your process tree and look in /tmp and see if you can find anything.
>
> Jason
>
> On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG wrote:
>   
>> jason at monsterjam.org wrote:
>>
>>     
>>> we need more details. are you by any chance using your school's DNS server 
>>> for DNS?
>>>  
>>>       
>> Just checked back again - sorry about the delay. Not that I know of - 
>> the router address is specified in the DNS tab in the network settings 
>> utility, so I think it's using RoadRunner supplied DNSs.
>>
>>     
>>> SYN from where? to where? what port(s)?
>>>
>>>  
>>>       
>> This is the event log:
>>
>>
>> Description           Count  Last Occurence            Target                            Source
>> IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
>> LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
>> SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
>> LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
>> SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
>> LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753
>>
>>     
>>> etc.
>>>
>>> Jason
>>>
>>>
>>>  
>>>       
>> I had the XP and Debian boxes up originally, then when I noticed this 
>> going on, took the XP off the network and it jumped to the Debian box.
>>
>>
>> Today, it's just 124 IP Fragmented Packets from my school's server to my 
>> XP box.
>>
>>
>> Thanks -
>>
>>
>> MG
>>
>>
>>     
>>> On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
>>>  
>>>       
>>>> Hello, all,
>>>>
>>>> I'm new here <waves> and just came across something fairly scary. My 
>>>> home router shows something called an IP Fragmented Packet *from my 
>>>> school's DNS server*, then there's a series of LAN-side SYN Flood, then 
>>>> just plain SYN Flood, events to and from my [innocent, I swear!] 
>>>> router's IP to some address in Atlanta, back from Atlanta, then to a 
>>>> rival school's IP address here.
>>>>
>>>> My systems are XP and Debian 2.6 - when I shut down the XP, it jumped to 
>>>> the Debian. Can anyone clue me into wth's going on?
>>>>
>>>> Many thanks -
>>>>
>>>> MG
>>>> -- 
>>>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>>>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>>    
>>>>         
>>>  
>>>       
>
>   
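
Added example, not part of the original thread: one way to act on the "look in your process tree and look in /tmp" advice on the Debian box, by counting outbound connections stuck in SYN_SENT per destination and listing processes whose executable sits in a temp directory or has been deleted. It assumes Linux /proc, IPv4 only (/proc/net/tcp) and a little-endian machine; the function names and the sample data are constructed for illustration.

```python
import os
from collections import Counter

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable drop locations
SYN_SENT = "02"                                   # TCP state code in /proc/net/tcp

def decode_addr(hex_addr):
    """Convert '0100007F:0050' (little-endian IPv4 hex : port hex) to '127.0.0.1:80'."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return "%s:%d" % (".".join(octets), int(port_hex, 16))

def syn_sent_by_remote(proc_net_tcp_text):
    """Count sockets waiting in SYN_SENT (SYN sent, no reply yet) per remote addr:port."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == SYN_SENT:
            counts[decode_addr(fields[2])] += 1
    return counts

def suspicious_exe(exe_path):
    """True if the binary runs from a temp dir or was deleted from disk after launch."""
    return exe_path.startswith(TEMP_DIRS) or exe_path.endswith(" (deleted)")

def scan_processes(proc_root="/proc"):
    """Return [(pid, exe)] for processes whose executable path looks suspicious."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:   # kernel thread, exited process, or not permitted
            continue
        if suspicious_exe(exe):
            hits.append((int(pid), exe))
    return hits

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500A8C0:0EA0 0A0200C0:0050 02 00000001:00000000 01:00000064 00000001  1000 0 1111 2
   1: 0500A8C0:0EA1 0A0200C0:0050 02 00000001:00000000 01:00000064 00000001  1000 0 1112 2
   2: 0500A8C0:0016 0100A8C0:C350 01 00000000:00000000 00:00000000 00000000     0 0 1113 1
"""

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    print(syn_sent_by_remote(text).most_common(10))
    print(scan_processes() if os.path.isdir("/proc") else [])
```

Run it as root so every process's exe link is readable. A deleted executable also appears when a package upgrade replaces a running binary, so treat each hit as a lead to inspect rather than proof of compromise.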


