[TriLUG] SYN Flood?

MG mgmonza at gmail.com
Wed Jan 24 14:54:53 EST 2007


Hi,


I'd have thought those were normal too, except they showed up on my 
router's firewall event page, which hitherto had been blank, and all the 
exchanges start with either a fragmentation warning or a SYN flood 
warning.  The ones from my school's server start off the series and always 
with an IP Fragmented Package warning, then the rest get going. 


I did do a top, but it showed only a root init process as #1 and then 
the normal Mozilla and other vaguely familiar processes on down the line.


It could be and probably is my own inexperience at setting up a home 
network - something like not specifying the right domain name servers or 
putting those names in the wrong place.  Learning and challenges being 
part of the reason I switched to Linux, it's delivering as promised :) 


And I'll second David M's appreciation - information from folks such as 
yourself and the others on this list keeps those learning curves from 
going off into infinity.


MG

jason at monsterjam.org wrote:
> well, according to what you said..
>
> Source						Dest
> my.schools.name.server.Ithink:20375		me.athome.on.XP:26219
> me.athome.on.XP:1667				some.atl.addr.31:80
> some.atl.addr.31:80				me.athome.on.XP:1666
> me.athome.on.Debian:3744			schools.server.addr:80
> different.schools.server.addr:80		me.athome.on.Debian:3745
>
> that looks like normal traffic.
> you (high port)      ->   server (tcp port 80)  request for some webpage
> server (tcp port 80) ->   you  (some high port) the servers response
>
> you need to find out what's doing it.. do a top and see what's eating the most cpu..
> probably some little shell script or c program that's just attacking,
> if it's still happening.
>
> regards,
> jason
>
>
>
>
> On Tue, Jan 23, 2007 at 06:23:49PM -0500, MG wrote:
>> I had a look, but don't know what to look for.  Looks like a lot of 
>> heavy googling ahead.
>>
>> MG
>>
>> jason at monsterjam.org wrote:
>>> Looks like someone is using you to attack those sites' webservers..
>>> they probably dropped some little scriptie in your /tmp that's doing this.
>>> look in your process tree and look in /tmp and see if you can find 
>>> anything.
>>>
>>> Jason
>>>
>>> On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG 
>>> wrote:
>>>> jason at monsterjam.org wrote:
>>>>
>>>>> we need more details. are you by any chance using your schools DNS 
>>>>> server for DNS?
>>>>>
>>>> Just checked back again  - sorry about the delay.   Not that I know of - 
>>>> the router address is specified in the DNS tab in the network settings 
>>>> utility, so I think it's using RoadRunner supplied DNSs.
>>>>
>>>>> SYN from from where? to where? what port(s)?
>>>>>
>>>>>
>>>> This is the event log:
>>>>
>>>>
>>>> Description            Count  Last Occurence            Target                             Source
>>>> IP Fragmented Packet   4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219              my.schools.name.server.Ithink:20375
>>>> LAN-side SYN Flood     1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80                me.athome.on.XP:1667
>>>> SYN Flood              1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666               some.atl.addr.31:80
>>>> LAN-side SYN Flood     1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80   me.athome.on.Debian:3744
>>>> SYN Flood              1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745           different.schools.server.addr:80
>>>> LAN-side SYN Flood     6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80   me.athome.on.Debian:3753
>>>>
>>>>> etc.
>>>>>
>>>>> Jason
>>>>>
>>>>>
>>>>>
>>>> I had the XP and Debian boxes up originally, then when I noticed this 
>>>> going on, took the XP off the network and it jumped to the Debian box.
>>>>
>>>>
>>>> Today, it's just 124 IP Fragmented Packets from my school's server to my 
>>>> XP box.
>>>>
>>>>
>>>> Thanks -
>>>>
>>>>
>>>> MG
>>>>
>>>>
>>>>> On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
>>>>>
>>>>>> Hello, all,
>>>>>>
>>>>>> I'm new here <waves> and just came across something fairly scary.   My  
>>>>>> home router shows  something  called an IP Fragmented Packet *from my 
>>>>>> school's DNS server*, then there's a series of LAN-side SYN Flood, then 
>>>>>> just plain SYN Flood, events to and from my [innocent, I swear!] 
>>>>>> router's IP to some address in Atlanta, back from Atlanta, then to a 
>>>>>> rival school's IP address here.
>>>>>>
>>>>>> My systems are XP and Debian 2.6 - when I shut down the XP, it jumped 
>>>>>> to the Debian.   Can anyone clue me into wth's going on?
>>>>>>
>>>>>> Many thanks -
>>>>>>
>>>>>> MG
>>>>>> -- 
>>>>>> TriLUG mailing list        : 
>>>>>> http://www.trilug.org/mailman/listinfo/trilug
>>>>>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>>>>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
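To make Jason's port-direction rule mechanical, here is an added Python example (not from anyone on the thread) that parses the event-log rows quoted above and labels each one; the `me.athome.` prefix for LAN hosts and the treatment of ports above 1023 as client ports are assumptions.

```python
"""Label the router's "SYN Flood" rows with the rule from Jason's reply: local high
port -> remote :80 is an ordinary web request, remote :80 -> local high port its reply."""
from collections import Counter

# Constructed from the event log quoted above (Description|Count|Last Occurrence|Target|Source).
EVENT_LOG = """\
IP Fragmented Packet|4|FRI JAN 19 14:23:49 2007|me.athome.on.XP:26219|my.schools.name.server.Ithink:20375
LAN-side SYN Flood|1|FRI JAN 19 15:26:29 2007|some.atl.addr.31:80|me.athome.on.XP:1667
SYN Flood|1|FRI JAN 19 15:26:29 2007|me.athome.on.XP:1666|some.atl.addr.31:80
LAN-side SYN Flood|1|FRI JAN 19 17:13:27 2007|different.schools.server.addr:80|me.athome.on.Debian:3744
SYN Flood|1|FRI JAN 19 17:13:27 2007|me.athome.on.Debian:3745|different.schools.server.addr:80
LAN-side SYN Flood|6|FRI JAN 19 17:13:42 2007|different.schools.server.addr:80|me.athome.on.Debian:3753
"""

LOCAL_PREFIX = "me.athome."   # assumption: how hosts on the home LAN are named in this log
WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 1024          # assumption: client-side ports sit above the well-known range

def split_endpoint(endpoint):
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)

def classify(target, source):
    """Label one row: web-request, web-response, or *-other for anything else."""
    thost, tport = split_endpoint(target)
    shost, sport = split_endpoint(source)
    src_local = shost.startswith(LOCAL_PREFIX)
    if src_local and tport in WEB_PORTS and sport >= EPHEMERAL_MIN:
        return "web-request"      # LAN host opening a connection to a web server
    if not src_local and sport in WEB_PORTS and tport >= EPHEMERAL_MIN:
        return "web-response"     # that web server answering the LAN host
    return "outbound-other" if src_local else "inbound-other"

def summarize(log_text):
    """Per local host: Counter of (description, label) -> summed event count."""
    per_host = {}
    for line in log_text.splitlines():
        desc, count, _when, target, source = line.split("|")
        label = classify(target, source)
        local = source if source.startswith(LOCAL_PREFIX) else target
        host = split_endpoint(local)[0]
        per_host.setdefault(host, Counter())[(desc, label)] += int(count)
    return per_host

if __name__ == "__main__":
    # Rows labelled *-other (here the fragmented packets) are the ones still unexplained.
    for host, counts in summarize(EVENT_LOG).items():
        for (desc, label), n in sorted(counts.items()):
            print(f"{host:22} {desc:22} {label:15} {n}")
```

Everything the router called a SYN flood comes out as a request/response pair to port 80, while the fragmented packets from the school's server are the only rows the rule does not explain.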


