George Theall on 14 Feb 2004 00:35:03 -0000



Re: [PLUG] SYN attacks?


On Fri, Feb 13, 2004 at 05:38:04PM -0500, Kevin Brosius wrote:

> Here's a general question about network attacks.  I noticed yesterday
> that I was receiving heavy network traffic, enough to flood my firewall
> and take me off the net.  After a little investigation, I find that I am
> receiving a huge amount of TCP traffic from a single net address. 
> (sc-f100-01.extremenetworks.com - 63.251.106.30 in case anyone has
> suggestions about reporting this) 

DShield.org has 100+ records of abuse from that host in the past 2 weeks
- <http://www.dshield.org/ipinfo.php?ip=63.251.106.30&Submit=Submit>. 
According to that page, abuse reports should be sent to
abuse@internap.com. 

> I let it go for about an hour, then
> started dropping all network traffic from that IP.  

What are the characteristics of this traffic?  Which ports are targeted?
Are these purely SYNs, as the subject suggests? If so, are you operating
any sort of service that's publicly available, like a web server?


George
-- 
theall@tifaware.com
