Question: SYN flood attack
Hi there, can anybody interpret the following line for me? I understand it has to do with a SYN flood attack on my server, but I want to know more about it.
/02/2005 14:44:30 **SYN Flood to Host** 192.168.2.105, 3230->> 207.44.208.7, 80 (from PPPoE Outbound)
I would also like to know if it's possible to tell from this info whether the router is blocking the attack or not. Thanks.
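As an added example (not part of the original post), here is a small parser for router event lines in the format quoted above. It pulls out the two endpoints, the interface and the traffic direction, then counts events per source/destination pair so that a burst of outbound SYNs from one local host to one remote port (many separate connection attempts, each from a fresh ephemeral port) can be told apart from inbound SYNs aimed at a local service. The field names, the regex and the extra sample lines (using the 203.0.113.0/24 documentation range) are constructed assumptions; only the first sample line is taken from the question.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Pattern for the router's "SYN Flood to Host" event line. The day field in the
# quoted line is missing ("/02/2005"), so the date is matched loosely on purpose.
LINE_RE = re.compile(
    r"^(?P<date>\S*/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\*\*SYN Flood to Host\*\* "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+), (?P<src_port>\d+)->> "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+), (?P<dst_port>\d+) "
    r"\(from (?P<iface>\w+) (?P<direction>Inbound|Outbound)\)$"
)


@dataclass(frozen=True)
class SynFloodEvent:
    date: str
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str
    direction: str


def parse_line(line):
    """Return a SynFloodEvent for one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return SynFloodEvent(d["date"], d["time"], d["src_ip"], int(d["src_port"]),
                         d["dst_ip"], int(d["dst_port"]), d["iface"], d["direction"])


def summarize(lines):
    """Count events per (src_ip, dst_ip, dst_port, direction).

    The source port is deliberately left out of the key: a local host opening many
    genuine connections uses a new ephemeral port each time, so grouping without it
    shows the total number of attempts towards one remote service.
    """
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated log line, skip
        counts[(ev.src_ip, ev.dst_ip, ev.dst_port, ev.direction)] += 1
    return dict(counts)


# Constructed sample log: the first line is the one quoted in the question, the
# rest are made up to show an outbound burst and one inbound event.
SAMPLE_LOG = [
    "/02/2005 14:44:30 **SYN Flood to Host** 192.168.2.105, 3230->> 207.44.208.7, 80 (from PPPoE Outbound)",
    "14/02/2005 14:44:31 **SYN Flood to Host** 192.168.2.105, 3231->> 207.44.208.7, 80 (from PPPoE Outbound)",
    "14/02/2005 14:44:31 **SYN Flood to Host** 192.168.2.105, 3232->> 207.44.208.7, 80 (from PPPoE Outbound)",
    "14/02/2005 14:45:02 **SYN Flood to Host** 203.0.113.9, 44012->> 192.168.2.105, 80 (from PPPoE Inbound)",
    "14/02/2005 14:45:03 Some unrelated router message",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        src, dst, port, direction = key
        print(f"{direction:8s} {src:>15s} -> {dst}:{port}  events={n}")
```

In the quoted line the local host 192.168.2.105 is the originator and the remote web server is the target, so the router is reporting a high rate of outbound SYNs from the LAN rather than an attack arriving at the server.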
Answer: SYN flood attack
Hi,
"192.168.2.105, 3230"
IP address of the local device where the SYN flood to host is happening; 3230 is the port number used.
Port 3230: Polycom ViaVideo H.323 (3230-3235) (TCP/UDP)
"207.44.208.7, 80"
This is a public IP address that is using port 80 ---> HTTP (TCP/UDP)
The IP address belongs to mail.todomexico.com ---> Do you know who this is?
A SYN flood is a type of DoS (Denial of Service) attack.
When you establish a TCP connection a three-way handshake is performed: the originator sends a SYN, the receiver sends a SYN-ACK, and then there is another ACK in response to acknowledge the SYN-ACK (if I remember correctly).
The attack works by sending lots of SYNs to the remote host without doing any ACK; the remote host has to wait a period of time for the ACK before giving up and discarding the SYN. So, if you send lots of SYNs you can fill up the resource table/buffers of the receiving host until it can't accept any more connections. I expect, because the connection is never completed, you can easily forge and randomise the source of the SYNs as well.
I suspect you made a lot of genuine connections, but maybe a high number in a short time frame so your router is flagging a high rate of SYNs in genuine TCP connections.
> How can I rectify the NTP time thing?
Router probably needs the IP address of an NTP time server that it can sync with, see if your ISP provides one, or check out the list at www.ntp.org for a stratum 2 time server that you can use.