
Re: [cobalt-security] syn_flood dos attack



On Tue, Jan 01, 2002 at 01:29:54PM +0100, Nico Meijer wrote:
> >I'm having an issue on an old raq XTR (yes, the ones that have been 
> >recalled) with multiple IP addresses attacking port 80 on the server.

As has been pointed out elsewhere, do ensure that this is a genuine SYN
flood, rather than an annoyance.

If there isn't an absolute barrage of packets, it could be a broken
router, firewall or proxy server (especially as it's port 80) in the
way.  The broken device is sending the SYN to you, you're replying with
an ACK, which at some point is then incorrectly dropped or misrouted on
the way back; so you get a kind of gentle SYN flood effect.

-- 
Nick Drage - Security Architecture - Demon Internet
"A lonely voice
 Echoing through the wilderness
 Request Timed Out"
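
An added example, not part of the original message: one way to check whether the server is seeing a barrage or a trickle of half-open connections is to count `SYN_RECV` sockets on port 80 per remote address from `netstat -tn` output. The sample lines are constructed, and the `backlog` and `barrage_ratio` thresholds are assumed values to tune for the host.

```python
from collections import Counter

# Constructed sample in `netstat -tn` layout (documentation addresses, not real data).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:41022      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41023      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41031      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51512       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40022       SYN_RECV
"""

def half_open_by_source(netstat_text, port=80):
    """Count SYN_RECV (half-open) sockets on `port`, keyed by remote IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a TCP socket line.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        if state != "SYN_RECV" or local.rsplit(":", 1)[-1] != str(port):
            continue
        # rsplit keeps IPv6-mapped addresses intact and drops only the port.
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts

def triage(counts, backlog=1024, barrage_ratio=0.5):
    """Rough triage; backlog and barrage_ratio are assumed values, not measured ones."""
    total = sum(counts.values())
    if total == 0:
        return "no half-open connections"
    kind = "barrage" if total >= backlog * barrage_ratio else "trickle"
    return "%s: %d half-open from %d sources" % (kind, total, len(counts))

if __name__ == "__main__":
    counts = half_open_by_source(SAMPLE)
    for ip, n in counts.most_common():
        print(n, ip)
    print(triage(counts))
```

A small, steady count that keeps coming back from the same few addresses fits the broken-device case described above; a count near the listen backlog from many addresses does not.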