
Thread: External firewall log shows "syn flood TCP (L to W)"

  1. #1
    riceorony Guest

    External firewall log shows "syn flood TCP (L to W)"

    Hello all,

    I was just curiously checking my external firewall logs and saw a bunch of log entries (~100) showing "syn flood TCP (L to W)", with the source IP being the address assigned by the router to my computer (192.168.167.xxx) on different ports, and the destination being some social website similar to MySpace with the port ending in :443.

    I used ip-lookup.net and found it going to a social-networking site similar to MySpace. My friends sometimes use the computer, obviously for homework, and I allow them to update their pages while browsing in "Private Browsing" in case they stumble upon malicious drive-by downloads. However, I have totally forbidden any downloads of any sort (no file-sharing, etc.).

    The outbound "attacks" stopped (according to the time-logs) after they stopped using the social-website and I cleared virtual data.

    What is happening? Am I bot-infected?

    From what I gather from reading about what a "syn flood" is, it is basically the beginning of a DoS attack (denial of service) whereby your computer sends a Syn packet to another server. The server replies with a Syn-Ack packet to acknowledge receipt of the packet. Yet your computer does not respond with an Ack packet to complete the connection (either maliciously or simply because of a delay in connections).

    The other alternatives I gathered from this is simply the connection was severed/dropped/timed-out prior to this computer sending the Ack packet; thereby the external firewall registered it as being an attack due to the repetitions?

    I was watching them and all web browsing was done using ZA Forcefield in Private Browsing mode (with protection always active).

    ZoneAlarm ISS logs show nothing during the ~30-40 minutes that those events occurred.

    Message Edited by riceorony on 07-22-2008 09:09 AM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: External firewall log shows "syn flood TCP (L to W)"

    If the connections originated from you, then are you saying you were doing the DoS?

    Any ICMP connections at that time and what are they?
    What are the exact Flags all shown?
    Any other details?

    Good chance the signin (https TCP port 443) of the web site was not working and the signin button was repeatedly hit and then got frustrated and finally quit.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    riceorony Guest

    Re: External firewall log shows "syn flood TCP (L to W)"

    Oldsod,

    I was saying that my computer was doing a "Syn Flood" attack, which I guess is the beginning of a DoS attack, which is strange indeed.

    No ICMP connections at the time, no flags shown by Zonealarm ISS or any other security program on my computer. All was functioning well like normal (same boot-up time and shut-down time).

    The only reason I even spotted it is because I randomly check my external firewall.

    I am pretty much liking the explanation you gave on the signin (https TCP port 443), because that is the only feasible answer to the issue. No such problem has ever occurred since (then again I don't let them social-network anymore on my computer after reading about the dangers).

    Thanks for your keen analysis.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: External firewall log shows "syn flood TCP (L to W)"

    Some servers are set up to drop continued syn connection attempts from the same IP. Some are a little touchier than others, for the obvious reasons.
    But usually after a predetermined number of attempts, the server will drop any of the further connection attempts and from then on ignore the IP(s) for a predetermined length of time.
    A little bit of DoS protection for the servers.
    Oldsod.
    Best regards.
    oldsod
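    To make the handshake explanation in post #1 and the per-IP threshold described in post #4 concrete, here is an added example (not code from the thread or from ZoneAlarm) that walks a constructed firewall log in a simplified "time flag src -> dst" format, tracks which SYN -> SYN-ACK -> ACK handshakes were never completed, and tells a cluster of retries against a single HTTPS server apart from half-open SYNs spread across many hosts. The log format, the addresses and the threshold are assumptions for the demo.

```python
import re
from collections import defaultdict
# Constructed sample in a simplified "time flag src -> dst" format, not the poster's real log.
SAMPLE_LOG = """\
08:31:02 SYN     192.168.167.12:50120 -> 203.0.113.10:443
08:31:02 SYN-ACK 203.0.113.10:443 -> 192.168.167.12:50120
08:31:02 ACK     192.168.167.12:50120 -> 203.0.113.10:443
08:31:05 SYN     192.168.167.12:50121 -> 203.0.113.10:443
08:31:05 SYN-ACK 203.0.113.10:443 -> 192.168.167.12:50121
08:31:09 SYN     192.168.167.12:50122 -> 203.0.113.10:443
08:31:09 SYN-ACK 203.0.113.10:443 -> 192.168.167.12:50122
08:31:14 SYN     192.168.167.12:50123 -> 203.0.113.10:443
08:31:14 SYN-ACK 203.0.113.10:443 -> 192.168.167.12:50123
"""
LINE_RE = re.compile(r"^\S+\s+(SYN-ACK|SYN|ACK)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)$")

def half_open_handshakes(log_text):
    """Follow SYN -> SYN-ACK -> ACK per client socket; return handshakes never completed."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> last stage seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flag, sip, sport, dip, dport = m.groups()
        if flag == "SYN":
            state[(sip, sport, dip, dport)] = "SYN"
        elif flag == "SYN-ACK" and state.get((dip, dport, sip, sport)) == "SYN":
            state[(dip, dport, sip, sport)] = "SYN-ACK"   # reply: key in client-first order
        elif flag == "ACK" and state.get((sip, sport, dip, dport)) == "SYN-ACK":
            state[(sip, sport, dip, dport)] = "ESTABLISHED"
    return [k for k, v in state.items() if v != "ESTABLISHED"]

def analyze(log_text, threshold=3):
    """Flag (client, server, port) pairs with >= threshold half-open handshakes and classify them."""
    per_pair, servers = defaultdict(int), defaultdict(set)
    for cip, _, sip, sport in half_open_handshakes(log_text):
        per_pair[(cip, sip, sport)] += 1
        servers[cip].add((sip, sport))
    alerts = []
    for (cip, sip, sport), n in sorted(per_pair.items()):
        if n < threshold:
            continue
        # Repeats against one HTTPS server look like a stalled sign-in being retried; half-open
        # SYNs spread over many servers from the same host is the pattern that warrants a malware check.
        single = sport == "443" and len(servers[cip]) == 1
        verdict = ("retries to one HTTPS server (stalled sign-in, not a bot)" if single
                   else "half-open SYNs to multiple servers (check the host)")
        alerts.append({"client": cip, "server": sip, "port": sport, "half_open": n, "verdict": verdict})
    return alerts
```

With the sample above, the first handshake completes and the next three stall after the SYN-ACK, which is exactly the repeated-sign-in pattern the thread settles on; the same threshold logic is what a server-side rate limiter applies per source IP.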

  5. #5
    federicomilner Guest

    Re: External firewall log shows "syn flood TCP (L to W)"

    Really you need a nice http://gigabitdc.com protection from ddos company that is ready to do traffic filtering to disable a DDoS attack in the event you have one.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: External firewall log shows "syn flood TCP (L to W)"

    FedericoMilner wrote:
    Really you need a nice http://gigabitdc.com protection from ddos company that is ready to do traffic filtering to disable a DDoS attack in the event you have one.

    Kind of geared towards the enterprise market/web sites and not really a home user.
    Easiest method to get rid of ddos attack on a home user (which is very very seldom) is simply change their IP. Once they have a new IP assigned by the provider, they have then become invisible to the attacker(s).

    Oldsod.
    Best regards.
    oldsod
