LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
07-25-2004, 12:24 PM   #1
synaptical (Senior Member; registered Jun 2003; distribution: Mint 13/15, CentOS 6.4; posts: 2,020)
Syn Flood Attack Detect


I got a bunch of messages from my router this morning about a SYN flood attack. The messages look like this:
Code:
Jul/24/2004 21:15:22
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:22
 SMTP: send mail succeed   
Jul/24/2004 21:15:16
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:15
 SMTP: send mail succeed   
Jul/24/2004 21:15:12
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:12
 SMTP: send mail succeed  
Jul/24/2004 21:15:09
etc., about 4x that amount per message, in 12 separate messages.

So what happened? My webserver is running fine and there are no signs of cracking that I can see (log checks, chkrootkit, disk space/memory are fine, etc.). Was it a successful DoS attack that I just didn't notice because I didn't happen to be trying to access the website during the attack?

From what I understand from doing some research this morning, it's almost impossible to defend against a SYN flood attack. I guess it was either random, or maybe some Windows j3rk0ff on a forum where I was advocating Linux decided they were going to "teach me a lesson." Should I cycle my modem and/or router and change the IP? The "packet dropped" seems like it was detected and averted, but I'm unclear about what the "send mail succeed" part means.

thx
 
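To make sense of a router log like the one above from the defender's side, here is an added example (not code from the original post or from the router vendor) that parses the two-line timestamp/event format, counts "SYN Flood Attack Detect" entries per minute, and tallies the "send mail succeed" lines separately on the assumption that they are the router's own notification e-mails. The sample entries and the burst threshold are constructed assumptions, not values from the thread.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the router's two-line format from the thread:
# a timestamp line followed by an indented event line.
SAMPLE_LOG = """\
Jul/24/2004 21:15:22
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:22
 SMTP: send mail succeed
Jul/24/2004 21:15:16
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:12
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:14:58
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:14:58
 SMTP: send mail succeed
"""

def parse_events(text):
    """Pair each timestamp line with the event line after it; returns
    (datetime, event) tuples oldest first. A line that is not a timestamp
    where one is expected is skipped so a torn log does not desync parsing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i + 1 < len(lines):
        try:
            ts = datetime.strptime(lines[i], "%b/%d/%Y %H:%M:%S")
        except ValueError:
            i += 1
            continue
        events.append((ts, lines[i + 1]))
        i += 2
    return sorted(events, key=lambda e: e[0])

def syn_flood_summary(text, burst_threshold=3):
    """Count SYN-flood detections per minute and flag minutes at or above
    burst_threshold (an assumed, tunable value, not a router setting).
    'send mail succeed' lines are counted as alert e-mails the router sent."""
    per_minute, mails = Counter(), 0
    for ts, event in parse_events(text):
        if event.startswith("SYN Flood Attack Detect"):
            per_minute[ts.strftime("%Y-%m-%d %H:%M")] += 1
        elif event.startswith("SMTP: send mail succeed"):
            mails += 1
    bursts = {m: n for m, n in per_minute.items() if n >= burst_threshold}
    return {"detections": sum(per_minute.values()), "mails": mails,
            "per_minute": dict(per_minute), "bursts": bursts}
```

Run `syn_flood_summary(open("router.log").read())` against a saved copy of the e-mails to see whether the detections cluster into a short burst (consistent with a flood or a port sweep) or trickle in over hours.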
07-25-2004, 01:31 PM   #2
Pcghost (Senior Member; registered Feb 2003; location: The Real Washington; distribution: Ubuntu, Debian, SuSE, UnSlung, Android; posts: 1,819)
The "Send mail succeeded" is likely the router's programmed response to attack detection. Check the documentation for the router to direct the email at an actual address, if you have not already done so.

It wouldn't hurt to reset your router and obtain a new IP. It may also be a false positive, caused by a sweeping port scan or something similar.

Last edited by Pcghost; 07-25-2004 at 01:32 PM.
 
07-25-2004, 01:48 PM   #3
SciYro (Senior Member; registered Oct 2003; location: hopefully not here; distribution: Gentoo; posts: 2,038)
As I recall, SYN floods can be minimized by a kernel option, "SYN cookies", if I remember right.