Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 07-25-2004, 12:24 PM   #1
Senior Member
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020

Rep: Reputation: 47
Syn Flood Attack Detect

i got a bunch of messages from my router this morning about a syn flood attack. the messages look like this:
Jul/24/2004 21:15:22
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:22
 SMTP: send mail succeed   
Jul/24/2004 21:15:16
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:15
 SMTP: send mail succeed   
Jul/24/2004 21:15:12
 SYN Flood Attack Detect   Packet Dropped
Jul/24/2004 21:15:12
 SMTP: send mail succeed  
Jul/24/2004 21:15:09
etc., about 4x that amount per message, in 12 separate messages.

so what happened? my webserver is running fine and there are no signs of cracking that i can see (log checks, chkrootkit, disk space/memory are fine, etc.) was it a successful DoS attack that i just didn't notice because i didn't happen to be trying to access the website during the attack?

from what i understand doing some research this morning, it's almost impossible to defend against a syn flood attack. i guess it was either random, or maybe some windows j3rk0ff on a forum where i was advocating linux deciding they were going to "teach me a lesson." should i cycle my modem and/or router and change the IP? the packet dropped seems like it was detected and averted, but i'm unclear about what the "send mail succeed" part means.

Old 07-25-2004, 01:31 PM   #2
Senior Member
Registered: Feb 2003
Location: The Real Washington
Distribution: Debian, Android
Posts: 1,819

Rep: Reputation: 46
The "Send mail succeeded" is likely the routers programmed response to attack detection. Check the documentation for the router to direct the email at an actual address, if you have not already done so.

It wouldn't hurt to reset your router and obtain a new ip. It may also be a false positive, caused by a sweeping port scan or something similar.

Last edited by Pcghost; 07-25-2004 at 01:32 PM.
Old 07-25-2004, 01:48 PM   #3
Senior Member
Registered: Oct 2003
Location: hopefully not here
Distribution: Gentoo
Posts: 2,038

Rep: Reputation: 51
as i recall syn floods can be minimized by a kernel option "sync cookies" if i remember right


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
"syn flood attack" How do I investigate this? oily_rags SUSE / openSUSE 2 04-28-2005 09:29 PM
SYN flood 98steve600 Linux - General 1 03-28-2005 03:27 AM
SYN flood with Game Empowerer Linux - Networking 3 07-25-2004 04:36 PM
protection from SYN flood attacks chenkoforever Linux - Security 4 06-22-2004 05:38 PM
Can't SYN Flood a Linux jveron23 Linux - Security 3 10-06-2003 11:27 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:28 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration