SYN flood

SYN flood

Post by Robert Montgomer » Sat, 12 Jun 1999 04:00:00



Can someone quickly explain SYN Flood messages?
I've randomly seen these types of messages in the past:

 kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.

What is my Danish friend doing here? The 111 port is (I think)
reserved for NFS/NIS service, so is this some type of vulnerability
scan? Are there any security steps to take for this?

Thanks,
Rob
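What the "Sending cookies" part of that message means, as an added illustration that is not from the thread or from the Linux kernel source: once the listen queue for a port has filled with half-open connections, a kernel with SYN cookies enabled stops keeping state for new SYNs and instead encodes what it needs (a coarse counter and the client's MSS) into the initial sequence number of its SYN-ACK, under a keyed hash of the connection 4-tuple. An honest client echoes that number plus one in its final ACK, so the connection can be rebuilt from the ACK alone; a spoofed SYN never produces a valid ACK and costs the server no memory. The model below uses a simplified Bernstein-style layout with a made-up secret, a four-entry MSS table and a four-tick validity window; those values, the `Listener` class and `simulate_flood` are assumptions of the example, not kernel code.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# Assumptions for this model, not kernel values: a fixed secret (a kernel picks
# random ones), a four-entry MSS menu, a counter ticking once per "minute" and
# a cookie that stays valid for four ticks.
SECRET = b"constructed-secret-for-the-example"
MSS_TABLE = (536, 1460, 4312, 8960)
COOKIE_MAX_AGE = 4
MASK32 = 0xFFFFFFFF


def _keyed_hash(saddr, daddr, sport, dport, count):
    """32-bit keyed hash over the connection 4-tuple and an 8-bit counter."""
    msg = struct.pack("!4s4sHHB", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, count & 0xFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    return max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN = client ISN + H1 + (counter << 24) + (H2(counter) + MSS index) mod 2^24."""
    h1 = _keyed_hash(saddr, daddr, sport, dport, 0)
    h2 = _keyed_hash(saddr, daddr, sport, dport, count)
    low24 = (h2 + mss_index(mss)) & 0xFFFFFF
    return (client_isn + h1 + ((count & 0xFF) << 24) + low24) & MASK32


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate a final ACK (seq = client ISN + 1, ack = our ISN + 1).
    Returns the MSS recovered from the cookie, or None if stale or forged."""
    client_isn = (seq - 1) & MASK32
    diff = ((ack - 1) - client_isn - _keyed_hash(saddr, daddr, sport, dport, 0)) & MASK32
    count = diff >> 24
    if ((now & 0xFF) - count) & 0xFF > COOKIE_MAX_AGE:
        return None  # counter too old, or a forgery that decoded to garbage
    h2 = _keyed_hash(saddr, daddr, sport, dport, count)
    idx = ((diff & 0xFFFFFF) - h2) & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None  # hash mismatch: this ACK was not built from our SYN-ACK
    return MSS_TABLE[idx]


class Listener:
    """Listening socket with a bounded queue of half-open connections."""

    def __init__(self, addr, port, backlog, syn_cookies=True):
        self.addr, self.port, self.backlog = addr, port, backlog
        self.syn_cookies, self.clock, self.warned = syn_cookies, 0, False
        self.half_open = {}  # (saddr, sport) -> (client_isn, server_isn)

    def on_syn(self, saddr, sport, client_isn, mss):
        """Return the SYN-ACK sequence number, or None if the SYN is dropped."""
        if len(self.half_open) < self.backlog:
            server_isn = secrets.randbits(32)
            self.half_open[(saddr, sport)] = (client_isn, server_isn)
            return server_isn
        if not self.syn_cookies:
            return None  # queue full and no cookies: new clients are locked out
        if not self.warned:  # the line the original post found in its logs
            self.warned = True
            print(f"kernel: Warning: possible SYN flood from {saddr} on "
                  f"{self.addr}:{self.port}. Sending cookies.")
        return make_syn_cookie(saddr, self.addr, sport, self.port, client_isn, mss, self.clock)

    def on_ack(self, saddr, sport, seq, ack):
        """Complete the handshake from queue state or from a valid cookie."""
        key = (saddr, sport)
        if key in self.half_open:
            client_isn, server_isn = self.half_open[key]
            if seq != ((client_isn + 1) & MASK32) or ack != ((server_isn + 1) & MASK32):
                return False
            del self.half_open[key]
            return True
        return check_syn_cookie(saddr, self.addr, sport, self.port, seq, ack, self.clock) is not None


def simulate_flood(syn_cookies, spoofed_syns=10_000, backlog=128):
    """Flood a port-111 listener with spoofed SYNs whose ACKs never come, then let
    one honest client connect. Returns (half-open entries held, honest client connected)."""
    srv = Listener("24.66.194.248", 111, backlog, syn_cookies)
    for i in range(spoofed_syns):  # constructed spoofed sources in 10.0.0.0/8
        srv.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 1024 + i % 60000, i, 1460)
    client_isn = 12345
    syn_ack_seq = srv.on_syn("192.0.2.10", 40000, client_isn, 1460)
    if syn_ack_seq is None:
        return len(srv.half_open), False
    return len(srv.half_open), srv.on_ack("192.0.2.10", 40000, client_isn + 1, (syn_ack_seq + 1) & MASK32)


if __name__ == "__main__":
    print("with cookies:   ", simulate_flood(True))   # (128, True)
    print("without cookies:", simulate_flood(False))  # (128, False)
```

Run it and the queue stays at its 128-entry limit either way; the difference is that with cookies the honest client still gets in, while without them its SYN is dropped. The counter in the top byte is what limits replay of a captured cookie, and the keyed hash is what stops an attacker from fabricating ACKs without ever seeing a SYN-ACK; the cost of the scheme is that TCP options not encoded in the cookie (here everything but MSS) are lost for cookie-built connections.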


SYN flood

Post by David Mean » Sat, 12 Jun 1999 04:00:00



> Can someone quickly explain SYN Flood messages?
> I've randomly seen these types of messages in the past:

>  kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.

> What is my Danish friend doing here? The 111 port is (I think)
> reserved for NFS/NIS service, so is this some type of vulnerability
> scan? Are there any security steps to take for this?

  Whatever the reason for this flood (probably to see if they can take
advantage of some (old) bugs in portmap), you can effectively kill it
by rejecting packets that arrive on your external interface for port 111.
(I assume that you only want NFS/NIS traffic to flow internally, and that
you have at least two interfaces on this box.)


SYN flood

Post by Robert Montgomer » Sun, 13 Jun 1999 04:00:00





> > Can someone quickly explain SYN Flood messages?
> > I've randomly seen these types of messages in the past:

> >  kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.

> > What is my Danish friend doing here? The 111 port is (I think)
> > reserved for NFS/NIS service, so is this some type of vulnerability
> > scan? Are there any security steps to take for this?
>   Whatever the reason for this flood (probably to see if they can take
> advantage of some (old) bugs in portmap), you can effectively kill it
> by rejecting packets that arrive on your external interface for port 111.
> (I assume that you only want NFS/NIS traffic to flow internally, and that
> you have at least two interfaces on this box.)

Actually, I don't even run NFS or NIS and I only have the one
interface. How does one reject externally arriving packets on
a particular port? If I can do that, I guess I would reject packets
on all ports except maybe these:

ftp = 20, 21
ssh = 22
telnet  = 23
smtp = 25
dhcpc = 67
pop = 109,110
nntp = 119

Wouldn't that be a good idea?

Thanks,
Rob


SYN flood

Post by Mike Dowli » Mon, 14 Jun 1999 04:00:00



>  Whatever the reason for this flood (probably to see if they can take
>advantage of some (old) bugs in portmap, you can effectively kill it
>by rejecting packets that arrive on your external interface for port 111.

Does anybody know which version of portmap is safe?

Cheers,
  Mike Dowling

--

It is, in fact, a sendmail alias; the digit 'N' is incremented regularly.
Spammed aliases will be deleted.  Currently, mike[5,7-9,12,13,16] have been
deleted.  If email to mikeN bounces, try mikeN+1.


SYN flood

Post by Bob Kematic » Mon, 14 Jun 1999 04:00:00



> Actually, I dont even run NFS or NIS and I only have the one
> interface.   How does one reject externally arriving packets on
> a particular port?

ipfwadm (2.0.x kernels) or ipchains (2.2.x kernels)
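A small triage script for messages like the one quoted at the top of the thread, added here as an example that is not from the thread: it parses the kernel warnings out of a syslog file, groups them by source, tells a repeated flood of one port from a quick sweep across several (the original question of whether this is a scan), lists the targeted ports the host does not actually serve, and renders the ipchains rules this answer points at for the 2.2.x kernels of the time. Port 111 is the RPC portmapper, which NFS and NIS register with, so a host that runs neither has no reason to expose it. The log sample, the hostname `gw`, the served-port list and the ipchains syntax (written from memory of ipchains(8); check it against your own man page) are assumptions of the example.

```python
import re

# Constructed sample of the messages the original post quotes, with the syslog
# prefix they would carry in /var/log/messages (the kernel writes each as one
# line; the copy in the post was only wrapped by the newsreader).
SAMPLE_LOG = """\
Jun 11 22:14:03 gw kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.
Jun 11 22:14:07 gw kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.
Jun 11 22:15:02 gw kernel: Warning: possible SYN flood from 129.142.16.3 on 24.66.194.248:111. Sending cookies.
Jun 11 23:31:40 gw kernel: Warning: possible SYN flood from 198.51.100.7 on 24.66.194.248:21. Sending cookies.
Jun 11 23:31:41 gw kernel: Warning: possible SYN flood from 198.51.100.7 on 24.66.194.248:23. Sending cookies.
Jun 11 23:31:41 gw kernel: Warning: possible SYN flood from 198.51.100.7 on 24.66.194.248:111. Sending cookies.
Jun 11 23:31:42 gw kernel: Warning: possible SYN flood from 198.51.100.7 on 24.66.194.248:2049. Sending cookies.
Jun 11 23:40:00 gw kernel: eth0: link up
"""

SYN_FLOOD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Warning: possible SYN flood "
    r"from (?P<src>[\d.]+) on (?P<dst>[\d.]+):(?P<port>\d+)\. Sending cookies\.$"
)


def parse_syn_flood_warnings(text):
    """Yield (timestamp, source, destination, port) for each matching line."""
    for line in text.splitlines():
        m = SYN_FLOOD_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], int(m["port"])


def summarize(text):
    """Per source address: number of warnings, ports hit, first and last time.
    Each warning marks a moment the port's listen queue overflowed and cookies
    took over, so the count reflects overflow events, not SYN packets."""
    out = {}
    for ts, src, _dst, port in parse_syn_flood_warnings(text):
        e = out.setdefault(src, {"events": 0, "ports": set(), "first": ts, "last": ts})
        e["events"] += 1
        e["ports"].add(port)
        e["last"] = ts
    return out


def classify(entry):
    """One port hammered repeatedly looks like a flood (or an exploit attempt on
    that service); several ports within seconds looks like a probe."""
    return "multi-port probe" if len(entry["ports"]) > 1 else "single-port flood"


def ports_to_filter(summary, served_ports):
    """Targeted ports that this host does not intend to serve externally."""
    hit = set()
    for entry in summary.values():
        hit |= entry["ports"]
    return sorted(hit - set(served_ports))


def ipchains_deny_rules(ports, iface="eth0", addr="24.66.194.248"):
    """Render 2.2-era ipchains rules dropping incoming SYNs to each port on the
    external interface. Syntax recalled from ipchains(8): -y matches SYN-only
    segments and -d takes 'address port'. Verify against your own man page."""
    return [f"ipchains -A input -i {iface} -p tcp -y -d {addr} {p} -j DENY" for p in ports]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, entry in s.items():
        print(f"{src}: {entry['events']} overflow warnings on ports {sorted(entry['ports'])} "
              f"({entry['first']} .. {entry['last']}): {classify(entry)}")
    served = [20, 21, 22, 23, 25, 110, 119]  # assumption: what this host really offers
    for rule in ipchains_deny_rules(ports_to_filter(s, served)):
        print(rule)
```

On the sample, the first source hits only port 111 three times over a minute (a flood or a portmap exploit attempt), while the second walks 21, 23, 111 and 2049 within two seconds (a probe); the host serves neither 111 nor 2049, so those are the two ports the rules block. Dropping SYNs at the interface is cheap because the kernel never has to allocate a queue entry or a cookie for them; an allowlist of only the ports you serve, as the reply above proposed, achieves the same for every port you never intended to expose.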

Sendmail's resistance to SYN Flood using SYN filter?

I've recently installed Alan Cox's TCP patch for Linux (AKA SYN Bomb
filter), and I've increased the listen queue (in daemon.c, ListenQueueSize)
to 512, per the patch's instructions.  (As an aside, the patch is really
impressive.)

Anyway, inetd and (Apache) httpd are highly resistant to a SYN flood
now, but sendmail seems a bit picky: during a flood attack, sendmail
will refuse the connection for four or five attempts before I can get
through. (inetd and httpd allow connections on the first try, almost 100%
of the time.)

Has anyone else experienced this, or are there some other parameters that
I could try tuning?

--

  Greg       http://world.std.com/~loki       | 0B 65 E0 58 F3 F9 81 F5 |
              Interested in Jai-Alai?         | F0 72 75 FA 1E BD C9 66 |
