syn flood, tcpdump readings

David DeSimone fox at
Thu Aug 7 17:32:33 UTC 2008


Tom Huppi <tomh at> wrote:
> Anyway, I am getting what I believe to be syn floods
> periodically.  They dwarf my production traffic and sometimes
> get close to producing as much bandwidth as we are paying for.  A
> representative sample looks like so when viewed with tcpdump on
> my outward interface ('em1'):
> 21:36:53.870312 IP > S 27394048:27394048(0) win 16384
> 21:36:53.870319 IP > S 1793916928:1793916928(0) win 16384

Since you went to the trouble of obscuring the source IP, I presume that
the source IP is your IP.  So, these look like responses, i.e. outbound
traffic, not inbound, since they are sourced from your IP.  You can use
tcpdump's -e flag to be sure who is sending and who is receiving.

-- 
David DeSimone == Network Admin == fox at
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
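As an added illustration of the check suggested above (this is not code from either poster), the script below parses tcpdump -e output, uses the source MAC address to decide whether each bare SYN was emitted by the local interface or arrived on it, and counts them per source IP. The interface MAC and the capture lines are constructed assumptions, not data from the thread.

```python
import re
from collections import Counter
# One tcpdump -e line: Ethernet addresses, then the IPv4/TCP summary. The "IP"
# token is optional (tcpdump omits it with -e) and both the old "S 1:1(0)" and
# the newer "Flags [S]" TCP flag styles are accepted.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype IPv4 \(0x0800\), "
    r"length \d+: (?:IP )?(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"(?:Flags \[(?P<fnew>[^\]]*)\]|(?P<fold>[SFRPUEW.]+))(?P<rest>.*)$"
)
# Assumed MAC of the outward interface (em1); take it from ifconfig in practice.
LOCAL_MAC = "00:11:22:33:44:55"
# Constructed sample capture (not from the thread): two outbound SYNs from the
# host itself, two inbound SYNs from other hosts, one outbound SYN-ACK reply.
SAMPLE = """\
21:36:53.870312 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.10.1025 > 203.0.113.7.80: S 27394048:27394048(0) win 16384
21:36:53.870319 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.10.1026 > 203.0.113.7.80: S 1793916928:1793916928(0) win 16384
21:36:53.870401 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 60: 192.0.2.44.4000 > 198.51.100.10.80: S 1:1(0) win 512
21:36:53.870455 00:aa:bb:cc:dd:ee > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.45.4001 > 198.51.100.10.80: Flags [S], seq 5, win 512
21:36:53.870470 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.10.80 > 192.0.2.44.4000: S 9:9(0) ack 2 win 65535
""".splitlines()

def parse_line(line):
    """Return the fields of one tcpdump -e line, or None if it is not IPv4/TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = m.group("fnew") if m.group("fnew") is not None else m.group("fold")
    return {"smac": m.group("smac").lower(), "src": m.group("src"),
            "dst": m.group("dst"), "flags": flags, "rest": m.group("rest")}

def is_bare_syn(pkt):
    """SYN set, ACK clear: a connection attempt rather than a SYN-ACK reply.
    Newer output marks ACK with '.', older output prints 'ack N' after the flags."""
    return "S" in pkt["flags"] and "." not in pkt["flags"] and " ack " not in pkt["rest"]

def classify_syns(lines, local_mac):
    """Count bare SYNs per source IP, split by direction using the source MAC:
    frames emitted by our own interface are outbound, everything else inbound."""
    counts = {"outbound": Counter(), "inbound": Counter()}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or not is_bare_syn(pkt):
            continue
        direction = "outbound" if pkt["smac"] == local_mac.lower() else "inbound"
        counts[direction][pkt["src"]] += 1
    return counts
```

Feed it the output of `tcpdump -e -n -i em1 'tcp[tcpflags] & tcp-syn != 0'`; a large outbound count keyed to your own address means the host is originating the SYNs rather than receiving a flood.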
More information about the freebsd-pf mailing list