syn flood, tcpdump readings

David DeSimone fox at verio.net
Thu Aug 7 17:32:33 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Huppi <tomh at huppi.com> wrote:
>
> Anyway, I am getting what I believe to be syn floods
> periodically.  They dwarf my production traffic and sometimes
> get close to producing as much bandwidth as we are paying for.  A
> representative sample looks like so when viewed with tcpdump on
> my outward interface ('em1'):
> 
> 21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
> 21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384

Since you went to the trouble of obscuring the source IP, I presume that
the source IP is your IP.  So, these look like responses, i.e. outbound
traffic, not inbound, since they are sourced from your IP.  You can use
tcpdump's -e flag to be sure who is sending and who is receiving.

- -- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFImzGpFSrKRjX5eCoRAmQWAJ42P3j3LgD9gE5aqIs+A9ytFAzUgACeLU1g
0F9BDmubpLI37Bz/OKW420Y=
=Nm7c
-----END PGP SIGNATURE-----
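The direction question raised above (which address is sending and which is receiving) and the SYN-per-source counting that a flood investigation usually starts with can both be scripted over the saved tcpdump text. The following is an added example, not code from either poster: it parses the classic single-line tcpdump TCP format quoted in the thread, classifies each packet as inbound or outbound from the IP header alone, and counts pure SYNs (flag `S` without the `.` ack marker) per source. The local prefix `74.123.192.0/24`, the extra sample lines beyond the two quoted ones, and the threshold of 3 are assumptions constructed for the example; `-e` output (MAC addresses) is not parsed here, so the script cannot settle the direction question where both ends look local.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Classic tcpdump TCP line layout, as quoted in the thread:
#   21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
# The port field may be numeric or a service name (x11, domain).
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): "
    r"(?P<flags>[SFRPW.]+) "
)

# Assumption for the example: the 74.123.192.0/24 block is "ours".
LOCAL_NETS = [ip_network("74.123.192.0/24")]

# Constructed sample: the two lines quoted in the thread plus invented follow-ups
# (a SYN-ACK from one of the DNS servers, more SYNs from the same source, and an
# unrelated ACK-only segment to a made-up client address).
SAMPLE = """\
21:36:53.870312 IP 125.21.176.19.x11 > 74.123.192.195.domain: S 27394048:27394048(0) win 16384
21:36:53.870319 IP 125.21.176.19.x11 > 74.123.192.204.domain: S 1793916928:1793916928(0) win 16384
21:36:53.870402 IP 74.123.192.195.domain > 125.21.176.19.x11: S. 3489231:3489231(0) ack 27394049 win 65535
21:36:53.870511 IP 125.21.176.19.x11 > 74.123.192.201.domain: S 99:99(0) win 16384
21:36:53.870588 IP 125.21.176.19.x11 > 74.123.192.202.domain: S 1000:1000(0) win 16384
21:36:54.001200 IP 74.123.192.195.domain > 10.0.0.5.53021: . ack 1 win 65535
""".splitlines()


def parse_line(line):
    """Return the fields we need as a dict, or None if this is not a TCP line."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return m.groupdict()


def direction(pkt, local_nets):
    """Classify a packet by which end is in our address space (IP header only)."""
    src_local = any(ip_address(pkt["src"]) in n for n in local_nets)
    dst_local = any(ip_address(pkt["dst"]) in n for n in local_nets)
    if src_local and not dst_local:
        return "outbound"
    if dst_local and not src_local:
        return "inbound"
    # Both ends local, or neither: the IP header cannot decide; use tcpdump -e.
    return "undetermined"


def syn_summary(lines, local_nets, threshold):
    """Count pure SYNs per source and per direction; list sources at/over threshold."""
    per_src = Counter()
    by_dir = Counter()
    for line in lines:
        pkt = parse_line(line)
        # "S" is a bare SYN; "S." is a SYN-ACK and is a reply, not an attempt.
        if pkt is None or pkt["flags"] != "S":
            continue
        per_src[pkt["src"]] += 1
        by_dir[direction(pkt, local_nets)] += 1
    suspects = sorted(src for src, n in per_src.items() if n >= threshold)
    return per_src, by_dir, suspects


if __name__ == "__main__":
    per_src, by_dir, suspects = syn_summary(SAMPLE, LOCAL_NETS, threshold=3)
    print("pure SYNs per source:", dict(per_src))
    print("pure SYNs by direction:", dict(by_dir))
    print("sources at or over threshold:", suspects)
```

On a real capture the threshold would be set per time window rather than over the whole file, and the `undetermined` bucket is exactly where the `-e` flag from the reply earns its keep: the link-layer addresses show which MAC handed the frame to the interface, which the IP header cannot.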




More information about the freebsd-pf mailing list