syn flood, tcpdump readings

Tom Huppi tomh at
Thu Aug 7 18:00:56 UTC 2008

On 12:32 Thu 07 Aug     , David DeSimone wrote:
> Hash: SHA1
> Tom Huppi <tomh at> wrote:
> >
> > Anyway, I am getting what I believe to be syn floods
> > periodically.  They dwarf my production traffic and sometimes
> > get close to producing as much bandwith as we are paying for.  A
> > representative sample looks like so when viewed with tcpdump on
> > my outward interface ('em1'):
> > 
> > 21:36:53.870312 IP > S 27394048:27394048(0) win 16384
> > 21:36:53.870319 IP > S 1793916928:1793916928(0) win 16384
> Since you went to the trouble of obscuring the source IP, I presume that
> the source IP is your IP.  So, these look like responses, i.e. outbound
> traffic, not inbound, since they are sourced from your IP.  You can use
> tcpdump's -e flag to be sure who is sending and who is receiving.

I obscured my own IP range which is the 74.nnn.nnn. one and it
is a /24.  Interestingly most of the IP's on my side are ones
where I have no host.

The reason why is that I figured that if I myself were a
semi-sophisticated cracker, I would look for targets of
opertunity on the various mailing lists where one could identify
both networks administered by newbie/part-time personel, and
often a fair amount about the configuration of said :)

The IP '' is exactly as it appeared on my tcpdump.
It shows as a telcom company in India in this case...usually
it's some network company or another in China.

My network looks like so:

                                -------------  em0  <---> internal range
  Network Provider  <----> em1 | pf firewall |
  (Internap)                    -------------  bce1 <---> dmz range

I took the tcpdump output to indicate that Syn packets showing an Indian Origin were showing up addressed to (mainly non-existant) IP addresses within my /24 network.

I'll look at 'tcpdump -e'.  Thanks for the hint!

 - Tom

> - -- 
> David DeSimone == Network Admin == fox at
>   "I don't like spinach, and I'm glad I don't, because if I
>    liked it I'd eat it, and I just hate it." -- Clarence Darrow
> Version: GnuPG v1.4.1 (GNU/Linux)
> iD8DBQFImzGpFSrKRjX5eCoRAmQWAJ42P3j3LgD9gE5aqIs+A9ytFAzUgACeLU1g
> 0F9BDmubpLI37Bz/OKW420Y=
> =Nm7c
> This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free.  Thank you.
> _______________________________________________
> freebsd-pf at mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at"


More information about the freebsd-pf mailing list