NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA


Re: Common Firewall False Positives

Here's another great false positive example:

g) Source of probes is *Victim* of Spoofed DoS Attack

One or more attackers Syn-flood a victim web site, sending each TCP connect request with a different randomly spoofed IP address. The victim host sends a response (SYN/ACK) back to each of the spoofed IPs. If the DoS attack is over a long period of time, potentially millions of spoofed IPs may be sent a response packet. Users running firewalls on any of these IPs will log this response packet as a probe.

mNW 2542636 - livejournal.com DoS Attack

I spoke to the owner of the web site above and he confirmed that he indeed has been under a DoS attack in the last day or so.

The link above doesn't show it, but all these "probes" had a *source* TCP port = 80...showing these were really response packets from the web server. Also notice that the 4 sensors that picked up this activity all got hit within a VERY short time-frame (2.5 hours). That tells me that whoever was launching this DoS attack must have been generating a boatload of connect attempts at an extremely high rate!
--
Lawrence Baldwin
»www.myNetWatchman.com
Automatic Port Scan Reporting
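As an added illustration of the false positive described in this post (not code from the original thread or from myNetWatchman), here is a Python classifier that tags firewall drops as backscatter when they are SYN/ACKs from a service port to an ephemeral port, and reports per source how many sensors saw them and over what time span. The log format, sensor names and RFC 5737 addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample firewall log lines (not from the original post); the
# syslog-like format and the RFC 5737 addresses are assumptions.
SAMPLE_LOG = """\
2001-06-01 04:10:22 sensorA DROP TCP 198.51.100.10:80 -> 10.1.1.5:3311 flags=SA
2001-06-01 04:12:07 sensorB DROP TCP 198.51.100.10:80 -> 10.2.2.9:4120 flags=SA
2001-06-01 05:30:41 sensorC DROP TCP 198.51.100.10:80 -> 10.3.3.3:1999 flags=SA
2001-06-01 06:35:10 sensorD DROP TCP 198.51.100.10:80 -> 10.4.4.4:2222 flags=SA
2001-06-01 04:11:00 sensorA DROP TCP 203.0.113.7:41234 -> 10.1.1.5:80 flags=S
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<sensor>\S+) DROP TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>\S+)")
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}  # ports a server answers from

def parse(log_text):
    """Yield one dict per well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def classify(e):
    """SYN/ACK from a service port to an ephemeral port answers a SYN we never
    sent: backscatter from a spoofed flood on the *source*, not a probe."""
    flags = set(e["flags"])
    if {"S", "A"} <= flags and e["sport"] in SERVICE_PORTS and e["dport"] > 1023:
        return "backscatter"
    return "probe" if flags == {"S"} else "other"

def summarize(log_text):
    """Per source IP: hits by class, distinct sensors, and hours spanned."""
    out = defaultdict(lambda: {"backscatter": 0, "probe": 0, "other": 0,
                               "sensors": set(), "times": []})
    for e in parse(log_text):
        s = out[e["src"]]
        s[classify(e)] += 1
        s["sensors"].add(e["sensor"])
        s["times"].append(e["ts"])
    for s in out.values():
        s["sensors"] = len(s["sensors"])
        s["span_hours"] = (max(s["times"]) - min(s["times"])).total_seconds() / 3600
    return dict(out)
```

A source that shows many backscatter hits across several sensors in a short span, as in the sample, is a flooded server rather than a scanner, so it should not be reported as a probe origin.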

Friday, 01-Jun 06:52:08 © 1999-2012 dslreports.com.