NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

Re: Common Firewall False Positives

Here's another great false positive example:

g) Source of probes is *Victim* of Spoofed DoS Attack

One or more attackers Syn-flood a victim web site, sending each TCP connect request with a different randomly spoofed IP address. The victim host sends a response (SYN/ACK) back to each of the spoofed IPs. If the DoS attack is over a long period of time, potentially millions of spoofed IPs may be sent a response packet. Users running firewalls on any of these IPs will log this response packet as a probe.

mNW 2542636 - livejournal.com DoS Attack

I spoke to the owner of the web site above and he confirmed that he indeed has been under DoS attack in the last day or so.

The link above doesn't show it, but all these "probes" had a *source* TCP port = 80...showing these were really response packets from the web server. Also notice that the 4 sensors that picked up this activity all got hit within a VERY short time-frame (2.5 hours). That tells me that whoever was launching this DoS attack must have been generating a boatload of connect attempts at an extremely high rate!
--
Lawrence Baldwin
»www.myNetWatchman.com
Automatic Port Scan Reporting
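
The triage described in the post above, as an added example that is not part of the original post or of myNetWatchman's code: it separates SYN/ACK replies arriving from a service port at several sensors in a short span (backscatter) from bare SYN probes. The log format, addresses, port set and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): time, sensor, src_ip, src_port, dst_port, TCP flags.
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation address ranges.
SAMPLE_LOG = """\
2001-07-01T10:00:05 sensor-a 192.0.2.80 80 31337 SA
2001-07-01T10:41:12 sensor-b 192.0.2.80 80 4021 SA
2001-07-01T11:15:44 sensor-c 192.0.2.80 80 1822 SA
2001-07-01T12:20:30 sensor-d 192.0.2.80 80 60211 SA
2001-07-01T10:05:00 sensor-a 198.51.100.7 3402 139 S
2001-07-01T10:05:01 sensor-a 198.51.100.7 3403 445 S
2001-07-01T13:00:00 sensor-b 203.0.113.9 80 2200 SA
"""

SERVICE_PORTS = {25, 80, 443}  # assumed set of ports a flooded server would answer from

def parse(text):
    for line in text.splitlines():
        ts, sensor, src, sport, dport, flags = line.split()
        yield datetime.fromisoformat(ts), sensor, src, int(sport), int(dport), set(flags)

def classify(text, min_sensors=3, window=timedelta(hours=3)):
    """Return {src_ip: label}, separating backscatter from real probes."""
    replies = defaultdict(list)   # src_ip -> [(time, sensor)] for SYN/ACK from a service port
    labels = {}
    for ts, sensor, src, sport, dport, flags in parse(text):
        if flags == {"S", "A"} and sport in SERVICE_PORTS:
            replies[src].append((ts, sensor))
        elif flags == {"S"}:
            labels[src] = "probe"  # a bare SYN is a connection attempt aimed at us
    for src, hits in replies.items():
        hits.sort()
        sensors = {s for _, s in hits}
        span = hits[-1][0] - hits[0][0]
        # Many unrelated sensors receiving replies from one server in a short span
        # matches a spoofed SYN flood against that server.
        if len(sensors) >= min_sensors and span <= window:
            labels[src] = "backscatter: likely DoS victim"
        else:
            labels.setdefault(src, "unsolicited reply: inconclusive")
    return labels

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(ip, "->", label)
```

A single sensor cannot make this call from one SYN/ACK; the label depends on correlating reports across sensors, as the post does with its four.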
over 10 years online! © 1999-2009 dslreports.com.