republican-creole
Search:  

 
theme to black backgroundlet page decide theme
HomeFind ServiceReviewsISP NewsFAQsForumsToolsDatabaseAbout 
 
   All ForumsHot TopicsGallery






how-to block ads


 
Forums » Up and Running » Security » Security » Common Firewall False Positives
Search Topic:
 Share Topic:
RSS topic:
toggle:
flat / full
normal / watch
Posting:
Post a:
Post a:
Links: ·Hijack This logs? ·Panda Free Tools ·Vundo Removal
NTFS problam »
« Security Focus MS newsletter  
AuthorAll Replies


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to NetWatchMan
Re: Common Firewall False Positives

Here's another great false positive example:

g) Source of probes is *Victim* of Spoofed DoS Attack

One or more attackers Syn-flood a victim web site, sending each TCP connect request with a different randomly spoofed IP address. The victim host sends a response (SYN/ACK) back to each of the spoofed IPs. If the DoS attack is over a long period of time, potentially millions of spoofed IPs may be sent a response packet. Users running firewalls on any of these IPs will log this response packet as a probe.

mNW 2542636 - livejournal.com DoS Attack

I spoke to the owner of the web site above and he confirmed that he indeed was has been under DoS attack in the last day or so.

The link above doesn't show it, but all these "probes" had a *source* TCP port = 80...showing these these were really response packets from the web server. Also notice, that the 4 sensors that picked up this activity all got hit within a VERY short time-frame (2.5 hours). That tells me that whoever was launching this DoS attack must have been generating a boat load of connect attempts at an extremely high rate!
--
Lawrence Baldwin
»www.myNetWatchman.com
Automatic Port Scan Reporting
to forum · permalink · · 2002-01-08 18:32:14 · Reply to this
Forums » Up and Running » Security » SecurityNTFS problam »
« Security Focus MS newsletter  

Wednesday, 02-Dec 11:03:33 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.
page compression OFF
Most commented news this week
· [159] Comcast Releasing Promised Usage Meter
· [70] Latest Consumer Reports Survey Not Kind To AT&T
· [69] Baltimore To Ban Lazy Cable Installs
· [60] Broadband Killed The Game Console
· [52] Rogers Unveils The ISP Dream Model
· [45] ACTA: Global Three Strikes
· [41] Rural Carriers Quickly Embracing Fiber
· [35] Charter Exits Chapter 11
· [33] AT&T Top Lobbyist Cicconi Has His Feelings Hurt
· [33] Graduate Student Unveils Sprint's GPS Sharing With Feds
Most people now reading
· Am I the only one that loves to work in IT? [No, I Will Not Fix Your #@$!! Computer]
· So I found a gold mine... [World of Warcraft]
· Data Usage Meter Launched [Comcast HSI]
· A little freaky, not sure if its legit. [Spam, Scam and Phishbusters]
· IMG 1.7 (IMG Updates and Discussion) [Verizon FIOS TV]
· [Newsgroups] Newzleech down? [Filesharing Software]
· LFM Overkill [World of Warcraft]
· Windows 7 boot manager editing questions [Microsoft Help]
· UBB round 2 at the CRTC [Canadian Broadband]
· Quality/longevity of 15A 120V receptacles [Home Repair & Improvement]