[56984] in North American Network Operators' Group
RE: Syn Flood
daemon@ATHENA.MIT.EDU (Ron Harris)
Tue Mar 25 23:17:49 2003
From: "Ron Harris" <rharris@ewtechnology.com>
To: "'Christopher Bird'" <seabird@msn.com>, <nanog@merit.edu>
Date: Tue, 25 Mar 2003 21:12:38 -0700
In-Reply-To: <001301c2f34b$92555d80$3601a8c0@cb>
Errors-To: owner-nanog-outgoing@merit.edu
I had success on several computers catching IRC Bots with SwatIT, which is
free.
http://www.lockdowncorp.com/
Ron
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Christopher Bird
Sent: Tuesday, March 25, 2003 8:56 PM
To: nanog@merit.edu
Subject: Syn Flood
I have a problem on a home PC of all things. Every once in a while it bursts
into life and SYN floods an IP address on port 80. The IP addresses it
chooses are random and varied. The network counters ratchet up alarmingly
(as viewed in the connections window). I am running WinXP Pro on this box.
I have ZoneAlarm, an SMC Barricade firewall, and Norton AntiVirus.
I don't seem to be able to catch the computer at it; I just have the
evidence after the event. I don't like the antisocial behavior that this is
exhibiting and am wondering if the collective wisdom of this group might
have any ideas how to track the issue down.
According to virus checkers, I am clean.
Thanks in advance
Chris Bird