[Courses] [Security] knock knock?

Dave North dave at timocharis.com
Wed May 1 18:16:30 EST 2002


> That sounds great -- have at it, and I'll come up with another
> scenario for us to pit our collective wits against too.

How about if I drop one in real quick?
	I have what appears to be maybe a SYN flood addict leeching on to
my server. The netstat goodies look like this:

tcp    0    0 moon.timochari:www-http 62.13.43.60:8192    SYN_RECV

Syncookie protection is enabled, the TTL turned down, so I never see more
than three of these from any one leech at any time. But they will persist
for hours, sometimes through to the next day.
	Nothing shows up in HTTP logs, and denying HTTP service to those
IPs in httpd.config does no good (I assume it's an IP spoof of some sort?)
	Any idea what this goon is up to, how to find out who's doing it,
or any other fun things to know?


d
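
Added example, not part of the original post: because the SYN_RECV entries described above stay at three or fewer per peer but persist for hours, a per-snapshot count says little, so this sketch tracks each remote address across timestamped netstat snapshots and reports the ones that stay half-open over time. The function names, the snapshot format and every sample row except the one quoted in the post are assumptions made for illustration.

```python
import re
from collections import Counter

# One netstat TCP row: proto, Recv-Q, Send-Q, local address, foreign address, state.
ROW = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def half_open_peers(netstat_text):
    """Count SYN_RECV rows per remote IP in a single netstat snapshot."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(4) != "SYN_RECV":
            continue
        peer_ip = m.group(3).rsplit(":", 1)[0]  # drop the trailing :port
        counts[peer_ip] += 1
    return counts

def persistent_peers(snapshots, min_seconds):
    """snapshots: list of (unix_time, netstat_text) pairs.
    Return peers whose half-open entries span at least min_seconds
    between first and last sighting, with their peak concurrent count."""
    seen = {}
    for ts, text in sorted(snapshots):
        for ip, n in half_open_peers(text).items():
            rec = seen.setdefault(ip, {"first": ts, "last": ts, "max": 0})
            rec["last"] = ts
            rec["max"] = max(rec["max"], n)
    return {ip: r for ip, r in seen.items()
            if r["last"] - r["first"] >= min_seconds}

# Constructed sample data: only the first row is the line from the post.
# Every other row (extra ports, 192.0.2.0/24 documentation addresses) is made up.
SNAPSHOTS = [
    (0, "tcp    0    0 moon.timochari:www-http 62.13.43.60:8192    SYN_RECV\n"
        "tcp    0    0 moon.timochari:www-http 192.0.2.7:40112     ESTABLISHED\n"),
    (3600, "tcp    0    0 moon.timochari:www-http 62.13.43.60:8192    SYN_RECV\n"
           "tcp    0    0 moon.timochari:www-http 62.13.43.60:8193    SYN_RECV\n"
           "tcp    0    0 moon.timochari:www-http 192.0.2.9:51000     SYN_RECV\n"),
    (7200, "tcp    0    0 moon.timochari:www-http 62.13.43.60:8194    SYN_RECV\n"),
]

if __name__ == "__main__":
    for ip, rec in persistent_peers(SNAPSHOTS, min_seconds=3600).items():
        print(ip, rec)
```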