
The Largest Car Forum in the Philippines

  1. Join Date
    Jul 2006
    Posts
    1,731
    #1
    Sometimes when using PLDT DSL, all the lights on the modem & router are blinking but I can't surf... My first suspicion is that someone is hacking or that there's a DoS attack, which usually happens... I just want to know what these messages from my router mean... (Thank God there's Hardware Protection)

    2006-10-15 22:48:24 **SYN Flood to Host** 88.19.51.35, 17498->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2006-10-15 22:48:24 **SYN Flood to Host** 129.252.91.142, 4174->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 22:59:31 **SYN Flood (per Min)** 75.153.215.194, 2899->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 23:00:22 **SYN Flood** 86.83.55.80, 54312->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 23:00:23 **UDP Flood (per Min) Stop** (from PPPoE1 Inbound)

    I didn't paste everything, since people might say I'm flooding too... I use an SMC router and I think this is one of their product differentiators for their routers... You may know if there is a security breach or threat.

    Hopefully you can explain what type of DoS or hacking this is????
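The router alerts quoted in the post above can be parsed and grouped by what they target. This is an added example, not part of the original post; the regular expression is inferred only from the five lines shown, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Alert lines copied from the router log quoted in the post above.
LOG = """\
2006-10-15 22:48:24 **SYN Flood to Host** 88.19.51.35, 17498->> 58.69.7.45, 29094 (from PPPoE1 Inbound)
2006-10-15 22:48:24 **SYN Flood to Host** 129.252.91.142, 4174->> 58.69.7.45, 29094 (from PPPoE1 Inbound)
2007-02-27 22:59:31 **SYN Flood (per Min)** 75.153.215.194, 2899->> 58.69.7.45, 29094 (from PPPoE1 Inbound)
2007-02-27 23:00:22 **SYN Flood** 86.83.55.80, 54312->> 58.69.7.45, 29094 (from PPPoE1 Inbound)
2007-02-27 23:00:23 **UDP Flood (per Min) Stop** (from PPPoE1 Inbound)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \*\*(?P<event>.+?)\*\*"
    rf"(?: (?P<src>{IP}), (?P<sport>\d+)->> (?P<dst>{IP}), (?P<dport>\d+))?"
    r" \(from (?P<iface>\S+) (?P<dir>\w+)\)$")

def parse(log):
    """Return (alerts with endpoints, notices without endpoints, unparsed lines)."""
    alerts, notices, bad = [], [], []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            if raw.strip():
                bad.append(raw)       # keep unknown formats visible, never drop silently
        elif m["src"]:
            alerts.append(m.groupdict())
        else:
            notices.append(m.groupdict())   # e.g. the "... Stop" line has no addresses
    return alerts, notices, bad

def summarize(alerts):
    """Group alerts by targeted (dst IP, dst port): event count, sources, days seen."""
    out = defaultdict(lambda: {"events": 0, "sources": set(), "days": set()})
    for a in alerts:
        s = out[(a["dst"], int(a["dport"]))]
        s["events"] += 1
        s["sources"].add(a["src"])
        s["days"].add(a["date"])
    return dict(out)

if __name__ == "__main__":
    alerts, notices, bad = parse(LOG)
    for (ip, port), s in summarize(alerts).items():
        print(f"{ip}:{port} events={s['events']} sources={len(s['sources'])} days={sorted(s['days'])}")
    print("notices:", [n["event"] for n in notices], "unparsed:", len(bad))
```

All four alerts name the same destination port, so the next check is which local application or port forward on the router uses it.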

  2. Join Date
    Jan 2006
    Posts
    12,347
    #2
    Originally Posted by mikmik316:
    Sometimes when using PLDT DSL, all the lights on the modem & router are blinking but I can't surf... My first suspicion is that someone is hacking or that there's a DoS attack, which usually happens... I just want to know what these messages from my router mean... (Thank God there's Hardware Protection)

    2006-10-15 22:48:24 **SYN Flood to Host** 88.19.51.35, 17498->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2006-10-15 22:48:24 **SYN Flood to Host** 129.252.91.142, 4174->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 22:59:31 **SYN Flood (per Min)** 75.153.215.194, 2899->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 23:00:22 **SYN Flood** 86.83.55.80, 54312->> 58.69.7.45, 29094 (from PPPoE1 Inbound)

    2007-02-27 23:00:23 **UDP Flood (per Min) Stop** (from PPPoE1 Inbound)

    I didn't paste everything, since people might say I'm flooding too... I use an SMC router and I think this is one of their product differentiators for their routers... You may know if there is a security breach or threat.

    Hopefully you can explain what type of DoS or hacking this is????

    It looks like a DoS attack. As to what kind..... don't know. Using fake IPs perhaps to fool and saturate the server? Never been victim of one yet......

    SYN Flood is a clue.....

  3. Join Date
    May 2006
    Posts
    8,357
    #3
    The SYN flood attack sends TCP connection requests faster than a machine can process them.

    * attacker creates a random source address for each packet
    * SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
    * victim responds to spoofed IP address, then waits for confirmation that never arrives (waits about 3 minutes)
    * victim's connection table fills up waiting for replies
    * after table fills up, all new connections are ignored
    * legitimate users are ignored as well, and cannot access the server
    * once attacker stops flooding server, it usually goes back to normal state (SYN floods rarely crash servers)
    * newer operating systems manage resources better, making it more difficult to overflow tables, but still are vulnerable
    * SYN flood can be used as part of other attacks, such as disabling one side of a connection in TCP hijacking, or by preventing authentication or logging between servers.

    Defensive techniques:

    * micro blocks: Instead of allocating a complete connection object (which causes the memory failure), simply allocate a micro-record. Newer implementations allocate as little as 16 bytes for the incoming SYN object.
    * SYN cookies: Instead of allocating a record, send a SYN-ACK with a carefully constructed seqno generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special seqno will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first. However, the cryptographic hashing used in SYN cookies is fairly expensive, so servers that expect lots of incoming connections may choose not to use it. (Conversely, newer TCP stacks need to implement secure sequence numbers anyway in order to avoid TCP seqno prediction, so this is not necessarily a problem).
    * RST cookies: An alternative to SYN cookies, but may cause problems with Win95 machines and/or machines behind firewalls. The way this works is that the server sends a wrong SYNACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
    * stack tweaking: TCP stacks can be tweaked in order to reduce the effect of SYN floods. The most common example is to reduce the timeout before a stack frees up the memory allocated for a connection. Another technique would be to selectively drop incoming connections.
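The SYN cookie defence described in the post above, as a server-side simulation. This is an added example, not part of the original post and not any real TCP stack's algorithm: the HMAC-SHA256 construction, the bit layout (8 bits of time slot, 24 bits of keyed hash, no MSS encoding), the secret and the client addresses are all assumptions.

```python
import hashlib, hmac, socket, struct

SECRET = b"constructed-demo-key"  # assumption: a real stack uses a random per-boot secret
SLOT = 64                         # assumption: seconds per cookie time slot

def cookie(src, sport, dst, dport, slot):
    """32-bit sequence number: top 8 bits = slot mod 256, low 24 bits = keyed hash."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHQ", sport, dport, slot)
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((slot & 0xFF) << 24) | int.from_bytes(mac, "big")

class Listener:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()      # the only per-connection state kept

    def on_syn(self, src, sport, now):
        """Answer a SYN without storing anything; returns the SYN-ACK seqno."""
        return cookie(src, sport, self.ip, self.port, int(now) // SLOT)

    def on_ack(self, src, sport, ack_no, now):
        """Third packet: ack_no must equal cookie + 1 for the current or previous slot."""
        seen = (ack_no - 1) & 0xFFFFFFFF
        cur = int(now) // SLOT
        for slot in (cur, cur - 1):
            if slot >= 0 and seen == cookie(src, sport, self.ip, self.port, slot):
                self.established.add((src, sport))   # memory allocated only now
                return True
        return False

def simulate():
    """Returns (state after flood, legit ACK ok, guessed ACK ok, stale ACK ok)."""
    srv, t = Listener("58.69.7.45", 29094), 1_000_000   # address/port from the router log
    for i in range(10_000):                              # constructed spoofed SYNs, never ACKed
        srv.on_syn(f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}", 1024 + i % 60000, t)
    after_flood = len(srv.established)
    seq = srv.on_syn("192.0.2.10", 40000, t)             # constructed legitimate client
    legit = srv.on_ack("192.0.2.10", 40000, (seq + 1) & 0xFFFFFFFF, t + 5)
    guessed = srv.on_ack("192.0.2.11", 40001, 0x12345679, t + 5)   # ACK with no prior SYN
    stale = srv.on_ack("192.0.2.10", 40000, (seq + 1) & 0xFFFFFFFF, t + 10 * SLOT)
    return after_flood, legit, guessed, stale

if __name__ == "__main__":
    print(simulate())
```

Ten thousand unanswered SYNs leave the connection table empty, while the client that returns the cookie in its ACK is admitted and a guessed or expired cookie is rejected.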

Security Gurus... what does this mean?