-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 1 Jun 2007, Martijn Lievaart wrote:
Ric Messier wrote:
Bgs writes:
Some more info about the attack: All IPs were real IPs otherway the tcp
handshake wouldn't have made it. The attacker IPs were also consistent.
They also new about the blocked IPs as after a new bunch of blocked IPs
we fared OK then they added another bunch new IPs... we played this for
quite some time...
All connections were in the ESTABLISHED state.
Then your original description was incorrect or at least inadequate. It has
nothing to do with SYN as originally suggested since an ESTABLISHED
connection has blown past SYN, through SYN/ACK and by ACK. It has completed
the TCP handshake, as you note above. A SYN attack/flood would stop after
sending the initial SYN and leave the connection half-open to exhaust the
half-open buffers.
An connection is in the ESTABLISHED state once a packet has been seen. So
once the SYN is seen, the state is ESTABLISHED.
No, it is in state "new" with a mere syn sent.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFGeB7/st+vzJSwZikRAmbnAKDPbPVQcBsCzAkmoETaYT61EHVOAgCgwl0P
gTWFY+m1/+x1np1D7Rr1ulA=
=Eq4t
-----END PGP SIGNATURE-----
