
Re: [cobalt-users] RaQ4 - dmesg



On Thu, 17 Jan 2002, Richard Sidlin wrote:

> I looked at dmesg on my live RaQ and wondered if the following, at the
> bottom of the report is a problem?

> possible SYN flooding on port 110. Sending cookies.

I guess it depends what you mean by 'problem' ;P
It's most likely an automated scanner looking for vulnerable pop3 servers,
it generated a SYN flood because it walked IP addresses in sequence very
fast, thinking they are different machines, but in fact they all go to
your machine so you saw a lot of connection opens happen very fast and the
kernel got upset...(SYN = TCPspeak for open connection ;)

Assuming you have been keeping your software up to date, it's not much
more than a minor annoyance....or a reminder that the kiddies are still
playing ;P

Chances are it's automated from some other machine that's compromised, but
be careful about yelling at anyone, the IPs listed by the kernel in
response to SYN floods aren't totally reliable...

(The cookies are specially designed packets designed to place the burden
of opening a connection back on the sender, hopefully to make it behave
itself, or at least minimize the impact on the server)

gsh
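
The cookie mechanism described in the reply above, as an added sketch that is not part of the original message and is not the Linux kernel's code: the server encodes everything it needs into the sequence number of its SYN-ACK and stores nothing until a valid ACK comes back. The secret, the MSS table, the bit layout and the function names are assumptions chosen for illustration, and the addresses in the test values are constructed.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # assumption: a real stack uses a random secret
MSS_TABLE = (536, 1024, 1300, 1460)   # assumption: small table, index fits in 3 bits
TICK = 64                             # seconds per step of the time counter


def _mac24(src, sport, dst, dport, client_isn, t, idx):
    """24-bit keyed hash over the 4-tuple, client ISN, time counter and MSS index."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst)
    msg += struct.pack("!HHIQB", sport, dport, client_isn, t, idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK; no per-connection state is kept."""
    t = now // TICK
    # Largest table entry not exceeding the client's MSS (smallest entry as fallback).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, t, idx)
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the final ACK; return the negotiated MSS, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF   # the client acknowledges server ISN + 1
    idx = (cookie >> 24) & 0x7
    for age in (0, 1):                # accept the current and the previous tick only
        t = now // TICK - age
        if t < 0 or (t & 0x1F) != cookie >> 27:
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, t, idx)
        got = cookie & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
            return MSS_TABLE[idx]     # idx is covered by the MAC, so it is in range
    return None
```

A sender that spoofs its source address never sees the SYN-ACK, so it cannot produce an ACK that passes `check_cookie`, and the server has spent no memory on it.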