Heya --

> Today the server was reported to have made a SYN attack against some
> network at a college.  A few days ago a man emailed me complaining
> that the server was probing port 53 on his computer.  The box has 1
> static IP and isn't a gateway, so no other computers are permitted to
> use its IP address.

     First of all, check out http://www.cert.org/faq/cert_faq.html#B1
-- it will help you determine whether or not you actually have been
hacked.  Also, ask the guy complaining that you were "scanning" port 53
on his computer if he's running Black Ice Defender in Paranoid mode.  
Black Ice Defender is a popular firewall for Windows, and its Paranoid
mode has been known to report DNS replies as port-scanning.  (DNS is on
port 53.)  Worth checking into.

     The SYN attack is more troubling.  Make sure you're not allowing
ip redirects (in your firewall) or directed broadcasts (part of
multicast) that would allow your computer to be used as a springboard
by a hacker engaged in a DDoS attack.  If your computer is set up to
allow either of these behaviours, you don't have to have been hacked to
have sent a SYN flood.  It could have come from Joe Random on the
Internet, and was merrily passed along by your server as one of the
"services" it was offering.  Usually boxes that are targeted for this
sort of thing are sitting on high-bandwidth lines that the hacker can
use to flood the target completely.  Is this you?


"And baby, when we're load-balancing coast to coast,
 I'll route your packets, if you'll switch my host."
 -- the Technology Torch Song, by the deeply disturbed Crayola


techtalk mailing list
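
Added example (not part of the original message): one way to test the Black Ice Defender point in the reply above from the server's side is to check whether the port-53 packets the server sent were answers to queries it had just received. The Python below runs over a constructed capture in a simplified format; the addresses, the log format, the 5-second window and all function names are assumptions.

```python
import re
from collections import namedtuple

SERVER = "192.0.2.10"   # constructed: the accused server's static IP
WINDOW = 5.0            # assumption: seconds a reply may trail its query
Pkt = namedtuple("Pkt", "ts src sport dst dport")
LINE = re.compile(r"^(\d+\.\d+) (\S+):(\d+) > (\S+):(\d+) udp$")

# Constructed capture, simplified format: "<epoch> src:port > dst:port udp"
SAMPLE = """\
100.00 198.51.100.7:40312 > 192.0.2.10:53 udp
100.02 192.0.2.10:53 > 198.51.100.7:40312 udp
130.00 192.0.2.10:53 > 198.51.100.7:40312 udp
200.00 192.0.2.10:33000 > 203.0.113.5:53 udp
200.10 192.0.2.10:33001 > 203.0.113.6:53 udp
"""

def parse(text):
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            pkts.append(Pkt(float(ts), src, int(sport), dst, int(dport)))
    return pkts

def classify(pkts, server=SERVER, window=WINDOW):
    """Label every port-53 packet the server sent."""
    pending = {}  # (client, client_port) -> time of its latest query to server:53
    out = []
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.dst == server and p.dport == 53:
            pending[(p.src, p.sport)] = p.ts          # inbound query: remember it
        elif p.src == server and p.sport == 53:
            asked = pending.pop((p.dst, p.dport), None)
            solicited = asked is not None and p.ts - asked <= window
            out.append((p, "dns-reply" if solicited else "unsolicited-from-53"))
        elif p.src == server and p.dport == 53:
            out.append((p, "outbound-to-53"))         # lookups the server itself made
    return out

def summary(text=SAMPLE):
    counts = {}
    for _, label in classify(parse(text)):
        counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    print(summary())
```

Packets labelled "dns-reply" are the kind a personal firewall can misreport as a scan; "unsolicited-from-53" and a large "outbound-to-53" count are the ones worth a closer look on the server.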
