I'm curious if any of you commonly see IDS events related to half-open SYN connections? The description of the signature I'm hitting is as follows:

Triggers when multiple TCP sessions have been improperly initiated on any of several well known service ports. Detection of this signature is currently limited to FTP, Telnet, WWW, SSH and E-mail servers (TCP ports 21, 23, 80, 22 and 25 respectively). This is indicative that a denial of service attack against your network may be in progress.

I seem to be seeing a lot of Windows stuff, as TCP dst ports 445 and 139 show up a lot. I also see TCP dst port 25, SMTP.

Your feedback would be appreciated,

Derek A. Buelna, CISSP, CCIE
Information Security
XEROX Office Group
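
An added example, not part of the original post and not the IDS vendor's signature logic: a minimal tracker that counts TCP handshakes left half-open per service, using the port list from the signature description quoted above. The threshold, timeout, addresses and packet records are constructed assumptions; passing `ports=None` widens the check to any destination port, such as the 445 and 139 traffic mentioned in the post.

```python
from collections import Counter

WATCHED_PORTS = {21, 22, 23, 25, 80}  # ports listed in the quoted signature text
THRESHOLD = 3    # assumption: stalled handshakes per service before alerting
TIMEOUT = 5.0    # assumption: seconds allowed for the client's final ACK

# Constructed packet summaries: (time, src, sport, dst, dport, TCP flags)
PACKETS = [
    (0.0, "198.51.100.7", 40001, "192.0.2.10", 80, "S"),   # normal handshake
    (0.1, "192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    (0.2, "198.51.100.7", 40001, "192.0.2.10", 80, "A"),
    (1.0, "198.51.100.21", 1025, "192.0.2.10", 25, "S"),   # never completed
    (1.1, "198.51.100.22", 1026, "192.0.2.10", 25, "S"),
    (1.2, "198.51.100.23", 1027, "192.0.2.10", 25, "S"),
    (1.3, "198.51.100.24", 1028, "192.0.2.10", 25, "S"),
    (1.4, "192.0.2.10", 25, "198.51.100.24", 1028, "RA"),  # server refused this one
    (2.0, "198.51.100.31", 2001, "192.0.2.20", 445, "S"),  # port not in the list
    (2.1, "198.51.100.32", 2002, "192.0.2.20", 445, "S"),
    (2.2, "198.51.100.33", 2003, "192.0.2.20", 445, "S"),
]

def half_open_alerts(packets, now, ports=WATCHED_PORTS,
                     threshold=THRESHOLD, timeout=TIMEOUT):
    """Return {(server, port): n} for services with >= threshold stalled SYNs."""
    pending = {}  # (client, cport, server, sport) -> time the SYN was seen
    for ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            if ports is None or dport in ports:
                pending.setdefault((src, sport, dst, dport), ts)
        elif "R" in flags:
            # A reset from either side ends the attempt.
            pending.pop((src, sport, dst, dport), None)
            pending.pop((dst, dport, src, sport), None)
        elif flags == "A":
            # The client's final ACK completes the three-way handshake.
            pending.pop((src, sport, dst, dport), None)
    stalled = Counter((server, port)
                      for (_, _, server, port), ts in pending.items()
                      if now - ts > timeout)
    return {svc: n for svc, n in stalled.items() if n >= threshold}

if __name__ == "__main__":
    print(half_open_alerts(PACKETS, now=10.0))              # watched ports only
    print(half_open_alerts(PACKETS, now=10.0, ports=None))  # any destination port
```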
This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 17:10:30 PST