At 12:21 PM 5/24/2002, Kyle R. Hofmann wrote:

>I've seen similar behavior from a misbehaving Linux 2.2.19 system. I don't
>know what triggered it, but it began trying to reset connections that weren't
>there:
>
>05:41:44.057978 xxx.62174 > yyy.zz: R 1060312:1060312(0) win 0
>05:42:38.212257 xxx.62175 > yyy.zz: R 1060356:1060356(0) win 0
>05:53:50.091303 xxx.62176 > yyy.zz: R 1060312:1060312(0) win 0

[Snip]

Resetting connections which are not there is frequently a symptom of SYN
flooding by someone who's spoofing your source address. We see this sort of
"backscatter" frequently. A stateful firewall can help by blocking SYN-ACKs
and ACKs when an outbound SYN was never sent.

--Brett Glass

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
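An added illustration, not part of the original message or the list archive: a minimal Python sketch of the stateful check described in the reply above, where an inbound SYN-ACK or ACK passes only if a matching outbound SYN was seen. The class and function names, the addresses (documentation ranges) and the packet records are all constructed for the example; timeouts and connection teardown are left out.

```python
# Added illustration: inbound TCP filtering keyed on outbound SYNs.
from typing import NamedTuple

class Pkt(NamedTuple):
    direction: str      # "out" leaves the protected host, "in" arrives at it
    local: tuple        # (ip, port) on the protected side
    remote: tuple       # (ip, port) on the far side
    flags: frozenset    # TCP flags set on the segment

class StatefulFilter:
    def __init__(self):
        self.state = {}  # (local, remote) -> "SYN_SENT" or "ESTABLISHED"

    def check(self, p: Pkt) -> str:
        key = (p.local, p.remote)
        st = self.state.get(key)
        if p.direction == "out":
            if p.flags == {"SYN"}:
                self.state[key] = "SYN_SENT"    # remember our own handshake
            elif "RST" in p.flags:
                self.state.pop(key, None)       # connection torn down
            return "pass"
        if p.flags == {"SYN", "ACK"} and st == "SYN_SENT":
            self.state[key] = "ESTABLISHED"     # answer to a SYN we sent
            return "pass"
        if "ACK" in p.flags and "SYN" not in p.flags and st == "ESTABLISHED":
            return "pass"
        # No matching outbound SYN: drop before the host's TCP stack
        # answers with a RST for a connection it never opened.
        return "drop"

def run(packets):
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]

def F(*names):
    return frozenset(names)

HOST = "192.0.2.10"  # constructed address of the protected host
SAMPLE = [           # constructed packet records
    Pkt("out", (HOST, 40000), ("198.51.100.5", 80), F("SYN")),
    Pkt("in",  (HOST, 40000), ("198.51.100.5", 80), F("SYN", "ACK")),
    Pkt("in",  (HOST, 40000), ("198.51.100.5", 80), F("ACK")),
    # Backscatter: replies to SYNs that someone else sent with our address
    Pkt("in",  (HOST, 62174), ("203.0.113.7", 80), F("SYN", "ACK")),
    Pkt("in",  (HOST, 62175), ("203.0.113.7", 80), F("ACK")),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, pkt.direction, pkt.remote, sorted(pkt.flags))
```

The first three records are a handshake the host started and pass; the last two have no outbound SYN behind them and are dropped, so the host never emits the resets seen in the quoted trace.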
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 14:21:50 PDT