SYN question

15 years 1 month ago #32911 by kogula14
SYN question was created by kogula14
Hi,

I found out my client's web page cannot be loaded, as it shows a "Connection Timed Out" error message. I suspected that maybe there is a SYN attack on that server. After I ran the command below:

[root@server1403 ~]# netstat -n | grep :80 | grep SYN |wc -l
157

My question is:

When I check, 1 IP utilizes 1 SYN. Is it really a SYN attack or not?
Or is it high load due to many users at one time, and that is why the web page can't open?

Thanks
15 years 1 month ago #32919 by cooluswiz
Replied by cooluswiz on topic Syn Attack
Assuming that you know the three-way handshake, is the web server in the DMZ, behind the firewall? Further, take a trace on your firewall, preferably on both interfaces (inbound/outbound), to eliminate the same.
15 years 1 month ago #32933 by kogula14
Replied by kogula14 on topic Re: SYN question
Hi,

I couldn't understand the thing that you mentioned (take a trace on your firewall preferably on both interfaces (Inbound/Outbound) to eliminate the same.)

Do you mean taking a traceroute or doing netstat?
15 years 1 month ago #32940 by S0lo
Replied by S0lo on topic Re: SYN question
kogula14, maybe you've done this already, but just in case,

Try this at the command prompt of the server:

netstat -n -p TCP

If you see a big list of connections with state SYN_RECEIVED, then this could indicate a SYN attack.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
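
The check discussed in the posts above, as an added example that is not part of the original thread: a shell function that reads `netstat -n` text and counts half-open inbound connections on one local port, broken down by source address. Unlike a plain grep for `:80` and `SYN`, it matches the local port exactly and skips outbound `SYN_SENT` entries. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in Linux `netstat -n` layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40211      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:40212      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33100       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:33101       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:50022       ESTABLISHED
tcp        0      0 192.0.2.10:51000        203.0.113.20:80         SYN_SENT
EOF
}

# half_open_summary PORT  (hypothetical helper name)
# Reads netstat -n output on stdin. Fields are taken from the right so that
# both the Linux layout (6 columns, state SYN_RECV) and the Windows layout
# (4 columns, state SYN_RECEIVED) are parsed the same way.
half_open_summary() {
  awk -v port="$1" '
    tolower($1) ~ /^tcp/ && NF >= 4 {
      state = $NF; raddr = $(NF-1); laddr = $(NF-2)
      n = split(laddr, parts, ":")        # last piece is the local port
      if (parts[n] != port) next          # exact match: 8080 is not 80
      if (state == "SYN_RECV" || state == "SYN_RECEIVED") {
        sub(/:[0-9]+$/, "", raddr)        # drop the remote port, keep the address
        total++
        if (!(raddr in seen)) sources++
        seen[raddr]++
        if (seen[raddr] > max) max = seen[raddr]
      } else if (state == "ESTABLISHED") {
        est++
      }
    }
    END {
      printf "total=%d sources=%d max_per_source=%d established=%d\n",
             total, sources, max, est
    }'
}

# Prints: total=3 sources=2 max_per_source=2 established=1
sample_netstat | half_open_summary 80
```

On a live server the input would be `netstat -n | half_open_summary 80`; the numbers are only meaningful when compared with what the same server shows under normal load.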
15 years 1 month ago #32943 by FishNBone
Replied by FishNBone on topic Re: SYN question
Hi all!

kogula14, I tried your command on Windows Vista cmd; mine got a lot of 'ESTABLISHED' in the status, and one 'CLOSE_WAIT' and a 'SYN_SENT'. What do all of these mean?

Thank you!
15 years 15 hours ago #33301 by kogula14
Replied by kogula14 on topic Re: SYN question
Hi,

Thanks to everyone for helping me...

support.microsoft.com/kb/137984