My friend was getting this yesterday and he didn't have logging on his router, so from the best I could do (netstat at the time of the attack and afterwards) it seemed that vigilance.phaseburn.net was responsible.
Anyway today I found a lot of these in my router's logs...
2004/04/10 01:19:08 ** TCP SYN Flooding ** <IP/TCP> 66.101.19.2:45483 ->> 12.221.234.180:411
First IP address is his.
That IP address translates into shazbot.phaseburn.net
Anyway, I contacted the owner of phaseburn.net. And I sent him my logs. He replied with this...
Quote:
Well, vigilance.phaseburn.net is a public IRC server with anywhere
between 5 to 8 thousand users on it...
It's also not capable of synflooding anybody due to the fact that it can
only send/receive SYN's to/from port 6667, the server linking port for
the network it's on, and port 22 from a selected /24. So if they're
getting syn floods from vigilance, it's definitely spoofed.
That makes me think that your logs may also be of spoofed IPs. Just to
be safe, I've -j DROP'd all data packets from shazbot going to your
IP... while I can't guarantee it will help, or that it won't, it's the
best I can do at the moment. I don't see anything on either server that
could cause this...
So does anyone have any ideas?
Mainly, I'm wondering if it is possible that someone spoofed his IP with theirs?