TechSpot

Outpost detected an RST attack....whatizit?

By foycur
Dec 31, 2005
  1. I got two RST attacks from different addresses

    80.218.71.241 and 208.0.107.138 -> 208.0.107.138

    I'm just learning web security, I believe this is a DoS type attack? Does it mean that someone has gotten in, or that Outpost blocked it? I tried doing some online research but didn't learn much. Should I block these IP addresses?
     
  2. vhunter

    Most likely, Outpost blocked it. Check your logs and look for the IPs to see what Outpost did. It probably wasn't a DoS attack, since you're on the Internet, but if it happens again, you may have a problem.
     
  3. jobeard

    Because a typical DoS attack uses a random IP as the source IP, it is likely that the source IP or machine (if it exists) will send a reset (RST/ACK) packet back to the server, saying it did not make the connection request. What happens even more often is that the IP address will not exist (because it is a random number); the server will keep trying to initiate a connection by resending SYN/ACK and then RST/ACK (because it didn't get any ACK back) packets back to the bogus source IP address.

    All this creates incomplete or half-open connections, which is why we need to time-out these connections by creating a value called SynAttackProtect.

    To create the SynAttackProtect value, right-click in the right-hand pane of the Registry Editor and select New > DWORD Value. You should see the same default value name assigned to this value called New Value #1, ...

    Google for "SynAttackProtect registry setting".
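
The half-open bookkeeping described in the reply above, as an added example that is not part of the original thread: it replays a small capture from the server's side and labels each connection attempt as established, reset by the real owner of a spoofed address, or half-open until timed out. The addresses, the packet tuple format and the 20-second timeout are constructed assumptions.

```python
SERVER = ("192.0.2.10", 80)  # constructed documentation address

# Constructed capture: (seconds, src, sport, dst, dport, TCP flags)
PACKETS = [
    (0.0, "198.51.100.7", 40000, "192.0.2.10", 80, "S"),   # normal client
    (0.1, "192.0.2.10", 80, "198.51.100.7", 40000, "SA"),
    (0.2, "198.51.100.7", 40000, "192.0.2.10", 80, "A"),
    (1.0, "203.0.113.5", 1111, "192.0.2.10", 80, "S"),     # spoofed source, host exists
    (1.1, "192.0.2.10", 80, "203.0.113.5", 1111, "SA"),
    (1.2, "203.0.113.5", 1111, "192.0.2.10", 80, "RA"),    # owner disowns the request
    (2.0, "203.0.113.99", 2222, "192.0.2.10", 80, "S"),    # spoofed source, no such host
    (2.1, "192.0.2.10", 80, "203.0.113.99", 2222, "SA"),
    (5.1, "192.0.2.10", 80, "203.0.113.99", 2222, "SA"),   # SYN/ACK retransmission
    (11.1, "192.0.2.10", 80, "203.0.113.99", 2222, "SA"),  # SYN/ACK retransmission
]

def classify(packets, now, timeout=20.0):
    """Return {(client_ip, client_port): {"state", "first", "synacks"}}."""
    flows = {}
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if (dst, dport) == SERVER:                 # packet from a client
            key = (src, sport)
            if flags == "S":
                flows[key] = {"state": "syn_received", "first": ts, "synacks": 0}
            elif key in flows and flows[key]["state"] == "syn_received":
                if "R" in flags:                   # RST or RST/ACK from the source
                    flows[key]["state"] = "reset_by_source"
                elif flags == "A":                 # handshake completed
                    flows[key]["state"] = "established"
        elif (src, sport) == SERVER and flags == "SA":
            flow = flows.get((dst, dport))
            if flow and flow["state"] == "syn_received":
                flow["synacks"] += 1               # counts retransmissions too
    for flow in flows.values():
        # Nothing came back: the entry stays half-open until the timer drops it.
        if flow["state"] == "syn_received" and now - flow["first"] >= timeout:
            flow["state"] = "half_open_timed_out"
    return flows

if __name__ == "__main__":
    for key, flow in classify(PACKETS, now=30.0).items():
        print(key, flow["state"], "SYN/ACKs sent:", flow["synacks"])
```
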
     