Outpost detected an RST attack....whatizit?

Status
Not open for further replies.

foycur

I got two RST attacks from different addresses

80.218.71.241 and 208.0.107.138 -> 208.0.107.138

I'm just learning web security, I believe this is a DoS type attack? Does it mean that someone has gotten in, or that Outpost blocked it? I tried doing some online research but didn't learn much. Should I block these IP addresses?
 
Most likely, Outpost blocked it. Check your logs and look for the IPs to see what Outpost did. It probably wasn't a DoS attack, since you're on the Internet, but if it happens again, you may have a problem.
 
Because a typical DoS attack uses a random IP as the source IP, it is likely that the source IP or machine (if it exists) will send a reset (RST/ACK) packet back to the server, saying it did not make the connection request. What happens even more often is that the IP address will not exist (because it is a random number); the server will keep trying to initiate a connection by resending SYN/ACK and then RST/ACK (because it didn't get any ACK back) packets back to the bogus source IP address.

All this creates incomplete or half-open connections, which is why we need to time-out these connections by creating a value called SynAttackProtect.

To create the SynAttackProtect value, right-click in the right-hand pane of the Registry Editor and select New > DWORD Value. You should see the same default value name assigned to this value called New Value #1, ...

Google for SynAttackProtect registry setting
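
Added example, not part of the original posts: a small Python check for the half-open connections described above, run over the text that `netstat -n -p tcp` prints on Windows. The sample output, the documentation-range IP addresses and the threshold of 5 are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of Windows `netstat -n -p tcp` output (documentation IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:1025       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:4402      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.201:3310    SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.140:2788     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.33:6001     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:1999       SYN_RECEIVED
  TCP    192.0.2.10:443         198.51.100.7:51240     SYN_RECEIVED
  TCP    192.0.2.10:3389        198.51.100.50:50111    ESTABLISHED
"""

def parse_rows(text):
    """Yield (local_port, remote_host, state) for each TCP row."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 4 or cols[0].upper() != "TCP":
            continue  # skip the banner, column header, blank lines and UDP rows
        local_port = cols[1].rpartition(":")[2]
        remote_host = cols[2].rpartition(":")[0].strip("[]")  # strip IPv6 brackets
        yield local_port, remote_host, cols[3].upper()

def half_open_summary(text, threshold=5):
    """Count SYN_RECEIVED entries per local port; flag ports at or over threshold."""
    counts, sources = Counter(), defaultdict(set)
    for port, remote, state in parse_rows(text):
        if state == "SYN_RECEIVED":  # SYN/ACK sent, final ACK never arrived
            counts[port] += 1
            sources[port].add(remote)
    return {
        port: {"half_open": n,
               "distinct_sources": len(sources[port]),
               "suspect": n >= threshold}  # threshold is an assumed cut-off
        for port, n in counts.items()
    }

if __name__ == "__main__":
    for port, info in sorted(half_open_summary(SAMPLE).items()):
        print(port, info)
```

A single SYN_RECEIVED entry is ordinary traffic; many of them on one listening port from many different sources is the pattern the post describes.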
 