What is a SYN port attack?

This topic is archived.
Room101 Donating Member (1000+ posts) Tue May-11-04 12:26 AM
Original message
What is a SYN port attack?
I just installed a firewall and it blocked a SYN port attack. I traced it and have the contact information. Is there foul play going on here?
SlavesandBulldozers Donating Member (1000+ posts) Tue May-11-04 12:33 AM
Response to Original message
1. if you have repeated instances of it
Edited on Tue May-11-04 12:37 AM by soundgarden1
over the course of time it's a big deal. 1 or two here and there not really a big deal. Sometimes it simply means your computer is getting pinged from an address it cannot respond to. If it becomes a pattern, there may be a problem. Sometimes firewalls misreport pings as attacks.

You're going to want multiple opinions on this, as I'm not the be-all-end-all expert on that shit. It could be that your computer is getting probed for exploitation; pings are a method hackers use to find exploitable computers.
jadedcherub Donating Member (367 posts) Tue May-11-04 12:53 AM
Response to Original message
2. It's a DOS attack,
Edited on Tue May-11-04 12:55 AM by jadedcherub
it usually comes from a spoofed address, which sends a bunch of SYN packets at your 'puter, and when your 'puter SYN-ACKs back, it can't find the host, so it retries (five times, actually); it uses resources, each SYN attack can be 3 minutes, so the idea is they spam SYN packets at you and your resources get so low your 'puter can't take on any more connections, and you lose service.

But if it's just one, all a SYN packet is, is a TCP connection request.

I highly doubt you're vulnerable behind your firewall.
Ricdude Donating Member (218 posts) Tue May-11-04 12:55 AM
Response to Original message
3. A SYN port attack is...

Someone asked your computer "Are you there?". Your computer responded "Yes? What do you want?" and never heard from them again. Many times.

Probably not someone targeting you specifically, more likely a script kiddie (cyber vandal), who is using the computer that attacked yours (not likely it's even their own) to attack random targets of opportunity.

I wouldn't worry about it unless I saw many of them from the same address range.

Aren't you glad you have a firewall? =)


http://docsrv.sco.com:507/en/NetAdminG/nwRs_SYNflood.html

A "SYN flood" is a Denial of Service attack that takes advantage of the TCP "three way handshake" protocol. A SYN is a type of TCP packet sent to initiate a connection with a listening TCP port. The port responds with a SYN/ACK to the initiating port, and places the SYN packet in a partial connections queue. When a corresponding ACK packet is received on the listening port, the validated SYN packet is removed from the partial connections queue and an entry is placed in the established connection queue awaiting a socket connection.

A SYN flood occurs when one or more listening TCP ports are sent large numbers of SYN packets. Such attacks could take various forms, most of which do not adversely affect the attacked system. However, the most potentially harmful attack sends SYN packets in which the client address refers to a system which does not exist. In this case, SYN packets remain in the TCP partial connection queue for each listening port that is attacked, unable to complete because the SYN/ACK cannot be routed to a bogus address. If the queues are too small and packets awaiting response remain on the queues, the TCP stack refuses to accept any connections until the bogus packets have timed out.
Printer Friendly | Permalink |  | Top
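An added example, not part of any post in this thread: a small Python tracker that models the partial connections queue described above and applies the "many from the same address range" rule of thumb. The event list is constructed sample data; the 180-second timeout (taken from the "3 minutes" in reply 2), the threshold of 5 and all function names are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

TIMEOUT = 180   # seconds a half-open entry is kept (assumption, from "3 minutes" in reply 2)
THRESHOLD = 5   # abandoned handshakes per /24 before flagging (arbitrary example value)

def make_events():
    """Constructed sample: (time_s, src_ip, src_port, flag) as seen at a listening port."""
    events = [(0, "192.0.2.10", 40000, "SYN"), (1, "192.0.2.10", 40000, "ACK"),  # normal client
              (5, "198.51.100.7", 41000, "SYN")]                                  # one stray SYN
    # Burst of SYNs from one range that never answer the SYN/ACK.
    events += [(10 + i, f"203.0.113.{i + 1}", 50000 + i, "SYN") for i in range(8)]
    events += [(400, "192.0.2.10", 40001, "SYN"), (401, "192.0.2.10", 40001, "ACK")]
    return events

def analyse(events, timeout=TIMEOUT, prefix=24):
    """Return (abandoned handshakes per source network, peak half-open count)."""
    pending, abandoned, peak = {}, Counter(), 0
    for t, src, sport, flag in sorted(events):
        # Expire entries whose SYN/ACK was never answered within the timeout.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            net = ipaddress.ip_network(f"{key[0]}/{prefix}", strict=False)
            abandoned[str(net)] += 1
            del pending[key]
        if flag == "SYN":
            pending[(src, sport)] = t          # entry joins the partial connections queue
            peak = max(peak, len(pending))
        elif flag == "ACK":
            pending.pop((src, sport), None)    # handshake completed, entry leaves the queue
    return abandoned, peak

def flagged(abandoned, threshold=THRESHOLD):
    """Networks with enough abandoned handshakes to look like a pattern."""
    return sorted(net for net, n in abandoned.items() if n >= threshold)

if __name__ == "__main__":
    counts, peak = analyse(make_events())
    print("abandoned per /24:", dict(counts))
    print("peak half-open entries:", peak)
    print("flagged:", flagged(counts))
```

The peak half-open count is the number to compare against the listener's partial connections queue size; the single stray SYN is counted but stays below the flagging threshold.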
 
jadedcherub Donating Member (367 posts) Tue May-11-04 12:56 AM
Response to Reply #3
4. :)