delphij's Chaos


22 Jun 2004 under SYNFLOOD attack!

I have watched spurious SYN messages, and apparently this has affected’s networking subsystem, namely its mail system. The attack is from

Whois indicates is:

inetnum: -
netname:      NINET
descr:        Net-Infinity Technology Development Ltd
descr:        China Internet Service Provider, Beijing
country:      CN
admin-c:      EC168-AP
tech-c:       EC168-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-NI
changed: 20020108
source:       APNIC
person:       Ellis Cheung
address:      Level B3, Tower E1
address:      The Towers, Oriental Plaza
address:      No. 1 East Chang An Ave.
address:      Dong Cheng District
address:      Beijing, 100738, China
country:      CN
phone:        +86-10-81586260
fax-no:       +86-10-81586287
nic-hdl:      EC168-AP
mnt-by:       MAINT-CN-NI
changed: 20011217
source:       APNIC

Is this a worm, or an attacker? Not sure.

Apparently, the security mechanism in BJUT did NOT protect As I have stated before, it must protect itself, rather than relying on the badly designed firewall. It’s not the Cisco firewall’s fault, but a bad design by the corporation which designed the firewall system; they apparently lied.

After enabling pf(4)’s SYN PROXY mechanism, the attack seems to be mitigated. I am not sure whether it is actually defeated, but at least, judging from the log, it does not do anything useful for the attacker.
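The rule shape the post refers to, shown here as an added example rather than the author's actual pf.conf: with `synproxy state`, pf answers the client's SYN and completes the three-way handshake itself, and only opens a connection to the protected host once the client has proven it can finish the handshake, so spoofed SYNs that never answer the SYN-ACK never consume a socket on the mail server. The interface name and the mail host's address below are assumptions (the address is from the TEST-NET-1 documentation range).

```pf
# /etc/pf.conf fragment (added example, not the author's configuration)
ext_if    = "fxp0"        # assumed external interface
mail_host = "192.0.2.25"  # assumed address of the mail server (documentation range)

# Proxy the TCP handshake for SMTP: pf completes the handshake with the client
# first and only then connects to $mail_host, so half-open connections never
# reach the mail server's listen queue.
pass in on $ext_if proto tcp from any to $mail_host port smtp \
    flags S/SA synproxy state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s state` lists the proxied connections and `pfctl -s info` carries a `synproxy` counter that shows whether the rule is doing work. Two caveats: synproxy only works when pf sees both directions of the connection (no asymmetric routing), and the proxied handshakes still occupy state-table entries, so watch the `state-limit` counter and raise `set limit states` if the flood approaches it.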

Archived: 2 Comments

BK6111CNG | June 23, 2004 4:24 PM


kinux | June 29, 2004 11:53 PM

What kind of SYN FLOOD is it? Why don’t you try to use a sniffer to capture the packets?
But you may try to install SNORT; there should be some rules that help you check what kind of attack it is and give you an alert.
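Before reaching for a sniffer or SNORT, a cheaper first check is whether the flood is actually reaching the host's TCP stack: count half-open connections per remote address in `netstat -an` output. The script below is an added example, not part of the post or the comments; the netstat lines it reads are constructed, and on a live FreeBSD box you would pipe real `netstat -an` output into the function instead.

```shell
# Added example, not from the original post: count half-open (SYN_RCVD) TCP
# connections per remote address from `netstat -an` output. A handful of
# SYN_RCVD entries per peer is normal; hundreds from one address, or many
# peers that never progress to ESTABLISHED, is what a SYN flood looks like
# from the victim's side. Sample output below is constructed.

count_syn_rcvd() {
    # Reads netstat -an lines on stdin; prints "<count> <remote-ip>" for
    # every remote address with at least $1 half-open connections
    # (default 1), highest count first.
    threshold="${1:-1}"
    awk -v thr="$threshold" '
        ($1 == "tcp4" || $1 == "tcp6") && $6 == "SYN_RCVD" {
            ip = $5
            sub(/\.[0-9]+$/, "", ip)   # strip the trailing .port from the foreign address
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Constructed sample of `netstat -an` on a FreeBSD mail host (documentation addresses).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.25.25          203.0.113.7.40112      SYN_RCVD
tcp4       0      0  192.0.2.25.25          203.0.113.7.40113      SYN_RCVD
tcp4       0      0  192.0.2.25.25          203.0.113.7.40114      SYN_RCVD
tcp4       0      0  192.0.2.25.25          198.51.100.9.51000     ESTABLISHED
tcp4       0      0  192.0.2.25.25          198.51.100.9.51001     SYN_RCVD
tcp4       0      0  192.0.2.25.22          198.51.100.30.2222     ESTABLISHED'

# Usage: report remote addresses holding two or more half-open connections.
# On a live host: netstat -an | count_syn_rcvd 50
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_rcvd 2
```

If the half-open count stays near zero while the upstream logs still show the SYNs, the proxy or firewall is absorbing them; if it climbs, the host itself is taking the hit and needs its own protection, which is the point the post makes.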