tgarrisFRAMELOSS.ORG

• Next message: undef: "virus.beergrave.net"
• Previous message: Matt Conover: "Re: "How Named Pipe Security Works" (update)"
• In reply to: C. K. Lung: "PORT or PASV mode of IIS 4.0's FTP"
• Next in thread: Makoto Shiotsuki: "Re: PORT or PASV mode of IIS 4.0's FTP"
• Reply: Todd Garrison: "Re: PORT or PASV mode of IIS 4.0's FTP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This sounds alot like SynDefender responding to what it believed was a
syn flood. I have seen many an admin configure SYN flood protection on
their firewall not realizing the consequences. It is a dangerous
feature that I personally don't see the benefit of using, it is more
likely to make your server unavailable than to protect it.

A packet dump would probably be the most helpful - are your connections
normally torn down or do you just get cut off with an RST?

If it is configured for, say 100 SYNs per minute, and you have a
reasonbly quick connection - the 101st SYN packet through the firewall
would cause any connections from your IP to be dropped by the firewall.

>
> The ftp client is trying to "get" 15,000 1-K files from the IIS's FTP
> server, the connection is killed by FW-1 after it got 100 files. The
> fw-log shows that when the client's "source port" hit a "pre-defined
> service (port) in the rulebase, the connection is dropped. CP
> explained that FW-1 thought that it was a security violation.
>

• Next message: undef: "virus.beergrave.net"
• Previous message: Matt Conover: "Re: "How Named Pipe Security Works" (update)"
• In reply to: C. K. Lung: "PORT or PASV mode of IIS 4.0's FTP"
• Next in thread: Makoto Shiotsuki: "Re: PORT or PASV mode of IIS 4.0's FTP"
• Reply: Todd Garrison: "Re: PORT or PASV mode of IIS 4.0's FTP"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]