  • wired SYN_SENT flood

    Hi all,
    I'm running Win2k3 Enterprise Edition as a web server using both IIS6 and Apache, PHP5, hMailServer, MySQL and Serv-U FTP.
    I'm using ClamWin as the main antivirus scanner and a tool from Trend Micro for threat removal, but I cannot update either of them,
    because I cannot resolve domain names to IPs, either in the web browser or when testing connectivity with ping. I also cannot resolve Microsoft's domain name, yet nslookup works fine; please refer to the attached photo for details
    of what happens when I ping both update servers (please see pic).
    Even though I'm using OpenDNS servers as the name servers,
    and by the way I changed the name servers to another name server, it's still the same.
    Here's the error from the ClamWin update manager:
    ClamAV update process started at Thu May 21 17:34:15 2009
    main.cld is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
    WARNING: Can't get information about Unknown error
    WARNING: getpatch: Can't download daily-9370.cdiff from
    WARNING: Can't get information about Unknown error
    Trying again in 5 secs...

    So far it seems like a DNS resolution problem.
    I noticed a weird SYN_SENT flood; I ran netstat -ano to see in/outbound connections
    and got the following:
    netstat -ano | find " SYN_SENT"
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP SYN_SENT 940
    TCP ...............
    (output truncated for brevity)
    PID 940 belongs to svchost.exe.
    How can I solve the SYN_SENT problem? I've got loads of them, maybe 80 connection requests or more.
    I scanned the server for viruses but found nothing.
    Also I cannot resolve

    Any ideas?
    Thanks in advance.
    Last edited 21st May 2009, 21:29. Reason: add new information

  • #2
    Re: wired SYN_SENT flood

    Cleared the DNS cache??

    Rebooted the machine??

    Anything in the firewall restricting the server from contacting the net??


    • #3
      Re: wired SYN_SENT flood

      Which svchost process does it belong to?
      Grab the PID of the connection from netstat, e.g.
      Active Connections

      Proto Local Address Foreign Address State PID
      TCP LISTENING 1840

      gives me PID 1840. Just running tasklist tells me PID 1840 is svchost;
      if I run tasklist /svc, however, it tells me what's running under that generic application. For instance, I now know that PID 1840 on my workstation is the RPC service:

      svchost.exe 1772 DcomLaunch, TermService
      svchost.exe 1840 RpcSs

      The difference is in the output of tasklist by itself:
      svchost.exe 1840 Console 0 5,056 K

      From there, you may be able to identify a rogue application...

      Also... isn't port 445 normally an LDAP, or other AD-like, port? Your machine there is trying to contact public addresses on port 445... this is making me quite suspicious.


      • #4
        Re: wired SYN_SENT flood

        Thanks for your reply.
        By the way, I already flushed the DNS cache, rebooted the machine multiple times, and I'm using the Windows built-in firewall,
        but I didn't try disabling it just for checking. I'll try disabling it and see what happens after disabling the firewall.


        • #5
          Re: wired SYN_SENT flood

          Thanks for your reply.
          I'll try your tips about grabbing the processes, see what comes up, and post the results ASAP.
          By the way, what do you mean by
          "the difference is in the output: tasklist by itself.
          svchost.exe 1840 Console 0 5,056 K"?
          I couldn't get it.


          • #6
            Re: wired SYN_SENT flood

            I disabled the built-in firewall but the DNS resolution is still the same.
            I ran tasklist /svc
            (please note that svchost.exe still has the same PID I mentioned above, PID 940)
            and got the following:
            svchost.exe 724 DcomLaunch
            svchost.exe 816 RpcSs
            svchost.exe 888 Dhcp, Dnscache
            svchost.exe 924 LmHosts, W32Time
            svchost.exe 940 AeLookupSvc, Browser, CryptSvc, dmserver,
            EventSystem, helpsvc, HidServ,
            lanmanserver, lanmanworkstation, Netman,
            Nla, Schedule, seclogon, SENS,
            SharedAccess, ShellHWDetection, TrkWks,
            winmgmt, WZCSVC

            I also ran netstat with no options and got the following:


            Active Connections

            Proto  Local Address              Foreign Address            State
            TCP    elearnsrvr:1041            elearnsrvr:3306            ESTABLISHED
            TCP    elearnsrvr:1045            elearnsrvr:3306            ESTABLISHED
            TCP    elearnsrvr:2588            elearnsrvr:3306            TIME_WAIT
            TCP    elearnsrvr:3041            elearnsrvr:3306            ESTABLISHED
            TCP    elearnsrvr:3306            elearnsrvr:1041            ESTABLISHED
            TCP    elearnsrvr:3306            elearnsrvr:1045            ESTABLISHED
            TCP    elearnsrvr:3306            elearnsrvr:3041            ESTABLISHED
            TCP    elearnsrvr:3593            elearnsrvr:3306            TIME_WAIT
            TCP    elearnsrvr:4117            elearnsrvr:3306            TIME_WAIT
            TCP    elearnsrvr:http                                       TIME_WAIT
            TCP    elearnsrvr:epmap           elearnsrvr:2298            ESTABLISHED
            TCP    elearnsrvr:2298            elearnsrvr:epmap           ESTABLISHED
            TCP    elearnsrvr:2593            elearnsrvr:imap            TIME_WAIT
            TCP    elearnsrvr:ms-wbt-server                              ESTABLISHED
            TCP    elearnsrvr:3594            elearnsrvr:imap            TIME_WAIT
            TCP    elearnsrvr:4143                                       FIN_WAIT_1
            TCP    elearnsrvr:4491                                       SYN_SENT
            TCP    elearnsrvr:4492                                       SYN_SENT
            TCP    elearnsrvr:4493            microsoft-ds               SYN_SENT
            TCP    elearnsrvr:4494                                       SYN_SENT
            TCP    elearnsrvr:4495            microsoft-ds               SYN_SENT
            TCP    elearnsrvr:4496                                       SYN_SENT
            TCP    elearnsrvr:4497                                       SYN_SENT
            TCP    elearnsrvr:4498                                       SYN_SENT
            TCP    elearnsrvr:4499                                       SYN_SENT
            TCP    elearnsrvr:ipsec-msft                                 SYN_SENT
            TCP    elearnsrvr:4501                                       SYN_SENT
            TCP    elearnsrvr:4502                                       SYN_SENT
            TCP    elearnsrvr:4503                                       SYN_SENT
            TCP    elearnsrvr:4504                                       SYN_SENT
            TCP    elearnsrvr:4505                                       SYN_SENT
            TCP    elearnsrvr:4506                                       SYN_SENT
            TCP    elearnsrvr:4507                                       SYN_SENT
            TCP    elearnsrvr:4508                                       SYN_SENT
            TCP    elearnsrvr:4509                                       SYN_SENT
            TCP    elearnsrvr:4510                                       SYN_SENT
            TCP    elearnsrvr:4511                                       SYN_SENT
            TCP    elearnsrvr:4512                                       SYN_SENT
            TCP    elearnsrvr:4513                                       SYN_SENT
            TCP    elearnsrvr:4514                                       SYN_SENT
            TCP    elearnsrvr:4515                                       SYN_SENT
            TCP    elearnsrvr:4516                                       SYN_SENT
            TCP    elearnsrvr:4517                                       SYN_SENT
            TCP    elearnsrvr:4518                                       SYN_SENT
            TCP    elearnsrvr:4519            microsoft-ds               SYN_SENT
            TCP    elearnsrvr:4520                                       SYN_SENT
            TCP    elearnsrvr:4521                                       SYN_SENT
            TCP    elearnsrvr:4522                                       SYN_SENT
            TCP    elearnsrvr:4523                                       SYN_SENT
            TCP    elearnsrvr:4524                                       SYN_SENT
            TCP    elearnsrvr:4525            microsoft-ds               SYN_SENT
            TCP    elearnsrvr:4526                                       SYN_SENT
            TCP    elearnsrvr:4527                                       SYN_SENT
            TCP    elearnsrvr:4528                                       SYN_SENT
            TCP    elearnsrvr:4529                                       SYN_SENT
            TCP    elearnsrvr:4530                                       SYN_SENT
            TCP    elearnsrvr:4531                                       SYN_SENT
            TCP    elearnsrvr:4532                                       SYN_SENT
            TCP    elearnsrvr:4533                                       SYN_SENT

            O people of expertise,
            any ideas?

            Thanks in advance for your help.


            • #7
              Re: wired SYN_SENT flood

              It looks to me that based on the large number of SYN_SENT entries on sequential port numbers that someone is running a port space probe against this server. What do you have for a firewall? Try disconnecting your internet connection at your router and see if the SYN_SENT entries go away. If they do then I would look into blocking address and port space probes at the firewall.


              • #8
                Re: wired SYN_SENT flood

                My thoughts are similar to Joe's.
                It could be a sign of a SYN flood.
                Basically, engineered SYN packets with no source address (or a forged one) are targeting your system. Some sort of DoS.
                If that's the case look into this:


                • #9
                  Re: wired SYN_SENT flood

                  L4ndy and joeqwerty,
                  thanks for your helpful replies.
                  @joeqwerty: I cannot disconnect the internet connection now because I'm dealing with the server remotely; I'll do it when I'm near the server and see what happens when I disconnect. By the way, I'm using the Win2k3 built-in firewall; how can I block addresses and port space probes?
                  @L4ndy: I thought that my server is initiating those connections, as the entries say
                  TCP elearnsrvr:4533 SYN_SENT
                  SYN_SENT, and all targeting different addresses with the same port.
                  What about the DNS resolution problem? Ping is not working, the web browser cannot look up the Microsoft website, and ClamWin and cannot update their databases, even though nslookup works fine as shown in the picture above.


                  • #10
                    Re: wired SYN_SENT flood

                    I can tell you without a doubt that the SYN_SENT connections are an inbound port space probe against the server. I can also tell you without a doubt that the Windows firewall does not protect against a port space probe, it only protects against actual connections. The port space probe that is occurring is not making any connections it's only scanning to determine what ports are open and "listening". I wouldn't wait too long to address it as you run the risk of the server being compromised.


                    • #11
                      Re: wired SYN_SENT flood

                      What about the DNS resolution problem? What do you think the problem is?


                      • #12
                        Re: wired SYN_SENT flood

                        It could be that the NIC on the server is overloaded by the SYN_SENT probe and it's affecting network communications. I would deal with the SYN_SENT issue first and then see where things are at. I hate to be an alarmist but someone is scanning your server and as soon as they build their list of open ports they are going to start trying to break in to the server. If this were happening to me I would drop everything else and tend to it immediately.


                        • #13
                          Re: wired SYN_SENT flood

                          You know, after looking at your netstat output again, here's what I'm thinking:

                          An inbound port scan would result in a large number of SYN_SENT connections from the same external ip address to a sequential list of port numbers on the server. What you have is a large number of SYN_SENT connections from a sequential list of ports on the server to different external ip addresses. Normally a port probe can be identified by a large number of SYN_SENT connections from the same external ip address but you have the opposite.

                          The foreign port listed is microsoft-ds, which is port 445 which is used for SMB (server message block) communications (NetBIOS).

                          I think the server is either already compromised and it's acting as a zombie to probe the external ip addresses or the server's network components are screwed up. Try disabling NetBIOS over TCP/IP on the properties of the server NIC and see if it stops. Also, check the DNS settings on the server again and make sure they're correct. Is this server a member of an AD domain?
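                          Two points in this thread lend themselves to a worked check: the tip in #3 about mapping a PID from netstat to the services hosted by that svchost.exe via tasklist /svc, and the reading in #13 of what the SYN_SENT pattern means. The script below is an added example and is not code posted by anyone in the thread. It parses constructed samples of `netstat -ano` and `tasklist /svc` output (made-up PIDs, RFC 5737 documentation addresses, modelled on the output pasted above), joins them on PID, and reports whether a PID's SYN_SENT sockets look like a sweep of many hosts on one port or a scan of one host on many ports. One fact worth keeping in mind while reading it: SYN_SENT is the state of the side that sent the SYN, so a socket in that state on this server was opened by this server; an inbound scan would show briefly as SYN_RECEIVED on open ports, or not at all on closed ones. The threshold of five sockets is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `netstat -ano` output, modelled on the thread.  The
# addresses are RFC 5737 documentation ranges and the PIDs are invented.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1041        192.0.2.10:3306        ESTABLISHED     1712
  TCP    192.0.2.10:3389        198.51.100.23:52211    ESTABLISHED     1180
  TCP    192.0.2.10:4491        203.0.113.7:445        SYN_SENT        940
  TCP    192.0.2.10:4492        203.0.113.91:445       SYN_SENT        940
  TCP    192.0.2.10:4493        203.0.113.140:445      SYN_SENT        940
  TCP    192.0.2.10:4494        203.0.113.18:445       SYN_SENT        940
  TCP    192.0.2.10:4495        203.0.113.205:445      SYN_SENT        940
  TCP    192.0.2.10:4496        203.0.113.66:445       SYN_SENT        940
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /svc` output; long service lists wrap onto
# indented continuation lines, as the real tool prints them.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    888 Dhcp, Dnscache
svchost.exe                    924 LmHosts, W32Time
svchost.exe                    940 AeLookupSvc, Browser, CryptSvc, dmserver,
                                   EventSystem, lanmanserver, lanmanworkstation,
                                   Netman, Schedule, winmgmt
"""

class Conn(NamedTuple):
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    pid: int

_NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_TASKLIST_ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")

def _split_endpoint(ep: str) -> Tuple[str, int]:
    host, port = ep.rsplit(":", 1)          # rsplit keeps bracketed IPv6 intact
    return host, int(port)

def parse_netstat(text: str) -> List[Conn]:
    """TCP rows of `netstat -ano`; header, blank and UDP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_TCP.match(line)
        if m:
            (lh, lp), (fh, fp) = _split_endpoint(m[1]), _split_endpoint(m[2])
            conns.append(Conn(lh, lp, fh, fp, m[3], int(m[4])))
    return conns

def _services(s: str) -> List[str]:
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]

def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """PID -> (image name, services), re-joining wrapped service lists."""
    out: Dict[int, Tuple[str, List[str]]] = {}
    last_pid = None
    for line in text.splitlines():
        if line.startswith("Image Name") or line.startswith("="):
            continue
        if line[:1].isspace() and last_pid is not None:   # continuation line
            out[last_pid][1].extend(_services(line))
            continue
        m = _TASKLIST_ROW.match(line)
        if m:
            last_pid = int(m[2])
            out[last_pid] = (m[1], _services(m[3]))
    return out

def syn_sent_by_pid(conns: List[Conn]) -> Counter:
    return Counter(c.pid for c in conns if c.state == "SYN_SENT")

def classify_syn_sent(conns: List[Conn], pid: int, threshold: int = 5) -> dict:
    """Describe the SYN_SENT sockets owned by `pid` (all locally initiated)."""
    mine = [c for c in conns if c.state == "SYN_SENT" and c.pid == pid]
    hosts, ports = {c.faddr for c in mine}, sorted({c.fport for c in mine})
    lports = sorted(c.lport for c in mine)
    sequential = bool(lports) and lports[-1] - lports[0] + 1 == len(lports)
    if len(mine) >= threshold and len(ports) == 1 and len(hosts) > 1:
        verdict = "outbound sweep"        # one port, many hosts: probing others
    elif len(mine) >= threshold and len(hosts) == 1 and len(ports) > 1:
        verdict = "outbound port scan"    # one host, many ports
    else:
        verdict = "no pattern"
    return {"count": len(mine), "foreign_hosts": len(hosts), "foreign_ports": ports,
            "sequential_local_ports": sequential, "verdict": verdict}

def report(netstat_text: str, tasklist_text: str) -> List[dict]:
    """One row per PID with SYN_SENT sockets, busiest first, with its services."""
    conns, svcs = parse_netstat(netstat_text), parse_tasklist_svc(tasklist_text)
    rows = []
    for pid, _ in syn_sent_by_pid(conns).most_common():
        image, names = svcs.get(pid, ("?", []))
        rows.append({"pid": pid, "image": image, "services": names,
                     **classify_syn_sent(conns, pid)})
    return rows

if __name__ == "__main__":
    for row in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(row)
```

                          On a live box the two samples would be replaced by the captured output of `netstat -ano` and `tasklist /svc`. The service list only narrows the suspect to one of the services sharing the svchost.exe instance (or to something injected into it), which is as far as these two tools can take you.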


                          • #14
                            Re: wired SYN_SENT flood

                            Thanks for your invaluable tips.
                            By the way, I rebooted the machine multiple times and the DNS resolution problem still exists.
                            I'm having this problem with some specific hosts such as
                    which is where ClamWin updates its database
                    which is where updates its database
                            Please refer to for more info about the tool.
                            I made a cmd script (scheduled task) to grab updates for as follows, using GNU wget:

                            pushd c:\SysClean
                            :: original extraction line, kept commented out
                            ::winrar x *.zip
                            :: extract in background mode (-IBCK), overwriting existing files (-o+)
                            winrar x -IBCK -o+ *.zip
                            :: remove the leftover package files
                            del /F /Q lpt*.* ssap*.*
                            popd

                            I did an nmap test against my server
                            with the following options and arguments:
                            nmap -p1-5000 -T4 -sS
                            and got the following result:
                            Starting Nmap 4.75 ( ) at 2009-05-22 22:54 Central Europe Daylight Time
                            Interesting ports on xxx (
                            Not shown: 4992 filtered ports
                            PORT STATE SERVICE
                            21/tcp open ftp
                            25/tcp open smtp
                            80/tcp open http
                            110/tcp open pop3
                            143/tcp open imap
                            443/tcp closed https
                            3306/tcp open mysql
                            3389/tcp open ms-term-serv

                            Nmap done: 1 IP address (1 host up) scanned in 69.06 seconds

                            As a guru, do you think I'm in danger with those open ports?
                            I'm running both IIS6 and Apache as web servers,
                            PHP5, MySQL 5, Serv-U FTP, (LMS for e-learning) and hMailServer as services.
                            And what sort of firewalls do you recommend?
                            Thanks again.
                            Last edited 22nd May 2009, 22:55.


                            • #15
                              Re: wired SYN_SENT flood

                              No, it's not an AD member; it's a standalone web server exposed to the internet with a real static IP address.
                              I already disabled NetBIOS on the first active NIC, and File and Printer Sharing for Microsoft Networks.
                              I made an extra check of the DNS settings; all are correct. I'm using OpenDNS but I changed them multiple times to different name servers.