How to detect an intranet SYN flood?


This Content is from ServerFault. Question asked by EyeQ Tech

I have this problem: whenever I plug a Linux server into the intranet, the whole network slows down and then dies. Every ping/ssh connection within the intranet times out.
I unplugged it, then everything came back to normal. Searching around suggested to me (note, this is my assumption, I can be wrong) that it might be an internal SYN flood attack: somehow malware got into the culprit machine and did a SYN flood attack on the router.

I can log in to the suspected machine via direct GUI. Which Linux command should I start with to inspect it?




This question and answer are collected from ServerFault and are licensed under the terms of CC BY-SA 2.5, CC BY-SA 3.0, CC BY-SA 4.0.
