WARNING!!!

poison

Seasoned Expediter
Our anti-virus keeps capturing a network attack when we log onto Panther's website. The warning says:
"intrusion.generic.tcp.flags.combine.attack from address 216.207.216.11"
Are any other Panther drivers receiving anything like this when they sign in? Our anti-virus captures and repels it, but we get it every time we sign on.
 

davekc

Senior Moderator
Staff member
Fleet Owner
Not sure? We just logged on after reading your message and it is working as it usually does. Maybe a network problem with your server?

Davekc
owner
23 years
PantherII
EO moderator
 

Moot

Veteran Expediter
Owner/Operator
I logged on to Panther's website and then ran a McAfee virus scan and found nothing.
 

Dreamer

Administrator Emeritus
Charter Member
That message normally means a hacker is trying to access your computer, and it just blocked it. Makes no sense why it would be coming from Panther computers, though. If so, others would see it also.

Whatever it is, your firewall caught the attack.



Dreamer
Forums Administrator

Have a Sprinter van? Check out the forums at MySprinterVan.com (http://www.mysprintervan.com)

OTR? Check out Truckme.com (http://www.truckme.com)

"Ability can take you to the top, but it takes Character to keep you there."

- Zig Ziglar
 

Turtle

Administrator
Staff member
Retired Expediter
Short answer - It's not an attack. Don't worry about it.

It's coming from one of Panther's servers (216.207.216.11).

Long answer - Yawn ZZZzzz...

The alert was probably "intrusion.generic.tcp.flags.bad.combine.attack" instead of "intrusion.generic.tcp.flags.combine.attack".

I'm guessing you use Kaspersky. Just a guess.

Without going into a full-blown "TCP/IP 101" class here, in order for computers to communicate with each other, each TCP/IP packet header contains certain bytes of information that, in the equivalent of radio communications, would be like saying, "Over" when you finish what you are saying, and the other computer saying, "Acknowledged" that they have received and understood what you said.

One of the bytes in a header can contain 8 bits that can be set (flagged) to ON or OFF to alter the meaning of the bit.

TCP flags include ACK (acknowledge), SYN (synchronize), FIN (finished), RST (reset), URG (urgent), and PSH (pushes data without regard to buffers); there are others.

One way for a hacker to get around a firewall is to combine different TCP flags that normally aren't used together, like, for example, in combining SYN and FIN together when scanning a computer in order to find out which system it is running.

It is highly unlikely that a Panther server would be configured to use such a method to scan computers that are logging on to the system. There are easier ways of finding out what system and browser you are using when you log on, particularly since your computer offers up that information without being asked for it in the first place.

So, it's one of two things going on here. One is that Panther's servers are misconfigured, which wouldn't surprise me seeing how their Javascript won't work with anything other than MSIE. That's the mark of bad programming, and if the same programmers are in charge of the server configurations, there ya go.

Now, it could also be that they are using the Javascript on the far less secure MSIE browser platform specifically in order to get some information about your system that they really don't need to know, and it's why the scripts don't work on Firefox (because Firefox won't give it up regardless). But that's so unlikely. One in a million. No reason to do so. (For example, the first time a military contractor logged on to Panther's Web site and detected such an attack would be that last time Panther hauled a military load of any kind.)

Most likely, the problem is with certain firewalls (Kaspersky in particular, but a few others) and proxy servers, along with a possibly slight misconfiguration of the Panther server software. I say possibly slight because they could change a couple of things that would solve the problem, but it's not really their problem, and it's not really a problem to begin with.

If you're at home and your ISP does not utilize a proxy server in any way, nor do you use any kind of "speed up" software, and you still get the error, then it's definitely a server configuration problem (or you definitely use Kaspersky). But, when you access the net from the road, from truck stops, wireless aircards, most motels, those ISPs are running all of your Internet traffic through their own proxy servers (NAT servers) and then send your data out onto the net.

TCP packets getting passed back and forth between proxy servers can sometimes get altered or confused, even to the point where some of the flags are changed, or rather appear to have been changed, to the point where it looks like bad combinations of TCP flags are being used.

A good firewall will catch a bad.flag.combine attack, a bad firewall won't. But a marginal firewall will err on the side of caution and not be able to tell the difference between an actual bad.flag.combine attack (one where the other computer initiates things) and one that merely appears to be an attack (one where your computer initiates things and is then attacked by the computer that you just logged on to).

Slow and steady, even in expediting, wins the race - Aesop
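As an added illustration of the flag check Turtle describes (this is example code, not anything from the thread or from Panther's or Kaspersky's software), the following parses the flags byte of a raw TCP header and flags the combinations a firewall would consider "bad", such as SYN+FIN. The header bytes are constructed inline as sample input; the combination list is an assumption modelled on common firewall rules.

```python
import struct
from typing import Optional, Set

# TCP flag bits live in byte 13 of the TCP header (ECE/CWR are the two high bits).
FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
CORE_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}


def tcp_flags(segment: bytes) -> Set[str]:
    """Return the names of the flags set in a raw TCP segment (header first)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    flag_byte = segment[13]
    return {name for name, bit in FLAG_BITS.items() if flag_byte & bit}


def bad_flag_combination(flags: Set[str]) -> Optional[str]:
    """Name the illegal or suspicious combination, or None for a normal segment.

    Assumed rule set: these are the combinations a flag-checking firewall
    typically alerts on; a real product's list may differ.
    """
    core = flags & CORE_FLAGS
    if not core:
        return "null scan (no flags)"          # no flags at all is never valid
    if {"SYN", "FIN"} <= flags:
        return "SYN+FIN"                        # open and close in one segment
    if {"SYN", "RST"} <= flags:
        return "SYN+RST"
    if core == {"FIN", "PSH", "URG"}:
        return "XMAS (FIN+PSH+URG)"
    if "FIN" in flags and "ACK" not in flags:
        return "FIN without ACK"                # a real close always carries ACK
    return None


def build_segment(src_port: int, dst_port: int, flag_names) -> bytes:
    """Construct a minimal 20-byte TCP header with the given flags (sample input)."""
    flag_byte = 0
    for name in flag_names:
        flag_byte |= FLAG_BITS[name]
    data_offset = 5 << 4  # 5 x 32-bit words, no options; reserved bits zero
    # src, dst, seq, ack, offset, flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset, flag_byte, 65535, 0, 0)
```

A segment can only be judged by its flags here; which side initiated the connection, the distinction Turtle says a marginal firewall cannot make, requires tracking connection state across segments.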
 

Turtle

Administrator
Staff member
Retired Expediter
I run AdMuncher, a popup blocker, ad blocker, stops most site annoyances, blocks most adware, spyware, cookie tracking, etc. It's small, fast, works well, is easily configurable and has browser extensions for even more flexibility (right click on an unwanted ad and then add it to the list of unwanted URLs). The data from ads, popups, unwanted flash animations, etc., isn't even retrieved (block retrieval of URL, or block links to URL), so it makes loading Web pages much faster, especially those that are otherwise loaded with banner ads. You can also selectively allow certain ads to be shown or not shown, and you can define what gets shown in their place (either a clickable link to the ad that simply says "munched", or it is removed entirely).


Slow and steady, even in expediting, wins the race - Aesop