>Number: 4761
>Category: general
>Synopsis: getting either dos attack or syn flood attacked
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: apache
>State: open
>Class: support
>Submitter-Id: apache
>Arrival-Date: Sat Jul 24 10:30:01 PDT 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.3.6
>Environment:
[EMAIL PROTECTED] bob]$ uname -a
Linux ns.science-discover.net 2.2.5-22 #1 Wed Jun 2 08:45:51 EDT 1999 i586
unknown
installed the rpm from the redhat release 6.0
running the server with all non IP virtual hosts
>Description:
Hi,
I have a site http://www.science-discover.net and this site is now
being syn attacked which is stopping the apache server only ftp and telnet
ssh work fine.
I get no error messages or access messages from the server. When I
start up the server it will not send any pages. If I change the IP address
to a new one then all works fine.
I have used a program called tcpdump on linux to find the www
requests coming in from non existent sites and IP address some of the log
is below. I have checked every where for this problem and no one seems to
have reported it.
apache setup to do non IP vertual hosts. The server worked fine for all
virtual sites up to the point that theses messages started coming in.
some of the tcpdump logs showing what is going on.
12:21:22.011576 9.241.134.73.1947 > ns.science-discover.net.www: S
674719801:674719801(0) win 65535
12:21:22.026358 215.218.0.154.1987 > ns.science-discover.net.www: S
674719801:674719801(0) win 65535
12:21:22.029008 188.213.76.79.2217 > ns.science-discover.net.www: S
674719801:674719801(0) win 65535
This causes apache not to send out any pages for the server.
any help you can give on this would be appreciated.
the server says all processes are up and running when I do a ps aux
it shows all 10 runing and one is owned by root all the rest are owned by nobody
root 2604 0.0 2.0 2424 1252 ? S 11:18 0:00 httpd
nobody 2605 0.0 2.3 2632 1436 ? S 11:18 0:00 httpd
nobody 2606 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2607 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2608 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2609 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2610 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2611 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2612 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2613 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
nobody 2614 0.0 2.1 2608 1332 ? S 11:18 0:00 httpd
>How-To-Repeat:
http://www.science-discover.net
>Fix:
No not yet
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, you need]
[to include <[EMAIL PROTECTED]> in the Cc line and make sure the]
[subject line starts with the report component and number, with ]
[or without any 'Re:' prefixes (such as "general/1098:" or ]
["Re: general/1098:"). If the subject doesn't match this ]
[pattern, your message will be misfiled and ignored. The ]
["apbugs" address is not added to the Cc line of messages from ]
[the database automatically because of the potential for mail ]
[loops. If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request from a ]
[developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
