Here is a clear example of what I am up against

tcp        0      0 192.168.1.3:80          51.189.12.20:44005 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:3241 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:45024 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:45581 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:35868 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:13274 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:61994 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:12884 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:27740 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:42770 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:42194 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:19983 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:65348 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:15570 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:31954 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:20130 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:10930 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:5062 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:63390 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:2011 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:11260 SYN_RECV
tcp        0      0 192.168.1.1:80          51.189.12.20:38595 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:62897 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:30273 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:43825 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:7057 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:41971 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:41182 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:10025 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:16376 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:37065 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:57915 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:64800 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:58396 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:854 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:7538 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:46706 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:63466 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:46577 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:26128 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:7494 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:23729 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:60079 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:9427 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:13672 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:22563 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:26838 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:50520 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:41887 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:53727 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:59903 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:11863 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:48149 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:58911 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:29155 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:52098 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:60030 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:1246 SYN_RECV
tcp        0      0 192.168.1.3:80          151.189.12.20:35726 SYN_RECV
tcp        0      0 192.168.1.1:80          151.189.12.20:25560 SYN_RECV

I am going to block this guy and figure it out later.

William L. Thomson Jr. wrote:

> I seem to have a lot of entries in my dmesg log like the following
> 
> possible SYN flooding on port 80. Sending cookies.
> 
> Now using netstat I saw some connections similar to
> 
> www.obsidian-studios.com:www  66-182-46-206.atgi:2781 SYN_RECV
> 
> From time to time a particular IP address will have multiple lines like 
> the one above with multiple connections to each IP site on my server.
> 
> I have begun denying service to certain IPs that look like they are 
> abusing the server. So far I have denied all access from 6 IP addresses.
> 
> Although I am not too sure if that is what I should have done or not.
> 
> The kernel seems to have tcp_syncookies enabled, which I think is 
> correct, I can turn it off if it will help. But it is on by default, I 
> never turned it on.
> 
> Anyway I just want to make sure that I am addressing this situation 
> properly and not blocking people out of the server who are not trying to 
> abuse it.
> 
> Is this something I need to be concerned with, and what should I do 
> about it? It seems that after a period of time even IPs that have 
> multiple SYN_RECV connections end up disappearing. I am starting to 
> second guess my decision to block out those IPs.
> 
> Any comments, advice. Either is greatly appreciated.
> 


-- 
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone   707.766.9509
Fax     707.766.8989
http://www.obsidian-studios.com

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
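
Added example (not part of the original message or of any Cobalt tooling): one way to turn a netstat listing like the one above into a per-address count of half-open connections before deciding what to block. The function names, the default threshold of 10 and the sample addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Count SYN_RECV (half-open) connections per remote address
# from `netstat -nt` output on stdin. Also accepts pastes where the state
# column has wrapped onto its own line, as in the listing in this message.
# Prints "<count> <remote-ip>", highest count first, for peers at or above
# the threshold given as $1 (default 10, an assumed starting point).
syn_recv_by_peer() {
    awk -v min="${1:-10}" '
        function record(remote,    ip) {
            ip = remote
            sub(/:[0-9]+$/, "", ip)      # strip the source port
            count[ip]++
        }
        # Whole entry on one line: proto recv-q send-q local remote state
        $1 ~ /^tcp/ && $6 == "SYN_RECV" { record($5); pending = ""; next }
        # Entry whose state wrapped to the next line: remember the peer
        $1 ~ /^tcp/ && NF == 5          { pending = $5; next }
        # The wrapped state line that completes the remembered entry
        NF == 1 && $1 == "SYN_RECV" && pending != "" {
            record(pending); pending = ""; next
        }
        # Anything else (headers, other states) clears the remembered peer
        { pending = "" }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not real traffic): mixes one-line and wrapped
# entries, and includes established connections that must not be counted.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:44005       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:3241
SYN_RECV
tcp        0      0 192.0.2.11:80           203.0.113.7:45024
SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40100      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.4:51001
ESTABLISHED
EOF
}

# Demo on the constructed sample with a threshold of 3.
sample_netstat | syn_recv_by_peer 3
```

On a live host, pipe `netstat -nt` into the function instead of the sample. SYN_RECV is a normal transient state, so compare the counts across repeated runs before blocking an address.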