Could it be... that the remote servers are infected with Nimda (or similar)?
All the variants of those worms work sequentially through a bunch of /24 networks, starting with the one they are on and working outwards either side. They all attempt to connect to port 80.

Now the question for me is: why is your IP stack sitting at SYN_RECV instead of ESTABLISHED, CLOSE_WAIT or FIN_WAIT? Apache shouldn't be locking up - it should just spit back the appropriate HTTP error (if there is one!) and then ACK/ACK-FIN/FIN-ACK/RST the connection. I suspect, as it's an XTR and there were many things wrong with them, that there's either a kernel bug or Apache is broken. And it's not 'attacks', strictly speaking.

Have you looked in your Apache error logs?

Graeme

> ----------
> From: Jordan Lowe
> Reply To: [EMAIL PROTECTED]
> Sent: Sunday, December 30, 2001 20:28
> To: [EMAIL PROTECTED]
> Subject: [cobalt-security] syn_flood dos attack
>
> I'm having an issue on an old RaQ XTR (yes, the ones that have been
> recalled) with multiple IP addresses attacking port 80 on the server.
>
> [root /etc]# netstat -n | grep SYN
> tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
> tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
> tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
> tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
> tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
> tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
> [SNIP]
>
> Basically the attack goes all the way through each IP on the server
> (64.94.47.0/24) and locks up Apache.
>
> Every time I block the attacking IP address on the firewall, the attacker
> finds another machine to attack from.
>
> I know this is a firewall issue, but is there a way to stop this from
> happening on the server side?
>
> The kernel version is 2.2.16C23, which I thought had stopped this attack
> type by timing out SYN packets faster. But since they're hitting so many
> separate IP addresses, maybe that has something to do with it?
>
> Thanks,
> Jordan
>
> --
>
> Jordan Lowe
> Server Central Network
> (888) 875-4804 x255

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
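The distinction Graeme draws above, between a worm sweep (which completes the handshake and so shows up as ESTABLISHED / CLOSE_WAIT) and entries stuck in SYN_RECV (half-open: the third packet of the handshake never arrived), can be checked mechanically from `netstat -n` output. The script below is an added example and is not part of the thread; the sample output is constructed to mirror the lines Jordan posted, and the `min_hosts` threshold for calling a run of consecutive local addresses a "sweep" is an arbitrary choice of this example.

```python
"""Triage SYN_RECV (half-open) TCP entries in `netstat -n` output.

Groups half-open connections by remote address, checks whether the local
addresses hit form an unbroken run (the sequential /24 walk described in
the thread), and counts how many handshakes that remote actually
completed. A remote with many SYN_RECV entries and zero completed
handshakes is behaving like a SYN flood or a spoofed source, not like a
worm that expects to talk HTTP to the server.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the post (not a capture from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
tcp        0      0 64.94.47.100:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 64.94.47.100:22         203.0.113.9:40001       ESTABLISHED
"""

# One netstat -n line: proto, queues, local addr:port, remote addr:port, state.
NETSTAT_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*"
    r"(?P<state>[A-Z_0-9]*)\s*$"
)


def parse_netstat(text):
    """Return a list of dicts, one per socket line; headers are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def half_open_by_remote(conns, local_port="80"):
    """Map remote IP -> set of local IPs it holds in SYN_RECV on local_port."""
    out = defaultdict(set)
    for c in conns:
        if c["state"] == "SYN_RECV" and c["lport"] == local_port:
            out[c["raddr"]].add(c["laddr"])
    return out


def is_sequential_sweep(local_ips, min_hosts=4):
    """True if the local addresses form an unbroken consecutive run."""
    addrs = sorted(ipaddress.ip_address(ip) for ip in local_ips)
    if len(addrs) < min_hosts:
        return False
    return all(int(b) - int(a) == 1 for a, b in zip(addrs, addrs[1:]))


def triage(text, local_port="80", min_hosts=4):
    """Per remote IP: half-open count, sweep flag, completed handshakes."""
    conns = parse_netstat(text)
    report = {}
    for remote, locals_ in half_open_by_remote(conns, local_port).items():
        completed = sum(
            1 for c in conns
            if c["raddr"] == remote and c["state"] == "ESTABLISHED"
        )
        report[remote] = {
            "half_open": len(locals_),
            "sequential": is_sequential_sweep(locals_, min_hosts),
            "completed_handshakes": completed,
        }
    return report


if __name__ == "__main__":
    for remote, info in triage(SAMPLE_NETSTAT).items():
        print(remote, info)
```

Feed it `netstat -n` output from the box in question (`netstat -n | python3 triage.py` with a `sys.stdin.read()` in place of the sample). A remote that shows `sequential: True` together with `completed_handshakes: 0` is the case Graeme is asking about: the scan pattern of a worm, but no completed handshakes, which points at the stack or the path rather than at Apache. On a 2.2 kernel built with SYN cookie support, `/proc/sys/net/ipv4/tcp_syncookies` controls whether the backlog can be exhausted by half-open entries at all.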
