The main problem with a genuine SYN flood is that the attacker can very simply spoof the source IP address on the attacking packets. Because the attacker only sends a SYN packet, he/she doesn't need to receive any ACK packets, allowing him to randomly choose a source IP address.

----- Original Message -----
From: Jordan Lowe <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: 30 December 2001 20:28
Subject: [cobalt-security] syn_flood dos attack
I'm having an issue on an old RaQ XTR (yes, the ones that have been recalled) with multiple IP addresses attacking port 80 on the server.

[root /etc]# netstat -n | grep SYN
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
[SNIP]

Basically the attack goes all the way through each IP on the server (64.94.47.0/24) and locks up Apache. Every time I block the attacking IP address on the firewall, the attacker finds another machine to attack from. I know this is a firewall issue, but is there a way to stop this from happening on the server side? The kernel version is 2.2.16C23, which I thought had stopped this attack type by timing out SYN packets faster. But since they're hitting so many separate IP addresses, maybe that has something to do with it?

Thanks,
Jordan

--
Jordan Lowe
Server Central Network
(888) 875-4804 x255

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
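An added example, not part of the thread, that parses netstat -n output like the lines Jordan posted and measures the half-open (SYN_RECV) backlog per remote and per local address. The sample rows are constructed from the thread's output plus two extra rows (198.51.100.7 and 203.0.113.9) for contrast; the threshold of 5 is an arbitrary assumption, and, as the reply points out, per-source counts only mean something when the sources are not spoofed.

```python
import re
from collections import Counter

# Constructed sample modelled on the "netstat -n | grep SYN" output in the
# thread, with two extra rows (198.51.100.7, 203.0.113.9) added for contrast.
NETSTAT_SAMPLE = """\
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
tcp 0 0 64.94.47.100:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 64.94.47.100:80 203.0.113.9:1025 ESTABLISHED
"""

# tcp <recv-q> <send-q> <local>:<port> <remote>:<port> <state>
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_netstat(text):
    """Turn netstat -n TCP lines into dicts; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"local": m.group(1), "lport": int(m.group(2)),
                         "remote": m.group(3), "rport": int(m.group(4)),
                         "state": m.group(5)})
    return rows

def half_open(rows):
    """Only SYN_RECV entries, i.e. the server's half-open backlog."""
    return [r for r in rows if r["state"] == "SYN_RECV"]

def half_open_by(rows, key):
    """Count half-open connections per 'remote' or per 'local' address."""
    return Counter(r[key] for r in half_open(rows))

def flag_sources(rows, threshold):
    """Remote addresses holding at least `threshold` half-open slots (hypothetical
    threshold). Only meaningful when sources are real; a spoofed flood spreads
    its SYNs over random addresses and shows up in the per-local totals instead."""
    return sorted(ip for ip, n in half_open_by(rows, "remote").items() if n >= threshold)

if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("total half-open:", len(half_open(rows)))
    print("per local IP:", dict(half_open_by(rows, "local")))
    print("sources at or over threshold:", flag_sources(rows, 5))
```

On a live box, feed it `netstat -n` output instead of the sample; a large per-local total with no source over the threshold is the signature of the spoofed case the reply describes.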
