Hi Jordan,

>I'm having an issue on an old RaQ XTR (yes, the ones that have been 
>recalled) with multiple IP addresses attacking port 80 on the server.
>
>
>[root /etc]# netstat -n | grep SYN
>tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
>tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
>tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
>tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
>tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
>tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
>[SNIP]

Are there *many* more?

>Basically the attack goes all the way through each ip on the server 
>(64.94.47.0/24) and locks up apache.

Hmmm... This has happened to a machine (non-RaQ) of mine as well. All IPs 
belong to broadband ISPs in either the USA or Canada and the IPs are 
unreachable (which would indeed indicate a SYN flood with spoofed IPs). On 
this machine, the number of connections in SYN_RECV state is hardly ever 
more than 20-30, so I can't really call it a 'flood'.

I have a limited number of IPs on that machine and apache keeps running 
perfectly.

>Every time I block the attacking IP address on the firewall, the attacker 
>finds another machine to attack from.

Indeed.

>I know this is a firewall issue, but is there a way to stop this from 
>happening on the server side?

Hardly a firewall issue, IIRC; it can be fixed within the kernel. Try this 
as root:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

But check the path first; this is from memory. If it works, add it to rc.local.

Good luck... Nico
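As an added example (not from the thread above), a small script that parses `netstat -n` output and groups SYN_RECV entries by remote address, so you can see at a glance whether one source is walking through every local IP as in Jordan's listing. The sample input is constructed from the quoted lines; the `report` threshold of 5 is an arbitrary assumption.

```python
#!/usr/bin/env python3
"""Summarise half-open (SYN_RECV) connections from `netstat -n` output.

Run on a live host as:  netstat -n | python3 synrecv.py
With no stdin it falls back to the constructed SAMPLE below.
"""
import sys
from collections import defaultdict

# Constructed sample modelled on the netstat lines quoted in the thread
# (one ESTABLISHED row added to show it is ignored).
SAMPLE = """\
tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
tcp        0      0 64.94.47.104:80         10.0.0.5:51000          ESTABLISHED
tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
"""

def split_addr(addr):
    """Split 'host:port' into (host, port); rpartition also copes with IPv6."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def summarize_syn_recv(netstat_text):
    """Return {remote_ip: {"count", "local_ips", "local_ports"}} for every
    remote address that has connections sitting in SYN_RECV."""
    stats = defaultdict(lambda: {"count": 0, "local_ips": set(), "local_ports": set()})
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -n rows: proto recv-q send-q local-addr remote-addr state
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "SYN_RECV":
            continue
        local_ip, local_port = split_addr(fields[3])
        remote_ip, _ = split_addr(fields[4])
        entry = stats[remote_ip]
        entry["count"] += 1
        entry["local_ips"].add(local_ip)
        entry["local_ports"].add(local_port)
    return dict(stats)

def report(stats, min_count=5):
    """Report lines for sources holding >= min_count half-open sockets, worst first."""
    lines = []
    for ip, e in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        if e["count"] >= min_count:
            lines.append(f"{ip}: {e['count']} SYN_RECV across {len(e['local_ips'])} "
                         f"local IPs, local ports {sorted(e['local_ports'])}")
    return lines

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(summarize_syn_recv(text))) or "no source at threshold")
```

A source with many SYN_RECV entries spread over several local IPs but no ESTABLISHED connections matches the spoofed-SYN pattern Nico describes; the script only counts, it does not test reachability.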

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security