Well, I tried using the iptables stuff (echo 1 > /proc/sys/net/ipv4/tcp_syncookies), and I still see the SYN stuff, but I think it's working. Apache hasn't crashed yet, which is great. Thanks Nico, I appreciate the info.

Thanks,
Jordan

--
Jordan Lowe
Server Central Network
(888) 875-4804 x255

Date: Tue, 01 Jan 2002 13:29:54 +0100
To: [EMAIL PROTECTED]
From: Nico Meijer <[EMAIL PROTECTED]>
Subject: Re: [cobalt-security] syn_flood dos attack
Reply-To: [EMAIL PROTECTED]

Hi Jordan,

> I'm having an issue on an old raq XTR (yes, the ones that have been
> recalled) with multiple ip addresses attacking port 80 on the server.
>
>
> [root /etc]# netstat -n | grep SYN
> tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
> tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
> tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
> tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
> tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
> tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
> [SNIP]

Are there *many* more?

> Basically the attack goes all the way through each ip on the server
> (64.94.47.0/24) and locks up apache.

Hmmm... This has happened to a machine (non-RaQ) of mine as well. All IPs belong to broadband ISPs in either USA or Canada and the IPs are unreachable (which would indeed indicate a SYN flood with spoofed IPs). On this machine, the number of connections in SYN_RECV state is hardly ever more than 20-30, so I can't really call it a 'flood'. I have a limited number of IPs on that machine and apache keeps running perfectly.

> Every time I block the attacking ip address on the firewall, the attacker
> finds another machine to attack from.

Indeed.

> I know this is a firewall issue, but is there a way to stop this from
> happening on the server side?

Hardly a firewall issue, IIRC; it can be fixed within the kernel. Try this as root:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

But check the path first; this is from memory. If it works, add it to rc.local.

Good luck...

Nico

--__--__--

Message: 2
Date: Tue, 1 Jan 2002 16:27:55 +0000
From: Nick Drage <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [cobalt-security] syn_flood dos attack
Reply-To: [EMAIL PROTECTED]

On Tue, Jan 01, 2002 at 01:29:54PM +0100, Nico Meijer wrote:
> > I'm having an issue on an old raq XTR (yes, the ones that have been
> > recalled) with multiple ip addresses attacking port 80 on the server.

As has been pointed out elsewhere, do ensure that this is a genuine SYN flood, rather than an annoyance. If there isn't an absolute barrage of packets, it could be a broken router, firewall or proxy server (especially as it's port 80) in the way. The broken device is sending the SYN to you, you're replying with an ACK, which at some point is then incorrectly dropped or misrouted on the way back; so you get a kind of gentle SYN flood effect.

--
Nick Drage - Security Architecture - Demon Internet
"A lonely voice
Echoing through the wilderness
Request Timed Out"

--__--__--

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
