Hi there,

I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to 
both) with nearly 150 customers on it. A few weeks ago the server suddenly 
stopped responding, at first once a day, but now it's a nightmare... 
sometimes it stays OK for days, then some day we start receiving 
SYN_RECV packets and the server dies.

I changed from the RaQ3 to the RaQ4 and today history repeated itself.

I've used tcp_syn_cookies, I have tried lots of ipchains firewalls, and 
nothing seems to help. Oh, and yes, I've installed up to the latest 
patch. The last thing I did was to create a script that I run every 2 minutes 
and that detects SYN_RECV connections; if more than 15 are detected, then 
those IPs are banned (ipchains). It has somehow stopped attacks, but it's 
not perfect... somehow the bastard does the nasty in those 2 minutes and 
kills my server.

Reading on the Internet I found that it's a problem affecting old 2.2.x 
kernels (x<17 I think)... if you use a firewall and also set 
tcp_syncookies to 1, somehow you are in danger. My concern is that I can 
NOT wait any longer for cobalt to release a new kernel, I've waited like 
2 months and no new updates regarding kernels. Is there ANY workaround I 
can do in order to avoid syn attacks? My clients are very upset with me 
because of the constant failures and I have no life.. saturday night, 
sundays early in the morning, friday afternoon, at any time my system 
has to be rebooted...

Please, help.

Ernesto
PS: My system has like 20 IP addresses. I can reduce them, but not by too 
much; I think that is also helping the attacker to distribute the SYN DoS.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
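
The detection step of the script the message describes (count SYN_RECV entries per remote address and flag those above 15), as an added example that is not the poster's script. The function names and the sample lines are constructed for illustration, and the input is assumed to be Linux `netstat -nt` output.

```shell
#!/bin/sh
# Added example: summarise half-open (SYN_RECV) connections from
# `netstat -nt` style output read on stdin. All names here are hypothetical.

# Print "count ip" for each foreign address with more than $1 SYN_RECV entries.
syn_recv_offenders() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # strip the :port suffix
            n[ip]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -rn
}

# Total SYN_RECV entries regardless of source: a second signal, useful
# when the half-open connections are spread thinly over many addresses.
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Constructed sample input (documentation address ranges, not real hosts):
# 17 half-open connections from one source, 3 from distinct sources,
# and one established connection that must be ignored.
sample_netstat() {
    echo "Proto Recv-Q Send-Q Local Address    Foreign Address      State"
    i=0
    while [ "$i" -lt 17 ]; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.5:$((40000 + i)) SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:80 198.51.100.7:1025 SYN_RECV"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.8:1026 SYN_RECV"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.9:1027 SYN_RECV"
    echo "tcp 0 0 192.0.2.10:25 198.51.100.20:3301 ESTABLISHED"
}

# Demo on the constructed sample; on a live host, pipe `netstat -nt` in instead.
echo "over threshold (15):"
sample_netstat | syn_recv_offenders 15
echo "total SYN_RECV: $(sample_netstat | syn_recv_total)"
```

SYN floods frequently use spoofed source addresses, so a per-address threshold can stay quiet while the total climbs, and a ban list built from it can include addresses that never sent the traffic.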
