At 05:58 PM 7/22/2002, you wrote: >Hi there, > >I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to both) >with near 150 customers in it, a few weeks ago the server suddenly stopped >responding, first once a day, but now it's a nightmare.. sometimes it >stays for days ok, then some day.. we start receiving SYN_RECV packets and >the server dies. > >Changed from raq3 to raq4 and today the history repeated again. > >I've used tcp_syn_cookies, I have tried lots of ipchains firewalls, and >nothing seems to help. Oh, adnd yes, I've installed until the latest >patch. The last thing I did was to create a script I run every 2 minutes >and detects SYN_RECV connections, if more than 15 are detected, then those >IPs are banned (ipchains) it has somehow stopped attacks, but it's not >perfect... somehow the bastard do the nasty in those 2 minutes and kill my >server. > >Reading in the internet I found that it's a problem affecting old 2.2.x >kernels (x<17 I think).. if you use a firewall and also set tcp_syncookies >to 1 somehow you are in danger. My concern is that I can NOT wait any >longer for cobalt to release a new kernel, I've waited like 2 months and >no new updates regarding kernels. Is there ANY workaround I can do in >order to avoid syn attacks? My clients are very upset with me because of >the constant failures and I have no life.. saturday night, sundays early >in the morning, friday afternoon, at any time my system has to be rebooted... > >Please, help. > >Ernesto >PS: My system has like 20 IP addresses I can reduce them, but not too >much, I think that is also helping the attacker to distribute the syn dos.
Does not seem to be the kernel. I mean not the Cobalt kernel. From what I have read, the fix to the kernel from Apache.org stopped the people from taking control of your server. It does not stop what you are getting. The Cobalt kernel has incorporated the changes to the current kernel. If you did the update you have the latest fix by Apache.org. Read this http://www.extremetech.com/article2/0,3973,302776,00.asp It appears the fix to apache just keeps the person from getting root access, not from doing the DOS. _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
