SYN Flood update: After setting MAX_CONNECTIONS from 128 to 1024 and having tcp_syncookies enabled, we are at a fairly useable level of service with only 350 or so connections being hit with SYN Flooding. Not a perfect solution, but a useable one until the attacks are stopped. Perhaps security is a bit lower as my logs are filled with lines like:
Apr 23 16:51:58 www1 kernel: possible SYN flooding on port 80. Sending cookies.
Apr 23 16:52:59 www1 kernel: possible SYN flooding on port 80. Sending cookies.
Apr 23 16:54:00 www1 kernel: possible SYN flooding on port 80. Sending cookies.
Apr 23 16:56:05 www1 last message repeated 2 times
Apr 23 16:57:11 www1 kernel: possible SYN flooding on port 80. Sending cookies.
Apr 23 16:58:37 www1 kernel: possible SYN flooding on port 80. Sending cookies.
Apr 23 17:00:37 www1 last message repeated 2 times
Apr 23 17:02:38 www1 last message repeated 2 times
Apr 23 17:03:39 www1 kernel: possible SYN flooding on port 80. Sending cookies.

and

It's harder to visually scan netstat to see what connections are going on:

<snip>
tcp        0      0 64.42.86.100:80      64.12.96.231:56422     SYN_RECV
tcp        0      0 64.42.86.100:80      152.163.188.39:52190   SYN_RECV
tcp        0      0 64.42.86.100:80      152.163.188.194:46797  SYN_RECV
tcp        0      0 64.42.86.104:80      216.148.246.134:35621  SYN_RECV
tcp        0      0 64.42.86.104:80      208.147.202.87:2150    SYN_RECV
tcp        0      0 64.42.86.104:80      66.150.40.222:52059    SYN_RECV
tcp        0      0 64.42.86.100:80      64.12.96.12:12612      SYN_RECV
tcp        0      0 64.42.86.104:80      208.147.202.87:2152    SYN_RECV
tcp        0      0 64.42.86.100:80      64.124.9.173:11189     SYN_RECV
tcp        0      0 64.42.86.101:80      64.124.9.173:5779      SYN_RECV
tcp        0      0 64.42.86.102:80      64.124.9.173:28176     SYN_RECV
tcp        0      0 64.42.86.103:80      64.124.9.173:20852     SYN_RECV
tcp        0      0 64.42.86.104:80      64.124.9.173:2412      SYN_RECV
tcp        0      0 64.42.86.105:80      64.124.9.173:19340     SYN_RECV
tcp        0      0 64.42.86.106:80      64.124.9.173:19932     SYN_RECV
tcp        0      0 64.42.86.107:80      64.124.9.173:47152     SYN_RECV
tcp        0      0 64.42.86.108:80      64.124.9.173:2227      SYN_RECV
tcp        0      0 64.42.86.109:80      64.124.9.173:25031     SYN_RECV
tcp        0      0 64.42.86.104:80      24.197.125.139:3413    SYN_RECV
tcp        0      0 64.42.86.107:80      24.28.204.122:2511     SYN_RECV
tcp        0      0 64.42.86.100:80      64.12.97.7:5129        SYN_RECV
</snip>

--Christopher

--
Christopher Maujean
IT Director, Premierelink Communications
[EMAIL PROTECTED]
http://www.premierelink.com/
541-344-8575x305
---------------------------------------------------------------
I am a meta-syntactic variable.
---------------------------------------------------------------
46F2 7B62 EFAF 4176
---------------------------------------------------------------
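
Added example (not part of the original message): one way to make the netstat listing above easier to read during a flood is to tally SYN_RECV entries instead of scanning them by eye. The function names are made up for this sketch, and it assumes `netstat -tn` style output with the state in the sixth column; the sample rows are copied from the excerpt above, plus one constructed ESTABLISHED row.

```sh
#!/bin/sh
# Added example: summarise half-open (SYN_RECV) connections from
# `netstat -tn` output read on stdin. Function names are hypothetical.

# Total number of SYN_RECV entries (prints 0 on empty input).
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# "<count> <remote-ip>" per source address, busiest first.
syn_recv_by_source() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             ip = $5
             sub(/:[0-9]+$/, "", ip)      # drop the remote port
             n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# "<count> <local-addr:port>" per listener, to see which vhost IP is hit.
syn_recv_by_listener() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n[$4]++ }
         END { for (l in n) print n[l], l }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Sample input: six rows from the post's excerpt, and one ESTABLISHED
# row (192.0.2.10, constructed) that must not be counted.
sample_netstat() {
cat <<'EOF'
tcp 0 0 64.42.86.100:80 64.12.96.231:56422 SYN_RECV
tcp 0 0 64.42.86.104:80 208.147.202.87:2150 SYN_RECV
tcp 0 0 64.42.86.104:80 208.147.202.87:2152 SYN_RECV
tcp 0 0 64.42.86.100:80 64.124.9.173:11189 SYN_RECV
tcp 0 0 64.42.86.101:80 64.124.9.173:5779 SYN_RECV
tcp 0 0 64.42.86.102:80 64.124.9.173:28176 SYN_RECV
tcp 0 0 64.42.86.100:80 192.0.2.10:40000 ESTABLISHED
EOF
}

echo "half-open total: $(sample_netstat | syn_recv_total)"
echo "by source:";   sample_netstat | syn_recv_by_source
echo "by listener:"; sample_netstat | syn_recv_by_listener
```

On a live host the same functions take `netstat -tn` on stdin, e.g. `netstat -tn | syn_recv_by_source | head`. Source addresses in a SYN flood are commonly spoofed, so the per-source tally shows the shape of the traffic rather than who is sending it.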
