On May 11, 2012, at 4:08 PM, Chuck Swiger wrote:

> On May 11, 2012, at 2:09 PM, Chad Leigh Shire.Net LLC wrote:
>> it is my understanding that SYN_SENT is when MY SIDE sends out a request and 
>> is awaiting a reply?
> 
> That's right.
> 
>> One of the jails we run for a customer had hundreds (if not thousands) of 
>> attempts to connect from the 147. address you see below.   It was exhausting 
>> resources so that new tcp connections could not be made until some closed.
> 
> You have/had your jail opening connections to the webserver at IP 
> 147.237.76.155, not that IP trying to connect to you.
> 
>> I added that address to a "pf" block statement to stop it but now we get 
>> rolling connections in a "netstat -a" as shown below (host. being a generic 
>> name used in place of actual host on our side).   I am wondering if this 
>> shows something on our side trying to connect out?  That is what it appears 
>> to me to be, which does not make sense.
>> 
>> 
>> tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
>> tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
> 
> Yes, your side is trying to connect out.
> Unless you know better, it seems reasonable to gather that it's doing a DoS 
> attack against:

Hi Chuck!

Thanks.  I am investigating as this side should not be going out at all, but 
the SYN_SENT made me think it was.

Thanks
Chad

> 
> % whois 147.237.76.155
> [ ... ]
> inetnum:      147.237.0.0 - 147.237.255.255
> netname:      IL-GOVT-NET
> descr:        Israeli Government Network
> country:      IL
> admin-c:      AT979-RIPE
> tech-c:       TT441-RIPE
> status:       ASSIGNED PI
> mnt-by:       GOV-IL-DNS
> mnt-lower:    GOV-IL-DNS
> mnt-routes:   AS8867-MNT { ANY }
> mnt-routes:   AS9116-MNT { 147.237.232.0/24^24-24 }
> source:       RIPE # Filtered
> 
> person:         Admin Tehila
> address:        Israel Ministry Of Finance
> address:        1 Netanel Lorech st
> address:        Jerusalem  Israel
> phone:          +972 2 6664666
> fax-no:         +972 2 6664650
> remarks:        For ABUSE and security issues please contact
> remarks:        email: ab...@tehila.gov.il
> remarks:        or contact CERT.gov.il at rep...@cert.gov.il
> nic-hdl:        AT979-RIPE
> source:         RIPE # Filtered
> 
> Regards,
> -- 
> -Chuck
> 

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
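
An added example, not part of the original thread: a shell function that tallies sockets in SYN_SENT per remote address and port from FreeBSD-style netstat output, so an outbound connection flood like the one discussed above stands out immediately. The function names and all sample lines other than the two quoted in the thread are constructed for illustration.

```shell
#!/bin/sh
# Added example: count half-open outbound connections (SYN_SENT) per remote
# address from FreeBSD-style `netstat -an -p tcp` output read on stdin.

# syn_sent_by_remote [threshold]
# Prints "count remote_addr remote_port" for each destination with at least
# `threshold` sockets in SYN_SENT, highest count first.
syn_sent_by_remote() {
    threshold="${1:-1}"
    awk -v min="$threshold" '
        # Columns: proto recv-q send-q local foreign state
        $1 ~ /^tcp/ && $6 == "SYN_SENT" {
            foreign = $5
            # FreeBSD prints addr.port; the port follows the last dot.
            i = length(foreign)
            while (i > 0 && substr(foreign, i, 1) != ".") i--
            if (i == 0) next
            addr = substr(foreign, 1, i - 1)
            port = substr(foreign, i + 1)
            count[addr " " port]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in the format shown in the thread (not a real capture).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 host.52562         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52561         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.52560         147.237.76.155.http    SYN_SENT
tcp4       0      0 host.ssh           192.0.2.10.51514       ESTABLISHED
tcp4       0      0 host.40022         198.51.100.7.443       SYN_SENT
tcp4       0      0 *.http             *.*                    LISTEN
EOF
}

sample_netstat | syn_sent_by_remote 1
```

On a live host or inside the jail, feed it `netstat -an -p tcp` instead of the sample and raise the threshold; `sockstat -4` then shows which process owns the sockets toward the flagged address.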
