RE: HELP: NOT SOLVED ! ! looks like a SYN attack
Eric,

> And I've got 759 kernel warning possible SYN flood from (always unique IPs) on
> our.mail.server.com since sometime early on the 21st.
>
> Is this really a DoS attack, and if so how can we stop it?

Not necessarily: I've met 'Possible SYN flood... sending cookies' type messages on a heavily loaded Linux box. In fact it was saying 'Help, I've run out of resources'. In our case it was CPU, since we had a broken application running on the box that deadlocked files and put processes into extremely long (not quite infinite) loops. We fixed the application, upgraded the hardware for good measure, and nowadays the box handles twice the load with panache.

I'd also suggest upgrading your kernel to the newest possible release, since sometimes this solves problems you didn't know you had.

cheers,
Andrew Richards.
Re: HELP: NOT SOLVED ! ! looks like a SYN attack
Eric Dahnke writes:
> And I've got 759 kernel warning possible SYN flood from (always unique IPs) on
> our.mail.server.com since sometime early on the 21st.
>
> Is this really a DoS attack, and if so how can we stop it?

Make sure that your log files are cycled frequently enough to purge the logs, and contact your provider.

--
Sam
Re: HELP: NOT SOLVED ! ! looks like a SYN attack
- Eric Dahnke <[EMAIL PROTECTED]>:
| And I've got 759 kernel warning possible SYN flood from (always
| unique IPs) on our.mail.server.com since sometime early on the 21st.
|
| Is this really a DoS attack, and if so how can we stop it?

Sounds like it. If you can get your hands on the router, or can talk to someone who can, block access from the offending IP in the router itself.

Since you have Linux, I believe it is possible to compile support for SYN cookies into the kernel, which is considered a reasonable defense against SYN flooding attacks. Ask on some Linux-related list, unless you find it in your docs already.

- Harald
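As an added triage example (not code from anyone in this thread): the script below aggregates the kernel warnings Eric quotes by destination port, counting distinct source addresses and the busiest minute, and checks whether SYN cookies are switched on in the running kernel. The log lines are constructed to match the warning format quoted in the thread, and the sysctl path is the standard Linux one.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog excerpt, modelled on the kernel warning quoted in the
# thread ("possible SYN flood from ... on host:port. Sending cookies");
# the addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 21 02:14:07 mail kernel: Warning: possible SYN flood from 198.51.100.17 on 192.0.2.10:25.  Sending cookies.
Mar 21 02:14:09 mail kernel: Warning: possible SYN flood from 198.51.100.92 on 192.0.2.10:25.  Sending cookies.
Mar 21 02:15:31 mail kernel: Warning: possible SYN flood from 203.0.113.5 on 192.0.2.10:25.  Sending cookies.
Mar 21 02:15:40 mail kernel: Warning: possible SYN flood from 203.0.113.5 on 192.0.2.10:110.  Sending cookies.
Mar 21 02:16:02 mail qmail: 985140962.102 new msg 4711
"""

# The timestamp is captured only to the minute so warnings can be bucketed per minute.
SYN_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d .*kernel: .*possible SYN flood"
    r" from (?P<src>\d+(?:\.\d+){3}) on (?P<dst>[\w.-]+):(?P<port>\d+)\."
)

def summarize(log_text):
    """Per destination port: warning count, distinct source IPs and busiest minute.
    Many distinct sources mean a per-IP router block will not help; SYN cookies will."""
    per_port = defaultdict(
        lambda: {"hits": 0, "sources": set(), "minutes": Counter()})
    for line in log_text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        e = per_port[int(m.group("port"))]
        e["hits"] += 1
        e["sources"].add(m.group("src"))
        e["minutes"][m.group("minute")] += 1
    return {p: {"hits": e["hits"], "distinct_sources": len(e["sources"]),
                "peak_minute": e["minutes"].most_common(1)[0]}
            for p, e in per_port.items()}

def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True/False from the sysctl; None if the file is missing (no kernel support or not Linux)."""
    try:
        with open(path) as f:
            return f.read().strip() != "0"
    except OSError:
        return None

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"port {port}: {info}")
    print("tcp_syncookies enabled:", syncookies_enabled())
```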
Re: HELP: NOT SOLVED ! ! looks like a SYN attack
And I've got 759 kernel warning possible SYN flood from (always unique IPs) on our.mail.server.com since sometime early on the 21st.

Is this really a DoS attack, and if so how can we stop it?

Eric Dahnke wrote:
> It is still the same. Our server won't accept SMTP.
>
> /var/ now has lots of room, and I've reset the machine a few times already.
>
> It is a linux box, and qmail-smtpd is started from tcpserver like this:
>
> /usr/local/bin/tcpserver -x /etc/tcp.smtp.cdb -v -u 501 -g 500 0 smtp /var/qmail/bin/qmail-smtpd 2>&1 | /var/qmail/bin/splogger smtpd 3 &
>
> Should I just start killing qmail-smtpd processes?
>
> How to fix this?
>
> Eric Dahnke wrote:
> >
> > /var/ was 100% full. Too much logging I guess.
> >
> > - a stupid mistake
> >
> > Eric Dahnke wrote:
> > >
> > > Heeelllppp,
> > >
> > > I'm fairly new to live mail server maintenance, but it almost seems like
> > > a DoS.
> > >
> > > The server is never very busy, it does about 7000 deliveries per day.
> > >
> > > There are about 44 qmail-smtp processes running, quite a few more than
> > > usual and a telnet to port 25 just hangs.
> > >
> > > qmail-queue zombie processes keep showing up. (now up to five)
> > >
> > > I've already reset the machine once. When it came back it was ok for
> > > about 2 minutes, then the same, lots of qmail-smtp and no port 25
> > > response.
> > >
> > > Telnet 110 responds no problem, and the load average is 0.3 or something
> > > way low.
> > >
> > > What is happening and how can I fix it! - thx - eric