  1. #1
    Just Joined!
    Join Date
    Dec 2009
    Posts
    10

    Netstat (with lotsa TIME_WAIT) --- new to networking


    Hi all,

    This morning, a web server of mine was being attacked. After I blocked the range of IPs that kept trying to establish connections, I got the list of connections below. (But this IP is not the same as the IPs that tried to flood the system.)

    I am not sure if I am making any sense, but I hope somebody with similar experience can tell me what is actually going on.

    Below is what I see when I do a netstat -anp:

    -----------------------

    Code:
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58627 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58626 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58629 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58628 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58631 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58630 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58633 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58632 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58635 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58634 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58637 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58636 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58639 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58638 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58640 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58643 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58642 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58645 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58646 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58649 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58648 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58651 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58650 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58653 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58652 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58655 TIME_WAIT   -
    tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58654 TIME_WAIT   -
    --------------------------------------

    Q1) How do I determine whether this is an outgoing connection from 203.117.31.247 to 203.117.187.17, or an incoming connection from 203.117.187.17 to 203.117.31.247?

    Q2) Why are there so many random-port connections to 203.117.187.17?

    Q3) What actually is TIME_WAIT? (I googled around; it has something to do with the closing of connections.)

    Is it because, during the attack earlier on, my HTTP server was so jammed up that it had problems closing connections? Or what?

    I have blocked 203.117.187.17 in my iptables, but I am afraid I might be blocking it for the wrong reason and cause.


    Please advise.

    Regards,
    Noob

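    The three questions above are all about reading the netstat columns correctly: netstat always prints the host's own socket as "Local Address" and the peer as "Foreign Address", so a local port of 80 with a high, random foreign port is an incoming HTTP connection (the random ports are the client's ephemeral source ports, one per connection); TIME_WAIT is the state the side that closed the connection first sits in for a short time after the close, so a stack of TIME_WAIT sockets from one peer means that peer opened and closed many short connections recently, not that the server is failing to close them. The following script is an added example, not code from the thread: it parses netstat-style lines, classifies each socket's direction from the port pattern, and lists peers with many TIME_WAIT sockets. The sample input is constructed (the first three lines mirror the thread's output; the other peers, PIDs and the SERVED_PORTS set are assumptions to be adjusted per host).

```python
import re
from collections import Counter

# Constructed sample in the layout of `netstat -anp` (Proto, Recv-Q, Send-Q,
# Local Address, Foreign Address, State, PID/Program name). Only the first
# three rows are from the thread; the rest are made up to show other cases.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58627 TIME_WAIT   -
tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58626 TIME_WAIT   -
tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:203.117.187.17:58629 TIME_WAIT   -
tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:198.51.100.7:40212   ESTABLISHED 1234/httpd
tcp        0      0 ::ffff:203.117.31.247:80    ::ffff:198.51.100.7:40213   SYN_RECV    -
tcp        0      0 ::ffff:203.117.31.247:38120 ::ffff:192.0.2.10:25        ESTABLISHED 987/sendmail
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1234/httpd
"""

# Assumption: the ports this host serves; adjust for the machine being checked.
SERVED_PORTS = {80, 443}


def split_addr(addr):
    """Split 'ip:port' into (ip, port); port is None for the '*' wildcard."""
    # netstat prints IPv4 peers on dual-stack sockets with an ::ffff: prefix.
    if addr.startswith("::ffff:"):
        addr = addr[len("::ffff:"):]
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse TCP rows of netstat output into dicts; header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local_ip, local_port = split_addr(parts[3])
        foreign_ip, foreign_port = split_addr(parts[4])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "foreign_ip": foreign_ip, "foreign_port": foreign_port,
            "state": parts[5],
            "program": parts[6] if len(parts) > 6 else "-",
        })
    return rows


def direction(row):
    """Who initiated the connection, judged from the port pattern.

    Local Address is always our own socket. A served port locally and an
    ephemeral (>= 1024) port on the peer means the peer connected to us.
    """
    if row["state"] == "LISTEN" or row["foreign_port"] is None:
        return "listening"
    if row["local_port"] in SERVED_PORTS and row["foreign_port"] >= 1024:
        return "incoming"
    if row["local_port"] >= 1024 and row["foreign_port"] < 1024:
        return "outgoing"
    return "unknown"


def summarize(rows):
    """Counts per (foreign IP, state) and per direction."""
    by_peer_state = Counter()
    by_direction = Counter()
    for r in rows:
        if r["state"] != "LISTEN":
            by_peer_state[(r["foreign_ip"], r["state"])] += 1
        by_direction[direction(r)] += 1
    return by_peer_state, by_direction


def noisy_peers(rows, threshold):
    """Foreign IPs with more than `threshold` TIME_WAIT sockets: clients that
    opened and closed many short connections within the last minute or so."""
    counts = Counter(r["foreign_ip"] for r in rows if r["state"] == "TIME_WAIT")
    return sorted(ip for ip, n in counts.items() if n > threshold)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    by_peer_state, by_direction = summarize(rows)
    for (ip, state), n in by_peer_state.most_common():
        print(f"{n:4d}  {ip:16s} {state}")
    print("by direction:", dict(by_direction))
    print("peers with >2 TIME_WAIT sockets:", noisy_peers(rows, 2))
```

    On a live host, feed it `netstat -anp` output (or `ss -tanp`, whose columns are close enough after minor adjustment). Note that TIME_WAIT sockets have no owning process (the "-" in the PID column), which is expected; they consume only a table entry, expire on their own, and are not the half-open connections a SYN flood leaves behind.
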
  2. #2
    Just Joined!
    Join Date
    Aug 2012
    Posts
    15
    Syn Flood Protection on linux
    You can turn on syncookies protection for SYN flood attacks by adding the following line to /etc/sysctl.conf.
    net.ipv4.tcp_syncookies = 1

    Some systems can mis-detect a SYN Flood when being scanned for open proxies, as commonly done by IRC servers and services. These are not SYN Floods, merely an automated system designed to check the connecting IP.
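
    Adding the line by hand works, but a stale `net.ipv4.tcp_syncookies = 0` further down the file would win, because sysctl applies the last matching line. The following helper is an added example, not part of the reply above: it sets the key exactly once in a sysctl.conf text (rewriting active lines in place, leaving commented-out lines alone, appending when absent), reports the value the file would load, and reads the running kernel value where /proc is available. The sample configuration is constructed.

```python
import re

KEY = "net.ipv4.tcp_syncookies"

# Constructed weak configuration: the protection is commented out and then
# explicitly disabled further down.
WEAK_CONF = """\
# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 0
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syncookies = 0
"""


def _active_line(key):
    # Matches an uncommented setting for `key`; '#' lines do not match.
    return re.compile(r"^\s*" + re.escape(key) + r"\s*=\s*(\S+)")


def effective_value(conf_text, key=KEY):
    """Value sysctl would load for `key` from this file (last active line wins), or None."""
    pattern = _active_line(key)
    value = None
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1)
    return value


def ensure_sysctl(conf_text, key=KEY, value="1"):
    """Return conf_text with `key = value` present as the only active line for key.

    The first active line is rewritten in place, later duplicates are dropped,
    commented-out lines are kept, and the setting is appended if absent.
    Calling this on its own output returns the same text (idempotent).
    """
    pattern = _active_line(key)
    out, seen = [], False
    for line in conf_text.splitlines():
        if pattern.match(line):
            if not seen:
                out.append(f"{key} = {value}")
                seen = True
            continue
        out.append(line)
    if not seen:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def running_value(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """Current kernel setting, or None when not on Linux or not readable."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("file would load:", effective_value(WEAK_CONF))
    hardened = ensure_sysctl(WEAK_CONF)
    print(hardened)
    print("file would load after fix:", effective_value(hardened))
    print("kernel currently:", running_value())
```

    After writing the hardened text back to /etc/sysctl.conf, `sysctl -p` loads it and `sysctl net.ipv4.tcp_syncookies` confirms the running value. Syncookies only engage once the SYN backlog overflows, so they address half-open SYN_RECV connections; they do nothing about the fully closed TIME_WAIT sockets in the first post, which are normal after a burst of short HTTP connections.
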
