  1. #1 (Just Joined!; Join Date: Dec 2005; Posts: 1)

    Modern Day SYN-Flood?


    All,

    First, Merry Christmas to all!

    Next, and the reason for the post: I seem to be the victim of an annoying,
    yet not debilitating, attack which looks very much like a SYN-FLOOD.

    I have not heard of any modern day SYN-FLOOD attack being used, or perhaps
    I have been somewhat shielded. The attack is directed at my Linux server.
    Other than my anti-spam web page, I cannot seem to think what would provoke
    such an attack.

    In any event, as with most SYN-floods, the source address is spoofed. I am
    seeing the following types of data when I query my current network
    connections (netstat -n).

    tcp 0 1 <my ip>:40690 147.15.219.78:80 SYN_SENT
    tcp 0 1 <my ip>:40626 147.15.219.14:80 SYN_SENT
    tcp 0 1 <my ip>:40434 147.15.218.76:80 SYN_SENT
    tcp 0 1 <my ip>:40370 147.15.218.12:80 SYN_SENT
    tcp 0 1 <my ip>:40533 147.15.218.176:80 SYN_SENT
    tcp 0 1 <my ip>:40279 147.15.217.176:80 SYN_SENT
    tcp 0 1 <my ip>:40344 147.15.217.241:80 SYN_SENT

    There are literally hundreds of them, and the IP address changes through an
    endless loop. It seems to work its way through the complete realm of IP
    possibilities, be they existent or otherwise.

    Now my Linux server is not having any problem with this. Thanks to many of
    the anti-flood items (à la SYN Cookies), the server is running a nice low load
    average, plenty of vm, etc.

    However, the attack is sucking down some bandwidth. Currently the attack is
    sustaining somewhere around 120 – 240k – just enough to be annoying. You
    can see the jump in usage on my mrtg install here:

    http://www.flanigan.net/mrtg/67.36.1...ethernet0.html

    So far I have been unable to find, track-down, or block this attack. Does
    anyone have any experience, ideas, etc? I would hate to just wait them out –
    it seems so… unjust.

    Any help would be greatly appreciated!

    --
    Kind Regards,
    David A. Flanigan

    dave@flanigan.net
    http://www.flanigan.net
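The netstat lines quoted above can be triaged by direction as well as by remote network: in netstat's TCP state column, SYN_SENT marks a connection whose SYN left this host (locally initiated, outbound), while SYN_RECV marks a SYN that arrived from a remote host (inbound, which is what a classic SYN flood against a listening port looks like). The following parser and summariser is an added example, not code from the thread; the sample input is constructed to mirror the post's output with a placeholder local address, and the function names are my own.

```python
"""Summarise `netstat -n` TCP output by state and by remote /24.

Added example, not from the original forum post. SAMPLE is constructed
from the lines quoted in the post (local address replaced by 192.0.2.10)
plus two extra lines to show the inbound case.
"""
import ipaddress
from collections import Counter

SAMPLE = """\
tcp 0 1 192.0.2.10:40690 147.15.219.78:80 SYN_SENT
tcp 0 1 192.0.2.10:40626 147.15.219.14:80 SYN_SENT
tcp 0 1 192.0.2.10:40434 147.15.218.76:80 SYN_SENT
tcp 0 0 192.0.2.10:80 198.51.100.7:51234 SYN_RECV
tcp 0 0 192.0.2.10:22 198.51.100.8:41000 ESTABLISHED
"""


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip headers, blank lines and non-TCP sockets (udp, unix, ...).
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)   # rsplit copes with IPv6 addresses
        rip, rport = remote.rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def summarise(rows, prefix=24):
    """Count sockets per state and outbound half-open SYNs per remote /prefix.

    SYN_SENT = this host sent the SYN (outbound); SYN_RECV = a remote host
    sent the SYN (inbound). Only SYN_SENT rows are grouped by remote network,
    since that is the pattern shown in the post.
    """
    by_state = Counter(r[4] for r in rows)
    outbound = Counter()
    for _lip, _lport, rip, rport, state in rows:
        if state == "SYN_SENT":
            net = ipaddress.ip_network(f"{rip}/{prefix}", strict=False)
            outbound[(str(net), rport)] += 1
    return by_state, outbound


if __name__ == "__main__":
    states, nets = summarise(parse_netstat(SAMPLE))
    print(dict(states))
    for (net, port), n in nets.most_common():
        print(f"{n:4d} SYN_SENT -> {net} port {port}")
```

Run it against a live capture with `netstat -n | python3 this_script.py`-style piping by reading `sys.stdin` instead of SAMPLE; a high SYN_SENT count with rotating remote /24s points at the local host originating the traffic, whereas a high SYN_RECV count points at inbound SYNs.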

  2. #2 sarumont (Linux Guru; Join Date: Apr 2003; Location: /dev/urandom; Posts: 3,682)
    Unfortunately, you cannot really do anything about this to save your bandwidth. You do not have control of the traffic until it reaches your outermost piece of equipment (in this case, your server). You could drop traffic from that whole subnet (147.15.0.0/16), but the packets would still get to the server thereby sucking your bandwidth. I would try (for grins) reporting to the owners of that IP block just in case they have an infected machine somewhere on that network (it is always worth the 45 seconds that it takes to whois and type up an e-mail). Other than that, I cannot really suggest anything.

    Merry Christmas to yourself, too.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
