Modern Day SYN-Flood?
First, Merry Christmas to all!
Next, and the reason for the post: I seem to be the victim of an annoying,
yet not debilitating, attack which looks very much like a SYN-FLOOD.
I have not heard of any modern day SYN-FLOOD attacks being used, or perhaps
I have been somewhat shielded. The attack is directed at my Linux server.
Other than my anti-spam web page, I cannot seem to think what would provoke
such an attack.
In any event, as with most SYN-floods, the source address is spoofed. I am
seeing the following types of data when I query my current network
connections (netstat -n).
tcp 0 1 <my ip>:40690 220.127.116.11:80 SYN_SENT
tcp 0 1 <my ip>:40626 18.104.22.168:80 SYN_SENT
tcp 0 1 <my ip>:40434 22.214.171.124:80 SYN_SENT
tcp 0 1 <my ip>:40370 126.96.36.199:80 SYN_SENT
tcp 0 1 <my ip>:40533 188.8.131.52:80 SYN_SENT
tcp 0 1 <my ip>:40279 184.108.40.206:80 SYN_SENT
tcp 0 1 <my ip>:40344 220.127.116.11:80 SYN_SENT
There are literally hundreds of them, and the IP address changes through an
endless loop. It seems to work its way through the complete realm of IP
possibilities, be they existent or otherwise.
Now my Linux server is not having any problem with this. Thanks to many of
the anti-flood items (a la SYN Cookies), the server is running a nice low load
average, plenty of vm, etc.
However, the attack is sucking down some bandwidth. Currently the attack is
sustaining at someplace around 120-240k, just enough to be annoying. You
can see the jump in usage on my mrtg install here:
So far I have been unable to find, track-down, or block this attack. Does
anyone have any experience, ideas, etc.? I would hate to just wait them out
it seems so
Any help would be greatly appreciated!
David A. Flanigan
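As an added diagnostic example (not part of the original post or the reply), the script below parses `netstat -n` style lines like the ones quoted above and splits the half-open TCP sockets by which side sent the SYN. In netstat's state column, SYN_SENT means this host sent the SYN and is waiting for a SYN-ACK, while SYN_RECV means a peer's SYN arrived and this host answered; the two states point at different problems, so counting them separately is the first check worth running. The sample lines, the 10.0.0.5 local address and the documentation-range peer addresses are constructed placeholders, not the poster's real data.

```python
import re
from collections import Counter

# Constructed sample of `netstat -n` output modelled on the quoted lines.
# All addresses are placeholders; the local host here is 10.0.0.5.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 10.0.0.5:40690          203.0.113.11:80         SYN_SENT
tcp        0      1 10.0.0.5:40626          203.0.113.12:80         SYN_SENT
tcp        0      1 10.0.0.5:40434          198.51.100.7:80         SYN_SENT
tcp        0      0 10.0.0.5:80             192.0.2.44:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.45:51235        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.46:51236        SYN_RECV
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, state.
# The greedy \S+ before the last colon also copes with IPv6 forms such as ::ffff:10.0.0.5:80.
LINE_RE = re.compile(
    r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Return one dict per TCP socket line; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, recvq, sendq, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "recvq": int(recvq),
            "sendq": int(sendq),
            "laddr": laddr,
            "lport": int(lport),
            "raddr": raddr,
            "rport": int(rport),
            "state": state,
        })
    return rows


def half_open_summary(rows):
    """Split half-open sockets by direction.

    SYN_SENT: this host sent the SYN (an outbound connection attempt originating here).
    SYN_RECV: a peer's SYN reached this host and it replied SYN-ACK (an inbound
    attempt; this is the state a classic SYN flood against a server fills up).
    """
    outbound = [r for r in rows if r["state"] == "SYN_SENT"]
    inbound = [r for r in rows if r["state"] == "SYN_RECV"]
    return {
        "outbound_syn_sent": len(outbound),
        "inbound_syn_recv": len(inbound),
        # Which remote ports the outbound attempts target (e.g. {80: n}).
        "outbound_dst_ports": Counter(r["rport"] for r in outbound),
        # How many distinct peers are involved in each direction.
        "outbound_distinct_dsts": len({r["raddr"] for r in outbound}),
        "inbound_distinct_srcs": len({r["raddr"] for r in inbound}),
    }


if __name__ == "__main__":
    summary = half_open_summary(parse_netstat(SAMPLE_NETSTAT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On a live box the same parser can be fed `netstat -nt` (or the output saved from it); adding `-p` on Linux makes netstat print the owning PID/program for each socket, which is the natural next step for SYN_SENT entries, since they belong to a local process rather than to a remote sender.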
Unfortunately, you cannot really do anything about this to save your bandwidth. You do not have control of the traffic until it reaches your outermost piece of equipment (in this case, your server). You could drop traffic from that whole subnet (18.104.22.168/16), but the packets would still get to the server, thereby sucking your bandwidth. I would try (for grins) reporting to the owners of that IP block just in case they have an infected machine somewhere on that network (it is always worth the 45 seconds that it takes to whois and type up an e-mail). Other than that, I cannot really suggest anything.
Merry Christmas to yourself, too. :)