- 08-12-2009 #1 Just Joined!
- Join Date
- Jan 2009
- Posts
- 8
Strange http connection
I do see there is an attack on our server and am able to see the HTTP connections as mentioned below:
netstat -anp |grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort
1 78.60.147.216
18 208.51.221.64
1 84.169.231.166
1 96.235.185.46
2 202.156.10.11
2 208.76.83.136
25 204.8.241.140
25 66.29.214.168
31 74.86.121.93
320
3 60.49.62.207
37 74.125.77.121
We do see an entry with a count of 320 connections without any IP address, and could not find the IP address from which this large number of connections is being established.
Any suggestions are appreciated.
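An added example, not part of the thread: `cut -d: -f1` returns an empty string for any netstat peer printed in IPv6 form (`:::*`, `::ffff:a.b.c.d:port`), which is one way the pipeline above can produce a count with no address; that this is the cause on the poster's server is an assumption. The function names are hypothetical and the sample lines are constructed with documentation addresses.

```bash
#!/bin/sh
# Count remote peers per address for one local port, stripping only the
# trailing ":port" so IPv6 and IPv4-mapped peers keep their address.
count_peers() {
    # stdin: `netstat -an` / `netstat -anp` lines; $1: local port (default 80)
    awk -v port="${1:-80}" '
        $1 !~ /^tcp/          { next }   # TCP sockets only
        $4 !~ (":" port "$")  { next }   # local side must be exactly :port
        $6 == "LISTEN"        { next }   # a listener has no remote peer
        {
            peer = $5
            sub(/:[^:]*$/, "", peer)     # drop the trailing :port only
            sub(/^::ffff:/, "", peer)    # IPv4-mapped IPv6 -> plain IPv4
            n[peer]++
        }
        END { for (p in n) printf "%d %s\n", n[p], p }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (not taken from the poster's server).
sample_netstat() {
    cat <<'EOF'
tcp   0   0 0.0.0.0:80            0.0.0.0:*                 LISTEN      1234/httpd
tcp   0   0 :::80                 :::*                      LISTEN      1234/httpd
tcp   0   0 192.0.2.10:80         198.51.100.7:51234        ESTABLISHED 1234/httpd
tcp   0   0 ::ffff:192.0.2.10:80  ::ffff:203.0.113.5:40001  SYN_RECV    -
tcp   0   0 ::ffff:192.0.2.10:80  ::ffff:203.0.113.5:40002  SYN_RECV    -
tcp   0   0 ::ffff:192.0.2.10:80  ::ffff:203.0.113.5:40003  TIME_WAIT   -
tcp   0   0 192.0.2.10:8080       198.51.100.9:51000        ESTABLISHED 999/java
tcp   0   0 2001:db8::10:80       2001:db8::beef:51111      ESTABLISHED 1234/httpd
EOF
}

# The pipeline from the post, applied to stdin instead of live netstat,
# to show the blank-address bucket it produces on the same input.
original_pipeline() {
    grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort
}

sample_netstat | count_peers 80
```

Adding a per-state breakdown (`$6`) to the awk key would also show whether a high count is mostly `SYN_RECV` or `TIME_WAIT` sockets.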
- 08-12-2009 #2
You could block/drop all packets that do not have a source address at the firewall.
- 08-13-2009 #3 Just Joined!
- Join Date
- Jan 2009
- Posts
- 8
Could you let me know how to do that (with iptables)???
- 08-13-2009 #4
You should first try this in a test env to ensure nothing else will be affected.
Use either INPUT or FORWARD as needed, because I do not know where and how your firewall is set up. You could also add an interface to this rule so it is only applied to that interface, and so on. This is just a basic rule. You should already be dropping new packets that are not SYN packets.
Code:
iptables -A <INPUT/FORWARD> -s 0.0.0.0/32 -j DROP
- 08-15-2009 #5
hosts.deny
You can also use
/etc/hosts.deny
Thanks


