I'm having an issue on an old RaQ XTR (yes, the
ones that have been recalled) with multiple IP addresses attacking port 80 on
the server.
[root /etc]# netstat -n | grep SYN
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
[SNIP]
Basically the attack goes all the way through each
IP on the server (64.94.47.0/24) and locks up Apache.
Every time I block the attacking IP address on the
firewall, the attacker finds another machine to attack from.
I know this is a firewall issue, but is there a way
to stop this from happening on the server side?
The kernel version is 2.2.16C23, which I thought
had stopped this attack type by timing out SYN packets faster. But since
they're hitting so many separate IP addresses, maybe that has something to do
with it?
Thanks,
Jordan
--
Jordan Lowe
Server Central Network (888) 875-4804 x255
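
Added example, not part of the original post: a shell helper that summarises `netstat -n` output like the listing above, counting half-open (SYN_RECV) connections per remote host and how many distinct local addresses each one touches. The function names, the threshold of 5, and the two sample lines using 192.0.2.10 and 198.51.100.7 are constructed for illustration; the other sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Read `netstat -n` output on stdin and print, busiest first:
#   remote_ip  half_open_count  distinct_local_ips
# for every remote host with at least $1 SYN_RECV entries (default 5).
syn_recv_summary() {
    threshold="${1:-5}"
    awk -v min="$threshold" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            local_ip = $4;  sub(/:[0-9]+$/, "", local_ip)    # strip local port
            remote_ip = $5; sub(/:[0-9]+$/, "", remote_ip)   # strip remote port
            count[remote_ip]++
            # Count each (remote, local) pair once, to see how many of the
            # server addresses a single remote host is walking through.
            if (!((remote_ip, local_ip) in seen)) {
                seen[remote_ip, local_ip] = 1
                targets[remote_ip]++
            }
        }
        END {
            for (ip in count)
                if (count[ip] >= min)
                    print ip, count[ip], targets[ip]
        }
    ' | sort -k2,2nr
}

# Sample input: six lines from the post, followed by two constructed lines
# (an established connection and a single unrelated half-open one).
sample_netstat() {
    cat <<'EOF'
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
tcp 0 0 64.94.47.100:80 198.51.100.7:51515 ESTABLISHED
tcp 0 0 64.94.47.100:80 192.0.2.10:40000 SYN_RECV
EOF
}

# On a live host: netstat -n | syn_recv_summary 5
sample_netstat | syn_recv_summary 5
```

A remote host whose half-open count matches its distinct-local-address count is hitting each server address once, which is the pattern shown in the listing.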