RE: [cobalt-security] syn_flood dos attack
- Subject: RE: [cobalt-security] syn_flood dos attack
- From: Graeme Fowler <graeme.fowler@xxxxxxxxxxxxxx>
- Date: Sun, 30 Dec 2001 21:10:02 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Could it be... that the remote servers are infected with Nimda (or similar)?
All the variants of those worms work sequentially through a bunch of /24
networks, starting with the one they are on and working outwards either
side. They all attempt to connect to port 80.
Now the question for me is: why is your IP stack sitting at SYN_RECV instead
of ESTABLISHED, CLOSE_WAIT or FIN_WAIT? Apache shouldn't be locking up - it
should just spit back the appropriate HTTP error (if there is one!) and then
ACK/ACK-FIN/FIN-ACK/RST the connection.
I suspect as it's an XTR and there were many things wrong with them that
there's either a kernel bug or Apache is broken. And it's not 'attacks',
strictly speaking. Have you looked in your Apache error logs?
Graeme
> ----------
> From: Jordan Lowe
> Reply To: cobalt-security@xxxxxxxxxxxxxxx
> Sent: Sunday, December 30, 2001 20:28 PM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] syn_flood dos attack
>
>
> I'm having an issue on an old RaQ XTR (yes, the ones that have been
> recalled) with multiple ip addresses attacking port 80 on the server.
>
>
> [root /etc]# netstat -n | grep SYN
> tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
> tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
> tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
> tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
> tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
> tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
> [SNIP]
>
> Basically the attack goes all the way through each ip on the server
> (64.94.47.0/24) and locks up apache.
>
> Every time I block the attacking ip address on the firewall, the attacker
> finds another machine to attack from.
>
> I know this is a firewall issue, but is there a way to stop this from
> happening on the server side?
>
> The kernel version is 2.2.16C23, which I thought had stopped this attack
> type by timing out syn packets faster. But since they're hitting so many
> separate ip addresses, maybe that has something to do with it?
>
>
>
> Thanks,
> Jordan
>
> --
>
> Jordan Lowe
> Server Central Network
> (888) 875-4804 x255
>
>
>
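The diagnostic Graeme is driving at (one remote host walking every address in the local /24 on port 80, as a worm would, versus many sources flooding one socket) can be read straight off the `netstat -n` output Jordan posted. The script below is an added example written for this page, not code from either poster or from Cobalt; it parses Linux `netstat -n` lines, groups half-open (SYN_RECV) entries by remote source, and reports whether a single source is sweeping several local addresses. The sample output embedded in it is constructed to mirror the post's format (the addresses and ports are the ones in the post plus made-up extra lines); the thresholds `sweep_min` and `flood_min` are assumptions to tune per host.

```python
"""Classify SYN_RECV (half-open) connections from `netstat -n` output.

Added example for this thread. It separates one source sweeping port 80
across a block of local addresses (the worm pattern Graeme describes)
from a genuine many-source SYN flood or a normal backlog.
"""
import re
from collections import defaultdict

# Constructed sample in the post's format: one host sweeping the local /24,
# a normal established client, and one unrelated half-open connection.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
tcp        0      0 64.94.47.100:80         10.0.0.9:1025           ESTABLISHED
tcp        0      0 64.94.47.100:22         10.0.0.9:1026           ESTABLISHED
tcp        0      0 64.94.47.100:80         198.51.100.7:3301       SYN_RECV
"""

# IPv4 `netstat -n` line: proto, queues, local addr:port, remote addr:port, state
LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+"
    r"(?P<laddr>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\d+\.\d+\.\d+\.\d+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per tcp line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["laddr"], int(m["lport"]), m["raddr"], int(m["rport"]), m["state"])


def half_open_by_source(text, port=80):
    """Map remote IP -> set of local IPs it holds in SYN_RECV on `port`."""
    by_src = defaultdict(set)
    for laddr, lport, raddr, _rport, state in parse_netstat(text):
        if state == "SYN_RECV" and lport == port:
            by_src[raddr].add(laddr)
    return dict(by_src)


def classify(text, port=80, sweep_min=4, flood_min=64):
    """Return (verdict, details) for the half-open entries on `port`.

    'sweep'  : some source is half-open against >= sweep_min distinct local
               addresses (one scanner walking the address block);
    'flood'  : total SYN_RECV entries >= flood_min with no such sweeper;
    'normal' : otherwise.  Thresholds are assumed defaults, not from the post.
    """
    by_src = half_open_by_source(text, port)
    total = sum(1 for _l, lp, _r, _rp, st in parse_netstat(text)
                if st == "SYN_RECV" and lp == port)
    sweepers = sorted((len(locals_), src) for src, locals_ in by_src.items()
                      if len(locals_) >= sweep_min)
    sweepers.reverse()  # widest sweep first
    details = {"sources": [src for _n, src in sweepers] or sorted(by_src),
               "half_open": total}
    if sweepers:
        return "sweep", details
    if total >= flood_min:
        return "flood", details
    return "normal", details


if __name__ == "__main__":
    verdict, info = classify(SAMPLE_NETSTAT)
    print(verdict, info)
    for src, locals_ in sorted(half_open_by_source(SAMPLE_NETSTAT).items()):
        print(f"{src}: {len(locals_)} local address(es) in SYN_RECV on :80")
```

On the real box this would be fed `netstat -n` on stdin instead of the constructed sample. A "sweep" verdict against one source matches the post (every entry comes from 165.247.32.175, each against the next local address), which is a scanner to block or ignore rather than a distributed SYN flood; a "flood" verdict with many sources is the case where the kernel's SYN backlog handling matters, and on a Linux 2.2 kernel built with SYN cookie support the knob to check is /proc/sys/net/ipv4/tcp_syncookies.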