
RE: [cobalt-security] syn_flood dos attack



Could it be... that the remote servers are infected with Nimda (or similar)?

All the variants of those worms work sequentially through a bunch of /24
networks, starting with the one they are on and working outwards either
side. They all attempt to connect to port 80.

Now the question for me is: why is your IP stack sitting at SYN_RECV instead
of ESTABLISHED, CLOSE_WAIT or FIN_WAIT? Apache shouldn't be locking up - it
should just spit back the appropriate HTTP error (if there is one!) and then
ACK/ACK-FIN/FIN-ACK/RST the connection.

I suspect as it's an XTR and there were many things wrong with them that
there's either a kernel bug or Apache is broken. And it's not 'attacks',
strictly speaking. Have you looked in your Apache error logs?

Graeme



> ----------
> From: 	Jordan Lowe
> Reply To: 	cobalt-security@xxxxxxxxxxxxxxx
> Sent: 	Sunday, December 30, 2001 20:28 PM
> To: 	cobalt-security@xxxxxxxxxxxxxxx
> Subject: 	[cobalt-security] syn_flood dos attack
> 
>  
> I'm having an issue on an old raq XTR (yes, the ones that have been
> recalled) with multiple ip addresses attacking port 80 on the server.
>  
>  
> [root /etc]# netstat -n | grep SYN
> tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
> tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
> tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
> tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
> tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
> tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
> [SNIP]
>  
> Basically the attack goes all the way through each ip on the server
> (64.94.47.0/24) and locks up apache.
>  
> Every time I block the attacking ip address on the firewall, the attacker
> finds another machine to attack from.
>  
> I know this is a firewall issue, but is there a way to stop this from
> happening on the server side?
>  
> The kernel version is 2.2.16C23, which I thought had stopped this attack
> type by timing out syn packets faster.  But since they're hitting so many
> separate ip addresses, maybe that has something to do with it?
>  
>  
> 
> Thanks,
> Jordan
>  
> -- 
>  
> Jordan Lowe
> Server Central Network
> (888) 875-4804 x255
>  
>  
>
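The thread turns on reading the netstat output correctly: is this a flood of half-open connections from many sources, or one host sweeping port 80 on consecutive addresses in the /24, as Graeme suggests a worm would? The script below is an added example, not code from either post. It parses `netstat -n` lines of the same shape as the ones quoted above, counts SYN_RECV entries per remote source, and flags any source whose half-open connections land on a run of consecutive local addresses. The sample addresses are constructed documentation ranges, not the hosts from the thread, and the "run of at least three consecutive targets" threshold is an assumption chosen for illustration.

```python
"""Summarise half-open (SYN_RECV) TCP connections from `netstat -n` output.

Added example for the thread above, not code from the original posts.
The sample below is constructed to mirror the column layout of the quoted
netstat output; the addresses are documentation ranges, not real hosts.
"""
import ipaddress
import sys
from collections import Counter, defaultdict

# Constructed sample: one remote host sweeping consecutive local addresses on
# port 80, plus two unrelated connections in other states.
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:80           198.51.100.7:42938      SYN_RECV
tcp        0      0 192.0.2.11:80           198.51.100.7:49098      SYN_RECV
tcp        0      0 192.0.2.12:80           198.51.100.7:3868       SYN_RECV
tcp        0      0 192.0.2.13:80           198.51.100.7:65292      SYN_RECV
tcp        0      0 192.0.2.14:80           198.51.100.7:20280      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:40001       ESTABLISHED
"""


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples.

    Header lines and non-TCP rows are skipped; rsplit on the last colon keeps
    IPv6 addresses intact.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def half_open_by_source(rows, port=80):
    """Count SYN_RECV connections to `port`, keyed by remote source IP."""
    counts = Counter()
    for lip, lport, rip, rport, state in rows:
        if state == "SYN_RECV" and lport == port:
            counts[rip] += 1
    return counts


def sequential_sweep_sources(rows, port=80, min_targets=3):
    """Map source IP -> longest run of consecutive local IPs it is half-open to.

    One source with half-open connections to address, address+1, address+2 ...
    matches the sequential port-80 sweep described in the thread. A spoofed
    SYN flood looks different: many sources against one or a few targets.
    Only sources whose longest run reaches `min_targets` (an assumed
    threshold) are returned.
    """
    targets = defaultdict(set)
    for lip, lport, rip, rport, state in rows:
        if state == "SYN_RECV" and lport == port:
            targets[rip].add(int(ipaddress.ip_address(lip)))
    result = {}
    for rip, addrs in targets.items():
        ordered = sorted(addrs)
        longest = run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= min_targets:
            result[rip] = longest
    return result


if __name__ == "__main__":
    # `netstat -n | python3 synrecv_summary.py -` reads live output from stdin;
    # with no argument the constructed sample is used.
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_NETSTAT
    rows = parse_netstat(text)
    print("half-open per source:", dict(half_open_by_source(rows)))
    print("sequential sweeps (source -> run length):", sequential_sweep_sources(rows))
```

Run against the sample, the single source shows five half-open connections and a run of five consecutive targets, which is the sweep pattern rather than a distributed flood; on a real host the same two summaries, taken a few times a minute, show whether blocking one source actually reduces the SYN_RECV count or whether the pattern simply reappears from the next address, as the original post describes.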