
[cobalt-security] (no subject)



Graeme,

No, we've looked into that.  We can see the .../cmd.exe/../ for those other
types of "attacks" in the web logs.  When we get hit by this attack, which
happens every few minutes or few hours for about 10-20 minutes, nothing
unusual shows up in the web logs.  We have two screens monitoring the access
and error logs, plus one which repeats the netstat command to see if we've
been hit and restarts apache when it happens.  It's definitely an XTR thing;
it's only affecting a few that are in the IP range...  Rather annoying, I'd
like to try a kernel upgrade with some built in firewall support, but I'd
rather not mess with the XTRs as flaky as they are.  We can see attempts
for the same type of attack on more IPs (watching through the routers) but
the other servers don't even seem to see it or be affected in any way.

Thanks,
Jordan
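The "screen which repeats the netstat command" described above can be turned into a small detector. The script below is an added example, not code from anyone on the list: it parses `netstat -n` output in the column layout quoted later in the thread (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), counts half-open (SYN_RECV) connections to port 80 per remote address, and reports which remotes hold more than a threshold and how many distinct local addresses each one is sweeping. The sample text is constructed: the 165.247.32.175 lines mirror the ones quoted in the thread, while the 10.0.0.5 and 192.0.2.7 entries are made up here for contrast. The threshold of 5 is an assumption, not a value from the thread.

```python
"""Flag remote hosts holding many half-open (SYN_RECV) connections in netstat output."""
from collections import Counter, defaultdict

# Constructed sample in the layout `netstat -n` prints. The 165.247.32.175
# rows mirror the thread; the 10.0.0.5 and 192.0.2.7 rows are invented here.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
tcp        0      0 64.94.47.100:80         10.0.0.5:51234          ESTABLISHED
tcp        0      0 64.94.47.100:80         192.0.2.7:40001         SYN_RECV
"""


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip banner/header rows, UDP and unix-socket rows.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, _remote_port = remote.rsplit(":", 1)
        rows.append((local_ip, int(local_port), remote_ip, state))
    return rows


def syn_recv_by_source(text, port=80):
    """Count half-open connections to `port`, keyed by remote IP."""
    counts = Counter()
    for _local_ip, local_port, remote_ip, state in parse_netstat(text):
        if state == "SYN_RECV" and local_port == port:
            counts[remote_ip] += 1
    return counts


def targets_by_source(text, port=80):
    """Distinct local addresses each remote holds half-open; shows a sweep across a /24."""
    targets = defaultdict(set)
    for local_ip, local_port, remote_ip, state in parse_netstat(text):
        if state == "SYN_RECV" and local_port == port:
            targets[remote_ip].add(local_ip)
    return {ip: sorted(locals_) for ip, locals_ in targets.items()}


def flag_sources(text, threshold=5, port=80):
    """Remote IPs with at least `threshold` half-open connections, worst first."""
    counts = syn_recv_by_source(text, port)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    import subprocess
    import sys

    # With --live, read the real `netstat -n` output; otherwise use the sample.
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for ip in flag_sources(text):
        n = syn_recv_by_source(text)[ip]
        swept = targets_by_source(text)[ip]
        print(f"{ip}: {n} half-open connections across {len(swept)} local addresses")
```

Run it in a loop (for example from cron or a `watch`-style wrapper) and log the flagged addresses with a timestamp; a remote that holds half-open connections to many different local addresses at once is the sweep pattern the thread describes, and that record is what you want alongside the Apache access and error logs when the web logs themselves show nothing.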




Could it be... that the remote servers are infected with Nimda (or similar)?

All the variants of those worms work sequentially through a bunch of /24
networks, starting with the one they are on and working outwards either
side. They all attempt to connect to port 80.

Now the question for me is: why is your IP stack sitting at SYN_RECV instead
of ESTABLISHED, CLOSE_WAIT or FIN_WAIT? Apache shouldn't be locking up - it
should just spit back the appropriate HTTP error (if there is one!) and then
ACK/ACK-FIN/FIN-ACK/RST the connection.

I suspect as it's an XTR and there were many things wrong with them that
there's either a kernel bug or Apache is broken. And it's not 'attacks',
strictly speaking. Have you looked in your Apache error logs?

Graeme



> ----------
> From: 	Jordan Lowe
> Reply To: 	cobalt-security@xxxxxxxxxxxxxxx
> Sent: 	Sunday, December 30, 2001 20:28 PM
> To: 	cobalt-security@xxxxxxxxxxxxxxx
> Subject: 	[cobalt-security] syn_flood dos attack
>
>
> I'm having an issue on an old raq XTR (yes, the ones that have been
> recalled) with multiple ip addresses attacking port 80 on the server.
>
>
> [root /etc]# netstat -n | grep SYN
> tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
> tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
> tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
> tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV
> tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
> tcp        0      0 64.94.47.105:80         165.247.32.175:21241    SYN_RECV
> [SNIP]
>
> Basically the attack goes all the way through each ip on the server
> (64.94.47.0/24) and locks up apache.
>
> Every time I block the attacking ip address on the firewall, the attacker
> finds another machine to attack from.
>
> I know this is a firewall issue, but is there a way to stop this from
> happening on the server side?
>
> The kernel version is 2.2.16C23, which I thought had stopped this attack
> type by timing out syn packets faster.  But- since they're hitting so many
> separate ip addresses, maybe that has something to do with it?
>
>
>
> Thanks,
> Jordan
>
> --
>
> Jordan Lowe
> Server Central Network
> (888) 875-4804 x255
>
>
>