Re: [cobalt-security] syn_flood dos attack
- Subject: Re: [cobalt-security] syn_flood dos attack
- From: "cronus" <cronus@xxxxxx>
- Date: Mon, 31 Dec 2001 16:48:50 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
The main problem with a genuine syn flood is that the attackers can
very simply spoof the source IP address on the attacking packets.
Because the attacker only sends a SYN packet, he/she doesn't need
to receive any ACK packets, allowing him to randomly choose a source
IP address.
----- Original Message -----
From: Jordan Lowe <jordan@xxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: 30 December 2001 20:28
Subject: [cobalt-security] syn_flood dos attack
I'm having an issue on an old raq XTR (yes, the ones that have been recalled) with multiple ip addresses attacking port
80 on the server.
[root /etc]# netstat -n | grep SYN
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
[SNIP]
Basically the attack goes all the way through each ip on the server (64.94.47.0/24) and locks up apache.
Every time I block the attacking ip address on the firewall, the attacker finds another machine to attack from.
I know this is a firewall issue, but is there a way to stop this from happening on the server side?
The kernel version is 2.2.16C23, which I thought had stopped this attack type by timing out syn packets faster. But
since they're hitting so many separate ip addresses, maybe that has something to do with it?
Thanks,
Jordan
--
Jordan Lowe
Server Central Network
(888) 875-4804 x255
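The pattern Jordan posted (one remote host leaving SYN_RECV entries on port 80 of every local address) and cronus's point that the source can be spoofed both come down to reading the half-open connection table. Below is an added example, not code from either poster, that parses `netstat -n` lines in the format shown above and summarises SYN_RECV entries per remote address, per local port, and by how many distinct local addresses each remote host touches. The sample lines are constructed to mirror the thread plus some ordinary traffic; the thresholds in `flag_suspects` and `flooded_ports` are assumptions for illustration.

```python
"""Summarise half-open (SYN_RECV) TCP connections from `netstat -n` output.

Added example for the cobalt-security thread; not from the original posts.
Usage on a live box:  netstat -n | python3 syn_summary.py
"""
import re
import sys
from collections import Counter

# One `netstat -n` line: proto recv-q send-q local:port foreign:port state
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s*$"
)

# Constructed sample: one remote host hitting port 80 across several local
# addresses (as in the thread), plus two normal established connections.
SAMPLE = """\
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
tcp 0 0 64.94.47.100:80 10.0.0.5:51234 ESTABLISHED
tcp 0 0 64.94.47.100:22 10.0.0.9:40001 ESTABLISHED
"""


def parse_netstat(text):
    """Yield a dict per parsable line; headers and unrelated lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def syn_recv_summary(text):
    """Return (per_remote, per_local_port, spread) for SYN_RECV entries only.

    spread maps each remote address to the number of distinct local addresses
    it has half-open connections to.
    """
    per_remote = Counter()
    per_lport = Counter()
    local_addrs = {}
    for c in parse_netstat(text):
        if c["state"] != "SYN_RECV":
            continue
        per_remote[c["raddr"]] += 1
        per_lport[c["lport"]] += 1
        local_addrs.setdefault(c["raddr"], set()).add(c["laddr"])
    spread = {r: len(a) for r, a in local_addrs.items()}
    return per_remote, per_lport, spread


def flag_suspects(text, min_half_open=5, min_spread=3):
    """Remote addresses exceeding an assumed half-open count or local-address spread."""
    per_remote, _, spread = syn_recv_summary(text)
    return sorted(
        r for r, n in per_remote.items()
        if n >= min_half_open or spread.get(r, 0) >= min_spread
    )


def flooded_ports(text, min_total=5):
    """Local ports whose total SYN_RECV count exceeds an assumed threshold.

    Useful when sources are spoofed: each remote address then shows only one
    or two entries, but the per-port total still reveals the flood.
    """
    _, per_lport, _ = syn_recv_summary(text)
    return sorted(p for p, n in per_lport.items() if n >= min_total)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    per_remote, per_lport, spread = syn_recv_summary(data)
    for raddr, n in per_remote.most_common():
        print(f"{raddr:<18} half-open={n:<4} local_addrs={spread[raddr]}")
    print("suspects:", flag_suspects(data))
    print("flooded ports:", flooded_ports(data))
```

When the source addresses are genuinely spoofed, as cronus describes, the per-remote counts stop being useful (every address shows one entry), which is why the script also totals SYN_RECV by local port: that number grows regardless of what the attacker puts in the source field.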