Hi Jordan,
I'm having an issue on an old RaQ XTR (yes, the ones that have been recalled) with multiple IP addresses attacking port 80 on the server.

[root /etc]# netstat -n | grep SYN
tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
[SNIP]
Are there *many* more?
Basically the attack goes all the way through each IP on the server (64.94.47.0/24) and locks up Apache.
Hmmm... This has happened to a machine (non-RaQ) of mine as well. All IPs belong to broadband ISPs in either the USA or Canada, and the IPs are unreachable (which would indeed indicate a SYN flood with spoofed IPs). On this machine, the number of connections in SYN_RECV state is hardly ever more than 20-30, so I can't really call it a 'flood'.
I have a limited number of IPs on that machine and Apache keeps running perfectly.
Every time I block the attacking IP address on the firewall, the attacker finds another machine to attack from.
Indeed.
I know this is a firewall issue, but is there a way to stop this from happening on the server side?
Hardly a firewall issue, IIRC; it can be fixed within the kernel. Try this as root:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

But check the path first; this is from memory. If it works, add it to rc.local.

Good luck...

Nico
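An added example, not part of the thread above, showing how to turn the `netstat -n` output Jordan pasted into a quick SYN_RECV summary (half-open connections per remote address, and how many of the server's own IPs are affected) and how to check the tcp_syncookies setting Nico points to. The netstat lines below are constructed sample data in the same format; the script only reads the sysctl, it does not change it.

```shell
#!/bin/sh
# Constructed sample in the layout of `netstat -n` (proto, recv-q, send-q,
# local address, foreign address, state), mirroring the thread's output.
SAMPLE_NETSTAT='tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.103:80         10.0.0.9:5123           ESTABLISHED
tcp        0      0 64.94.47.104:80         165.247.32.175:20280    SYN_RECV
tcp        0      0 64.94.47.105:80         198.51.100.7:21241      SYN_RECV'

# Read netstat output on stdin; print "count remote-ip" for every remote
# address with half-open (SYN_RECV) connections, busiest first.
syn_recv_by_remote() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Read netstat output on stdin; print how many distinct local IPs currently
# hold half-open connections (how far a sweep across the /24 has got).
local_ips_hit() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $4); seen[$4] = 1 }
         END { c = 0; for (ip in seen) c++; print c }'
}

# Report the kernel's SYN cookie setting. Read-only; enabling it is the
# separate `echo 1 > /proc/sys/net/ipv4/tcp_syncookies` step from the reply.
syncookies_status() {
    f=/proc/sys/net/ipv4/tcp_syncookies
    if [ -r "$f" ]; then
        v=$(cat "$f")
        case "$v" in
            0) echo "tcp_syncookies=$v (disabled)" ;;
            *) echo "tcp_syncookies=$v (enabled)" ;;
        esac
    else
        echo "tcp_syncookies: /proc entry not available on this system"
    fi
}

main() {
    echo "half-open connections by remote address:"
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_remote
    printf 'local IPs with half-open connections: %s\n' \
        "$(printf '%s\n' "$SAMPLE_NETSTAT" | local_ips_hit)"
    syncookies_status
}

main "$@"
```

To run it against the live system instead of the sample, pipe `netstat -n` into `syn_recv_by_remote` and `local_ips_hit`.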