[cobalt-security] Re: syn_flood dos attack (Nico Meijer)
- Subject: [cobalt-security] Re: syn_flood dos attack (Nico Meijer)
- From: "Jordan Lowe" <jordan@xxxxxxxxxxxxxxxxx>
- Date: Tue, 1 Jan 2002 15:31:01 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Well, I tried using the iptables stuff (echo 1 >
/proc/sys/net/ipv4/tcp_syncookies), and I still see the syn stuff, but I
think it's working. Apache hasn't crashed yet, which is great. Thanks Nico,
I appreciate the info.
Thanks,
Jordan
--
Jordan Lowe
Server Central Network
(888) 875-4804 x255
Date: Tue, 01 Jan 2002 13:29:54 +0100
To: cobalt-security@xxxxxxxxxxxxxxx
From: Nico Meijer <nico.meijer@xxxxxxxxx>
Subject: Re: [cobalt-security] syn_flood dos attack
Reply-To: cobalt-security@xxxxxxxxxxxxxxx
Hi Jordan,
>I'm having an issue on an old raq XTR (yes, the ones that have been
>recalled) with multiple ip addresses attacking port 80 on the server.
>
>
>[root /etc]# netstat -n | grep SYN
>tcp 0 0 64.94.47.100:80 165.247.32.175:42938 SYN_RECV
>tcp 0 0 64.94.47.101:80 165.247.32.175:49098 SYN_RECV
>tcp 0 0 64.94.47.102:80 165.247.32.175:3868 SYN_RECV
>tcp 0 0 64.94.47.103:80 165.247.32.175:65292 SYN_RECV
>tcp 0 0 64.94.47.104:80 165.247.32.175:20280 SYN_RECV
>tcp 0 0 64.94.47.105:80 165.247.32.175:21241 SYN_RECV
>[SNIP]
Are there *many* more?
>Basically the attack goes all the way through each ip on the server
>(64.94.47.0/24) and locks up apache.
Hmmm... This has happened to a machine (non-RaQ) of mine as well. All IPs
belong to broadband ISPs in either USA or Canada and the IPs are
unreachable (which would indeed indicate a SYN flood with spoofed IPs). On
this machine, the number of connections in SYN_RECV state is hardly ever
more than 20-30, so I can't really call it a 'flood'.
I have a limited number of IPs on that machine and apache keeps running
perfectly.
>Every time I block the attacking ip address on the firewall, the attacker
>finds another machine to attack from.
Indeed.
>I know this is a firewall issue, but is there a way to stop this from
>happening on the server side?
Hardly a firewall issue, IIRC; it can be fixed within the kernel. Try this
as root:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
But check the path first; this is from memory. If it works, add it to
rc.local.
Good luck... Nico
--__--__--
Message: 2
Date: Tue, 1 Jan 2002 16:27:55 +0000
From: Nick Drage <nickd@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] syn_flood dos attack
Reply-To: cobalt-security@xxxxxxxxxxxxxxx
On Tue, Jan 01, 2002 at 01:29:54PM +0100, Nico Meijer wrote:
> >I'm having an issue on an old raq XTR (yes, the ones that have been
> >recalled) with multiple ip addresses attacking port 80 on the server.
As has been pointed out elsewhere, do ensure that this is a genuine SYN
flood, rather than an annoyance.
If there isn't an absolute barrage of packets, it could be a broken
router, firewall or proxy server (especially as it's port 80) in the
way. The broken device is sending the SYN to you, you're replying with
an ACK, which at some point is then incorrectly dropped or misrouted on
the way back; so you get a kind of gentle SYN flood effect.
--
Nick Drage - Security Architecture - Demon Internet
"A lonely voice
Echoing through the wilderness
Request Timed Out"
--__--__--
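The two replies above suggest a triage order: first count how many half-open (SYN_RECV) connections there really are and where they come from, to tell a genuine flood from a "gentle" one caused by a broken device, and only then flip the kernel SYN-cookie switch that Nico names. The script below is an added example, not code from any of the posters; the netstat lines it parses are constructed to match the format Jordan quoted, and the 30-connection threshold is an assumption taken from Nico's "20-30 is hardly a flood" remark, not a kernel default.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `netstat -n` style output,
# counts SYN_RECV entries in total and per remote address, and checks or
# enables /proc/sys/net/ipv4/tcp_syncookies, verifying the path first.

# Constructed sample in the layout quoted in the thread: one remote host
# walking the local /24 on port 80, plus one ordinary established session.
SAMPLE_NETSTAT='tcp        0      0 64.94.47.100:80         165.247.32.175:42938    SYN_RECV
tcp        0      0 64.94.47.101:80         165.247.32.175:49098    SYN_RECV
tcp        0      0 64.94.47.102:80         165.247.32.175:3868     SYN_RECV
tcp        0      0 64.94.47.100:80         10.0.0.5:51000          ESTABLISHED
tcp        0      0 64.94.47.103:80         165.247.32.175:65292    SYN_RECV'

# Total number of half-open connections on stdin (column 6 is the state).
count_syn_recv() {
    awk '$6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# SYN_RECV count per remote address, "count ip", highest first.
# Many addresses with a few each looks like spoofing; one address with
# many looks like the broken router/proxy Nick describes.
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Crude classification; threshold (default 30) is an assumption.
classify_syn_recv() {
    n="$1"
    threshold="${2:-30}"
    if [ "$n" -gt "$threshold" ]; then echo flood; else echo low; fi
}

# Current SYN-cookie setting: prints 0/1, or "missing" if the path is wrong.
syncookies_state() {
    path="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    if [ -r "$path" ]; then cat "$path"; else echo missing; fi
}

# Enable SYN cookies (needs root for the real path). Checks the path first,
# as Nico advises, and fails rather than creating a stray file.
enable_syncookies() {
    path="${1:-/proc/sys/net/ipv4/tcp_syncookies}"
    [ -w "$path" ] || { echo "no such writable sysctl: $path" >&2; return 1; }
    echo 1 > "$path"
}

# Demo on the constructed sample; on a real box pipe `netstat -n` instead.
total=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv)
echo "SYN_RECV connections: $total ($(classify_syn_recv "$total"))"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
echo "tcp_syncookies: $(syncookies_state)"
```

Note that SYN cookies do not stop the SYNs arriving; they only stop the half-open backlog from filling, so still seeing SYN_RECV entries after enabling them (as Jordan reports) is expected. To persist the setting, put the `echo` in rc.local as Nico suggests, or on a system with sysctl add `net.ipv4.tcp_syncookies = 1` to /etc/sysctl.conf.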