
RE: [cobalt-security] SYN attacks killing me! Please HELP!



> Hi there,
>
> I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> both) with nearly 150 customers on it. A few weeks ago the server suddenly
> stopped responding, first once a day, but now it's a nightmare..
> sometimes it stays ok for days, then some day.. we start receiving
> SYN_RECV packets and the server dies.
>
> Changed from raq3 to raq4 and today the history repeated again.
>
> I've used tcp_syncookies, I have tried lots of ipchains firewalls, and
> nothing seems to help. Oh, and yes, I've installed up to the latest
> patch. The last thing I did was to create a script I run every 2 minutes
> that detects SYN_RECV connections; if more than 15 are detected, then
> those IPs are banned (ipchains). It has somehow stopped attacks, but it's
> not perfect... somehow the bastard does the nasty in those 2 minutes and
> kills my server.
>
> Reading on the internet I found that it's a problem affecting old 2.2.x
> kernels (x<17 I think).. if you use a firewall and also set
> tcp_syncookies to 1, somehow you are in danger. My concern is that I can
> NOT wait any longer for cobalt to release a new kernel, I've waited like
> 2 months and no new updates regarding kernels. Is there ANY workaround I
> can do in order to avoid syn attacks? My clients are very upset with me
> because of the constant failures and I have no life.. saturday night,
> sundays early in the morning, friday afternoon, at any time my system
> has to be rebooted...
>
> Please, help.
>
> Ernesto

Ernesto, we have a couple of RaQ3's and have been having similar problems
with the systems going down intermittently.  One server in particular is
being used to power a single somewhat high-profile website and recently for
about a week straight it was going down every day.  We scoured the logfiles
and did find unusual activity but nothing that explained the crashes.  We
noticed a lot of unauthorized attempts at accessing the admin server and we
applied some firewall rules to port 81; the system hasn't crashed since.
Sorry I can't give a more technical explanation, we aren't even sure if we
fixed the issue with the new rules or if we're just lucky.

-Brad
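The half-open connection check Ernesto describes (count SYN_RECV entries per remote address every couple of minutes, flag anything over a threshold) can be written as a small portable shell filter over `netstat -tn` output. The script below is an added example written for this thread, not Ernesto's script or anything shipped with the RaQ; the `netstat` sample it parses is constructed to match the standard net-tools column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State), and the addresses are documentation ranges. It only lists offenders and leaves the response (an `ipchains` or other firewall rule) to the operator.

```shell
#!/bin/sh
# Added example (not from the thread): list remote IPs holding more than a
# threshold of half-open (SYN_RECV) TCP connections, as seen in `netstat -tn`.
#
# Constructed sample in the net-tools `netstat -tn` layout; IPv4 only, which
# matches the 2.2-kernel era the thread is about (the port-stripping below
# would need adjusting for bracketless IPv6 addresses).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:4321       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:4322       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:4323       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:5555        ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:6000        SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:6001        SYN_RECV'

# syn_recv_offenders THRESHOLD < netstat-output
# Prints "IP COUNT" for every remote IP with more than THRESHOLD half-open
# connections, highest count first. Only the state column is trusted, so
# ESTABLISHED and other states never count against an address.
syn_recv_offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        $1 == "tcp" && $6 == "SYN_RECV" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)      # drop the remote port, keep the address
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > t) print ip, count[ip] }
    ' | sort -k2,2nr
}

# Feed the constructed sample through the filter with a low threshold so the
# single heavy source stands out; returns "198.51.100.7 3".
run_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_offenders 2
}

# On a live host the same filter reads the real table, e.g. from cron:
#   netstat -tn | syn_recv_offenders 15
run_sample
```

Two caveats a practitioner would keep in mind when using a check like this. A SYN flood from spoofed source addresses spreads the half-open entries across addresses that never reach any per-IP threshold, and blocking them achieves nothing because the sender does not own them; for that case `tcp_syncookies` (the sysctl Ernesto already set) is the mitigation, because it lets the kernel answer SYNs without keeping state. The per-IP rule is still useful for the un-spoofed case, but a two-minute cron interval leaves a window, so the count is better read as a detection signal to alert on than as the only line of defence.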