
Re: [cobalt-security] SYN attacks killing me! Please HELP!



I haven't had any problem like this, but just in case, I installed the SonicWall
Pro and plugged all of the Cobalt RaQs into the DMZ port. It works great.

-Randy
----- Original Message -----
From: "Bradley Caricofe" <caricofe@xxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, July 22, 2002 4:06 PM
Subject: RE: [cobalt-security] SYN attacks killing me! Please HELP!


> > Hi there,
> >
> > I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to
> > both) with near 150 customers in it, a few weeks ago the server suddenly
> > stopped responding, first once a day, but now it's a nightmare..
> > sometimes it stays for days ok, then some day.. we start receiving
> > SYN_RECV packets and the server dies.
> >
> > Changed from raq3 to raq4 and today the history repeated again.
> >
> > I've used tcp_syn_cookies, I have tried lots of ipchains firewalls, and
> > nothing seems to help. Oh, and yes, I've installed until the latest
> > patch. The last thing I did was to create a script I run every 2 minutes
> > and detects SYN_RECV connections, if more than 15 are detected, then
> > those IPs are banned (ipchains) it has somehow stopped attacks, but it's
> > not perfect... somehow the bastard do the nasty in those 2 minutes and
> > kill my server.
> >
> > Reading in the internet I found that it's a problem affecting old 2.2.x
> > kernels (x<17 I think).. if you use a firewall and also set
> > tcp_syncookies to 1 somehow you are in danger. My concern is that I can
> > NOT wait any longer for cobalt to release a new kernel, I've waited like
> > 2 months and no new updates regarding kernels. Is there ANY workaround I
> > can do in order to avoid syn attacks? My clients are very upset with me
> > because of the constant failures and I have no life.. Saturday night,
> > Sundays early in the morning, Friday afternoon, at any time my system
> > has to be rebooted...
> >
> > Please, help.
> >
> > Ernesto
>
> Ernesto, we have a couple of RaQ3's and have been having similar problems
> with the systems going down intermittently.  One server in particular is
> being used to power a single somewhat high-profile website and recently for
> about a week straight it was going down every day.  We scoured the logfiles
> and did find unusual activity but nothing that explained the crashes.  We
> noticed a lot of unauthorized attempts at accessing the admin server and we
> applied some firewall rules to port 81, the system hasn't crashed since.
> Sorry I can't give a more technical explanation, we aren't even sure if we
> fixed the issue with the new rules or if we're just lucky.
>
> -Brad
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
>
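Added example, not part of any message in this thread: a sketch of the detection step Ernesto describes (count SYN_RECV sockets per remote address, flag any source above 15), extended with a total half-open count, because a flood whose source addresses differ on every packet keeps each per-source count at 1 and never trips the per-address threshold. The function names and the sample lines are constructed for illustration; the parsing assumes the usual `netstat -nt` column order (proto, recv-q, send-q, local, foreign, state).

```shell
#!/bin/sh
# Threshold from the post: more than 15 half-open connections per source.
THRESHOLD=15

# Reads `netstat -nt` style lines on stdin; prints "count ip" for every
# remote address with more than $1 sockets in SYN_RECV, highest first.
syn_recv_offenders() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)      # strip the remote port
            count[addr]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit)
                    print count[ip], ip
        }
    ' | sort -rn
}

# Total SYN_RECV sockets, whatever the source address.
syn_recv_total() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# Constructed sample input (documentation address ranges, not real hosts).
sample_netstat() {
    echo "Active Internet connections (w/o servers)"
    echo "Proto Recv-Q Send-Q Local Address   Foreign Address   State"
    i=0
    while [ "$i" -lt 20 ]; do      # one source, 20 half-open sockets
        echo "tcp 0 0 192.0.2.10:80 198.51.100.7:$((1025 + i)) SYN_RECV"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le 30 ]; do      # 30 sources, one half-open socket each
        echo "tcp 0 0 192.0.2.10:80 203.0.113.$i:4000 SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:80 198.51.100.99:5000 ESTABLISHED"
}

sample_netstat | syn_recv_offenders "$THRESHOLD"
echo "total SYN_RECV: $(sample_netstat | syn_recv_total)"
```

On a live host the input would come from `netstat -nt` instead of `sample_netstat`. In the sample, only one address is flagged although 50 sockets are half-open, which is the gap the total count exposes.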