Re: [cobalt-security] SYN attacks killing me! Please HELP!
- Subject: Re: [cobalt-security] SYN attacks killing me! Please HELP!
- From: David Lucas <david@xxxxxxxxxxxxxxxx>
- Date: Mon, 22 Jul 2002 18:17:37 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
 
At 05:58 PM 7/22/2002, you wrote:
Hi there,
I own a Cobalt RaQ4 (as well as a RaQ3, and this problem applies to both) 
with nearly 150 customers on it. A few weeks ago the server suddenly stopped 
responding, first once a day, but now it's a nightmare... sometimes it 
stays OK for days, then some day we start receiving SYN_RECV packets and 
the server dies.
I changed from the RaQ3 to the RaQ4 and today history repeated itself again.
I've used tcp_syncookies, I have tried lots of ipchains firewalls, and 
nothing seems to help. Oh, and yes, I've installed up to the latest 
patch. The last thing I did was to create a script that I run every 2 minutes 
which detects SYN_RECV connections; if more than 15 are detected, then those 
IPs are banned (ipchains). It has somehow stopped attacks, but it's not 
perfect... somehow the bastard does the nasty in those 2 minutes and kills my 
server.
Reading on the internet I found that it's a problem affecting old 2.2.x 
kernels (x<17 I think)... if you use a firewall and also set tcp_syncookies 
to 1 somehow you are in danger. My concern is that I can NOT wait any 
longer for Cobalt to release a new kernel; I've waited like 2 months and 
there are no new updates regarding kernels. Is there ANY workaround I can do in 
order to avoid SYN attacks? My clients are very upset with me because of 
the constant failures and I have no life... Saturday night, Sunday early 
in the morning, Friday afternoon, at any time my system has to be rebooted...
Please, help.
Ernesto
PS: My system has like 20 IP addresses. I can reduce them, but not too 
much; I think that is also helping the attacker to distribute the SYN DoS.
It does not seem to be the kernel. I mean, not the Cobalt kernel. From what I 
have read, the fix to the kernel from Apache.org stopped people from 
taking control of your server. It does not stop what you are getting. The 
Cobalt kernel has incorporated the changes to the current kernel. If you 
did the update you have the latest fix by Apache.org.
Read this:
http://www.extremetech.com/article2/0,3973,302776,00.asp
It appears the fix to Apache just keeps the person from getting root 
access, not from doing the DoS.
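The quoted message describes a cron script that counts SYN_RECV connections per remote address every 2 minutes and bans any address over 15 with ipchains. The following is an added illustration of that detection logic, not Ernesto's script or anything from Cobalt: it parses the output format of `netstat -nt`, groups half-open connections by foreign address, and produces the corresponding `ipchains -A input -s <ip> -j DENY` commands without running them. The netstat sample is constructed here (192.0.2.10 as the RaQ, 198.51.100.7 and 203.0.113.x as remote hosts), and the 15-connection threshold is the one from the post. Two caveats a practitioner would want: a SYN flood usually carries spoofed source addresses, so per-IP bans only help against unspoofed floods, and a 2-minute polling interval leaves exactly the window the poster complains about, so this complements rather than replaces tcp_syncookies.

```python
import subprocess
from collections import Counter

# The poster's own cutoff: more than 15 half-open connections from one address.
THRESHOLD = 15


def constructed_netstat():
    """Constructed `netstat -nt` output, not captured from any real host.
    20 half-open connections from one source, 3 from another, one live SSH session."""
    lines = [
        "Active Internet connections (w/o servers)",
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
    ]
    for port in range(40001, 40021):
        lines.append(f"tcp        0      0 192.0.2.10:80           198.51.100.7:{port}      SYN_RECV")
    for port in range(51000, 51003):
        lines.append(f"tcp        0      0 192.0.2.10:80           203.0.113.5:{port}       SYN_RECV")
    lines.append("tcp        0      0 192.0.2.10:22           203.0.113.9:53022       ESTABLISHED")
    return "\n".join(lines) + "\n"


def count_syn_recv(netstat_output):
    """Return a Counter of remote IP -> number of connections in SYN_RECV."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # netstat rows: Proto Recv-Q Send-Q Local Foreign State
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        # Strip the port; rsplit keeps IPv6 addresses containing ':' intact.
        remote_ip = fields[4].rsplit(":", 1)[0]
        counts[remote_ip] += 1
    return counts


def offenders(netstat_output, threshold=THRESHOLD):
    """Remote addresses with more than `threshold` half-open connections, sorted."""
    return sorted(ip for ip, n in count_syn_recv(netstat_output).items() if n > threshold)


def ban_commands(ips):
    """ipchains commands (2.2 kernel firewall, as on the RaQ) that would block each address.
    Returned as strings for review; nothing here executes them."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in ips]


if __name__ == "__main__":
    # On a real host you would feed the live table instead of the constructed sample:
    #   output = subprocess.run(["netstat", "-nt"], capture_output=True, text=True).stdout
    output = constructed_netstat()
    hits = offenders(output)
    for ip in hits:
        print(f"{ip}: {count_syn_recv(output)[ip]} SYN_RECV connections")
    for cmd in ban_commands(hits):
        print(cmd)
```

Run from cron every 2 minutes as the poster did, the script would print one ban line for 198.51.100.7 on the sample and nothing for 203.0.113.5, whose 3 half-open connections stay under the threshold.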