
Re: [cobalt-developers] SYN flooding



> Date: Tue, 26 Mar 2002 12:37:38 -0800
> From: William L. Thomson Jr. <support@xxxxxxxxxxxxxxxxxxxx>

(snipping throughout)


> www.obsidian-studios.com:www  66-182-46-206.atgi:2781 SYN_RECV
> 
> From time to time a particular IP address will have multiple lines like 
> the one above with multiple connections to each IP site on my server.

> I have begun denying service to certain IPs that look like they are 
> abusing the server. So far I have denied all access from 6 IP addresses.

Bad idea.


> Although I am not too sure if that is what I should have done or not.

No.


> The kernel seems to have tcp_syncookies enabled, which I think is 
> correct, I can turn it off if it will help. But it is one by default, I 
> never turned it on.

IIRC, it is not on by default... unless enabled in init script,
which cat sounds like it was.

	cat /proc/sys/net/ipv4/tcp_syncookies

to see for sure.


> Anyway I just want to make sure that I am addressing this
> situation properly and not blocking people out of the server
> who are not trying to abuse it.

You might be blocking innocents.  How do you know those packets
aren't spoofed?

Let's say someone wants to be really nasty.  They send spoofed
SYN packets at you that appear to come from DNS root servers.
You block those IPs.  No more outside DNS requests for you.

DO NOT block packets unless you know the ramifications.

There's always TCP intercept on a border router.


> Is this something I need to be concerned with, and what should
> I do about it? It seems that after a period of time even IPs
> that have multiple SYN_RECV connections end up disappearing. I
> am starting to second guess my decision to block out those
> IPs.

Be concerned if it interferes with service.  Yes, they should
time out and eventually drop.

If you want to see a *ton* of SYN_RECV sockets, run nmap with the
-sS option.

Paranoia is good, but in this case you have an itchy trigger
finger.


> Any comments or advice. Either is greatly appreciated.

HTH


> William L. Thomson Jr.


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
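An added example, not part of the thread above: a small shell helper that summarizes half-open (SYN_RECV) sockets per remote host from netstat-style "local remote state" lines (the format of the line William quoted) and reads the tcp_syncookies sysctl Eddy points at. The sample lines are constructed; the counts only tell you whether the backlog is large enough to interfere with service, and since the remote column can be spoofed they are not by themselves a reason to block an address.

```shell
#!/bin/sh
# Added example (not from the original thread). Input format assumed:
# one socket per line as "local_addr:port remote_addr:port STATE",
# e.g. from:  netstat -tn | awk 'NR > 2 { print $4, $5, $6 }'

# Constructed sample input (hostnames/ports are made up for illustration).
SAMPLE='www.example.com:www  66-182-46-206.atgi:2781 SYN_RECV
www.example.com:www  66-182-46-206.atgi:2782 SYN_RECV
www.example.com:www  66-182-46-206.atgi:2783 SYN_RECV
www.example.com:www  10.0.0.5:40000 ESTABLISHED
www.example.com:www  192.0.2.9:5151 SYN_RECV'

# syn_recv_counts: read socket lines on stdin, print "count remote_host"
# for every remote host with at least one SYN_RECV entry, largest first.
syn_recv_counts() {
    awk '$3 == "SYN_RECV" { sub(/:[^:]*$/, "", $2); c[$2]++ }
         END { for (h in c) print c[h], h }' | sort -rn
}

# flag_hosts THRESHOLD: print "remote_host count" for hosts whose
# half-open count reaches THRESHOLD (input on stdin, as above).
flag_hosts() {
    threshold=$1
    syn_recv_counts | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# syncookies_state: print the tcp_syncookies sysctl value (1 = on, 0 = off),
# or "unknown" when the file is not readable (non-Linux, no /proc).
syncookies_state() {
    f=/proc/sys/net/ipv4/tcp_syncookies
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Usage on the constructed sample: flag hosts with 3 or more half-open sockets.
printf '%s\n' "$SAMPLE" | flag_hosts 3
echo "tcp_syncookies: $(syncookies_state)"
```

Run against live data with `netstat -tn | awk 'NR > 2 { print $4, $5, $6 }' | flag_hosts 20` (threshold is an assumption to tune for your server).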