Re: [cobalt-developers] SYN flooding
- Subject: Re: [cobalt-developers] SYN flooding
- From: "William L. Thomson Jr." <wlt@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue Mar 26 11:21:32 2002
- Organization: Obsidian-Studios Inc.
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
E.B. Dreger wrote:
> IIRC, it is not on by default... unless enabled in init script,
> which cat sounds like it was.
> cat /proc/sys/net/ipv4/tcp_syncookies
> to see for sure.
I did that prior to posting and it was 1 which is on.
> You might be blocking innocents. How do you know those packets
> aren't spoofed?
I do not know. Any recommendations on finding out?
> Let's say someone wants to be really nasty. They send spoofed
> SYN packets at you that appear to come from DNS root servers.
> You block those IPs. No more outside DNS requests for you.
I did make sure the IPs were nothing like that. They seem to be home DSL
users, one or two cable modems, and a couple others.
> DO NOT block packets unless you know the ramifications.
> There's always TCP intercept on a border router.
What do you mean by TCP intercept on a border router?
> Be concerned if it interferes with service. Yes, they should
> time out and eventually drop.
What concerns me most is the logs. I would assume it would not be
logging what it is without receiving some sort of impact. Hard to tell
if it has affected any services. Hasn't seemed to, but I am hoping to
address it before it becomes a problem.
> If you want to see a *ton* of SYN_RECV sockets, run nmap with the
> -sS option.
> Paranoia is good, but in this case you have an itchy trigger
> finger.
I did nmap each IP before blocking them. To begin with I had to disable
pinging on the few that I could probe. The ones I was able to probe
showed ports filtered and some abnormal ones open. Also none had DNS for
the IPs beyond the ISP DNS, like you see on DSL and cable modem lines.
A couple did not respond to the probe at all and my probes were timing
out. So I am pretty sure these were not your average web surfers. Each
had some sort of firewalling/filtering on open ports.
I have seen a lot more SYN_RECV sockets than the six I have blocked. But
each of the six that I blocked had many simultaneous sockets active that
did not seem to time out in a reasonable time.
When this first came to my attention, I simply restarted the web server
which dropped the socket connections. Almost immediately after a few had
timed out and Apache was restarted several connections appeared.
I also did ARIN lookups on a few IP addresses that did not appear to be
owned by an ISP. If it became a problem I had a few companies who I could
contact and let them know one of their IP addresses was attacking me.
Still my biggest concern is the logs, since I would assume it would only
log a valid SYN attack?
Although I may be a little trigger happy, I do not think so, though; I
tried to take my time and be as thorough as possible.
--
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
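The thread above turns on two checks: whether SYN cookies are enabled, and how many half-open (SYN_RECV) sockets each remote address is holding. The script below is an added example, not code from the thread or from Cobalt; it assumes the six-column `netstat -tn` layout (Proto Recv-Q Send-Q Local Foreign State) and runs on a constructed sample so it works offline.

```shell
#!/bin/sh
# Added example: summarise SYN_RECV sockets per remote IP and report the
# tcp_syncookies state. The netstat lines in SAMPLE are constructed, not real.

# Constructed `netstat -tn` output: one host holding several half-open
# sockets, one with a single SYN_RECV, and two ESTABLISHED connections.
SAMPLE='tcp        0      0 192.0.2.10:80      198.51.100.7:40212     SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.7:40213     SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.7:40214     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.44:51000     SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.9:33021      ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.7:40215     ESTABLISHED'

# Read netstat lines on stdin; print "<count> <remote-ip>" for every remote
# address with SYN_RECV sockets, highest count first. The port is stripped
# from the foreign column (field 5) so all sockets from one host are grouped.
syn_recv_by_ip() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Read a syn_recv_by_ip summary on stdin; print the count for IP $1 (0 if absent).
syn_recv_count() {
    awk -v ip="$1" '$2 == ip { n = $1 } END { print n + 0 }'
}

# Print on/off for /proc/sys/net/ipv4/tcp_syncookies, or "unknown" when the
# file cannot be read (non-Linux host), so the rest of the script still runs.
syncookies_state() {
    f=/proc/sys/net/ipv4/tcp_syncookies
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo on ;;
            0) echo off ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Live use would be: netstat -tn | syn_recv_by_ip
printf '%s\n' "$SAMPLE" | syn_recv_by_ip
echo "tcp_syncookies: $(syncookies_state)"
```

A handful of addresses each holding many SYN_RECV sockets is the pattern the poster describes; a flood with spoofed sources instead shows up as many addresses with one or two sockets each, where blocking individual IPs achieves nothing. On current Linux, `ss -tn` prints a different column layout, so the field numbers in the awk filter would need adjusting.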