[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-developers] Re: SYN flooding

Subject: [cobalt-developers] Re: SYN flooding
From: "William L. Thomson Jr." <support@xxxxxxxxxxxxxxxxxxxx>
Date: Tue Mar 26 11:30:01 2002
Organization: Obsidian-Studios Inc.
List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>

Here is a clear example of what I am up against

tcp 0 0 192.168.1.3:80 51.189.12.20:44005SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:3241SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:45024SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:45581SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:35868SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:13274SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:61994SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:12884SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:27740SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:42770SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:42194SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:19983SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:65348SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:15570SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:31954SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:20130SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:10930SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:5062SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:63390SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:2011SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:11260SYN_RECVtcp 0 0 192.168.1.1:80 51.189.12.20:38595SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:62897SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:30273SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:43825SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:7057SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:41971SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:41182SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:10025SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:16376SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:37065SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:57915SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:64800SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:58396SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:854SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:7538SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:46706SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:63466SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:46577SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:26128SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:7494SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:23729SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:60079SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:9427SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:13672SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:22563SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:26838SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:50520SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:41887SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:53727SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:59903SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:11863SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:48149SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:58911SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:29155SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:52098SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:60030SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:1246SYN_RECVtcp 0 0 192.168.1.3:80 151.189.12.20:35726SYN_RECVtcp 0 0 192.168.1.1:80 151.189.12.20:25560SYN_RECV


I am going to block this guy and figure it out later.

William L. Thomson Jr. wrote:

I seem to have allot of entries in my dmesg log like the following

possible SYN flooding on port 80. Sending cookies.

Now using netstat I saw some connections similar to

www.obsidian-studios.com:www  66-182-46-206.atgi:2781 SYN_RECV
From time to time a particular IP address will have multiple lines likethe one above with multiple connections to each IP site on my server.
I have begun denying service to certain IP's that look like they areabusing the server. So far I have denied all access from 6 IP addresses.
Although I am not to sure if that is what I should have done or not.
The kernel seems to have tcp_syncookies enabled, which I think iscorrect, I can turn it off if it will help. But it is one by default, Inever turned it on.
Anyway I just want to make sure that I am addressing this situationproperly and not blocking people out of the server who are not trying toabuse it.
Is this something I need to be concerned with, and what should I doabout it? It seems that after a period of time even IP that havemultiple SYN_RECV connections end up disappearing. I am starting tosecond guess my decision to block out those IP's.
Any comments advice. Either is greatly appreciated.



--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 	707.766.9509

Fax707.766.8989

http://www.obsidian-studios.com

References:
- [cobalt-developers] SYN flooding
  - From: William L. Thomson Jr.

Prev by Date: Re: [cobalt-developers] SYN flooding
Next by Date: [cobalt-developers] If the latest Webalizer won't install, what can I do?
Previous by thread: Re: [cobalt-developers] SYN flooding
Next by thread: Re: [cobalt-developers] SYN flooding

Sun Cobalt Developers Message Index

Sun Cobalt Developers Thread Index