
Re: [cobalt-developers] SYN flooding



> Date: Tue, 26 Mar 2002 21:10:23 -0800
> From: William L. Thomson Jr. <wlt@xxxxxxxxxxxxxxxxxxxx>


> We used to be colo'ed, but now we have a couple SDSL lines and a pair of 
> Netopia routers. I have been considering getting a Cisco PIX or 
> something to inspect packets and etc. that could most likely assist in 
> this situation. I will have to look into that. At the moment due to the 

A PIX would work.  As would a <insert favorite flavor of> *ix
box.  I rather like the latter.  But, then, I like tinkering.


> limited space on the Netopia routers I am blocking them out from the XTR 
> using ipchains on the XTR.
> 
> I have not had a problem on any other machines, but this XTR is the only 
> one that runs a web server publicly.

Okay.


> No, I am running NAT, or PAT to be specific. So they are not local 
> machines, definitely remote.

Now I'm confused.  These packets are being sent to 192.168.1.x on
the local host... were those IPs changed, or how are those bound?
Something is sending to your MAC address.  How does it know to
send 192.168.1.x to you?

A. You used 192.168.1.x for public view, and that's not the real
   netblock used by the machine

B. Your router translates public <--> 192.168.1.x

C. It has to be something that can directly specify the MAC
   address, which means it CANNOT cross a router, because that
   subnet will NOT be routed by any competent provider.


> > If you are running a firewall, I almost have to wonder... might
> > there be a problem with something such as ECN blocking legitimate
> > requests?  Might the heavy hitters be proxy caches?
> 
> I do not think so, but I may have to look into that.

I, too, rather doubt it, but it's possible.  It could be that the
other end has a firewall that gags on ECN.


> Yes, and it is not normal web traffic because my apache logs do not show 

The three-way handshake was never completed.  I don't believe
Apache sees the connection until the socket is CONNECTED.  I'd need
to check this to be absolutely positive, but I'm pretty sure.


> the IPs. If someone is using port 854 on the other end, then maybe they 
> have root access, and know what they are doing?

Either that or some service running as root is really pounding
away.  I've noticed at home that Squid will send several requests
when Apache bombs... I do a fair amount of hacking Apache, and do
slip in some bad code (read: segfaults) now and then... Squid
keeps trying, and I end up with a handful of console messages
complaining that httpd bombed.


> Scratch that, after rescanning, all responded and I have records of the scans.
> 
> Each is not your average user. Each has some sort of firewall.

I'll take your word.  So far it looks like you've been quite
thorough.


> It sure seems like it. From a variety of IPs, so I am not too sure if 
> it's one person using one of his platoons on me.

Also possible.


> Some of the more recent ones have had DNS records. One was 
> cruel.and.passively.rotted.org 65.116.181.236

Interesting.  Sounds a bit odd for a coincidence.


> I am still a little skeptical, but at least I know I am not blocking out 
> the average surfer with broadband and a mouse. :)

:-)


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.