Re: [cobalt-users] RAQ2 SYN flood attack
- Subject: Re: [cobalt-users] RAQ2 SYN flood attack
- From: Diana Brake <diana@xxxxxxxxxxxxx>
- Date: Tue Apr 10 07:19:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 05:31 PM 4/10/01, Jay wrote:
Hey everyone,
I just wanted to let everyone know that yesterday I caught someone doing a
SYN flood attack on our server. I happened to notice it in the hourly
logcheck email. I got a hold of our colo provider and they took it off line
for a few minutes. That apparently stopped the attacker. Unfortunately he
probably moved on to attack someone else.
My question is, are these SYN floods a big problem or are they more of a
nuisance DoS attack? Any gurus out there have any input?
Are the older RAQ2 kernels open to this kind of attack? My RAQ2 kernel is
listed as 2.0.34.
I've included some of my logs for the benefit of others on the list. Maybe
it will help you spot any future trouble.
--
TIA,
jay
=-=-=-=-=-=-=-=
Apr 9 13:01:19 ns1 kernel: Warning: possible SYN flood from 24.4.254.129 on 207.228.240.126:80. Sending cookies.
<snippage>
Hi Jay,
I have a RaQ2 also and I see these regularly. I've not seen one in my logs
though that shows so many coming through from multiple IPs in quick succession.
Here is a URL with some info about SYN floods and yes, I believe our RaQ2
kernels are capable of throwing the cookies back as your logs showed.
http://www.networkice.com/Advice/Exploits/TCP/SYN_flood/default.htm
My colo provider has their router set up to detect these so that may very
well be why I only see one instance of a SYN flood and nothing more. Nice
to have someone watching the pass as the wagons go through..:)
Maybe your colo provider will be willing to set this protection in front of
you too.
see ya,
Diana
Crest Communications, Inc. diana@xxxxxxxxxxxxx
Beautiful Sunny Florida http://crestcommunications.com/
352-495-9359, 425-732-9785 fax
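As an added example (not from this thread, and not Cobalt's or logcheck's own code): a small Python script that parses kernel warnings in the exact format Jay quoted, skips unrelated syslog lines, and flags a target port that is warned about from several distinct source addresses within a short window, which is the pattern Diana describes as unusual. The sample log lines and all addresses in it are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Kernel warning in the format quoted in the thread (RaQ2, Linux 2.0.34).
# "Sending cookies" means the kernel already switched to SYN cookies for it.
SYN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"Warning: possible SYN flood from (?P<src>[\d.]+) on "
    r"(?P<dst>[\d.]+):(?P<port>\d+)\. Sending cookies\.$"
)

# Constructed sample syslog lines; the addresses are documentation-range
# values, not the ones from the thread.
SAMPLE_LOG = [
    "Apr  9 13:01:19 ns1 kernel: Warning: possible SYN flood from 203.0.113.7 on 192.0.2.10:80. Sending cookies.",
    "Apr  9 13:01:21 ns1 kernel: Warning: possible SYN flood from 203.0.113.8 on 192.0.2.10:80. Sending cookies.",
    "Apr  9 13:01:40 ns1 sshd[412]: Accepted password for admin from 198.51.100.5",
    "Apr  9 13:01:55 ns1 kernel: Warning: possible SYN flood from 203.0.113.9 on 192.0.2.10:80. Sending cookies.",
    "Apr  9 14:30:02 ns1 kernel: Warning: possible SYN flood from 203.0.113.20 on 192.0.2.10:25. Sending cookies.",
]

def parse_syn_warnings(lines, year=2001):
    """Return (ts, src, dst, port) for SYN-flood lines; syslog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = SYN_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the "Apr  9" day padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["port"])))
    return events

def flag_bursts(events, window_sec=60, min_sources=3):
    """Map (dst, port) -> sorted source list for targets warned about from at
    least min_sources distinct addresses within any window_sec span."""
    by_target = defaultdict(list)
    for ts, src, dst, port in events:
        by_target[(dst, port)].append((ts, src))
    alerts = {}
    for target, hits in by_target.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            srcs = {s for t, s in hits[i:] if (t - t0).total_seconds() <= window_sec}
            if len(srcs) >= min_sources:
                alerts[target] = sorted(srcs)
                break
    return alerts
```

On a real box, feed it `/var/log/messages` (or whatever file logcheck scans) instead of SAMPLE_LOG; a single warning is the kernel already coping with cookies, while a burst from many sources is the case worth raising with the colo provider.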