
Re: [cobalt-users] RAQ2 SYN flood attack



On Tue, 10 Apr 2001, Jay Summers wrote:

> Hey everyone,
> 
> I just wanted to let everyone know that yesterday I caught someone doing a
> SYN flood attack on our server. I happened to notice it in the hourly
> 
> My question is, are these SYN floods a big problem or are they more of a
> nuisance DoS attack? Any gurus out there have any input?
> 
> Are the older RAQ2 kernels open to this kind of attack? My RAQ2 kernel is
> listed as 2.0.34.

The 2.0.34 kernel has the basic SYN flood patches, and more or less
recovers in a minute or so; lack of iptables support makes it hard to do
anything else though....

This is more than an annoyance. At the rate you are getting flooded from
your log snippet, it's close to saturating the machine. Remember, SYN is
the first step in opening a connection, and it counts towards the connection
limits; a hard SYN flood will prevent anyone else from connecting until
the open attempts time out. The anti-flood patches basically force the
kernel to accelerate the timeouts on the assumption that most of the
requests are bogus, but this also drops a few legit connection attempts..

The fact that all of those are on port 80 tells me it's an intentional attempt
to DoS your server, rather than some kind of scan....

The large number of IP addresses is interesting; I wonder if this is
really UDP from a single address....if so an IP rule might help a
little....

gsh
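The trade-off gsh describes (a full half-open backlog locks everyone out until entries time out, and shortening the SYN timer frees slots but loses slow legitimate clients) can be seen in a small model. This is an added example, not code from the thread or from the Cobalt kernel; backlog size, timers, rates and RTTs are invented parameters, not RAQ2 or 2.0.34 values.

```python
"""Half-open (SYN) backlog under a flood: long SYN timer versus the
accelerated timer the anti-flood patches impose. Constructed example:
backlog size, timers and rates are invented, not RAQ2/2.0.34 values.
Time is in ticks; flood SYNs never send the final ACK."""

def simulate(backlog_size, syn_timeout, flood_per_tick, legit_per_tick,
             slow_every, fast_rtt, slow_rtt, ticks):
    """Counters for legit clients: accepted, refused (backlog full),
    reaped_legit (timed out before their ACK arrived), pending_legit."""
    table = []          # half-open entries: (opened_at, rtt); rtt None = flood
    stats = {"accepted": 0, "refused": 0, "reaped_legit": 0, "reaped_flood": 0}
    legit_seen = 0
    for t in range(ticks):
        # (1) SYN timer: drop half-open entries older than syn_timeout.
        still = []
        for opened_at, rtt in table:
            if t - opened_at >= syn_timeout:
                stats["reaped_flood" if rtt is None else "reaped_legit"] += 1
            else:
                still.append((opened_at, rtt))
        # (2) Legit ACK arrived: the entry becomes a full connection and leaves.
        table = [e for e in still if e[1] is None or t - e[0] < e[1]]
        stats["accepted"] += len(still) - len(table)
        # (3) New SYNs: flood first; every slow_every-th legit client is slow.
        arrivals = [None] * flood_per_tick
        for _ in range(legit_per_tick):
            legit_seen += 1
            arrivals.append(slow_rtt if legit_seen % slow_every == 0 else fast_rtt)
        for rtt in arrivals:
            if len(table) < backlog_size:
                table.append((t, rtt))
            elif rtt is not None:
                stats["refused"] += 1      # legit SYN met a full backlog
    stats["pending_legit"] = sum(1 for e in table if e[1] is not None)
    stats["legit_total"] = legit_seen
    return stats

def compare(flood_per_tick=10):
    """Same flood, two SYN timers: long lets the flood hold the backlog,
    short frees slots but reaps legit clients whose RTT exceeds the timer."""
    common = dict(backlog_size=128, flood_per_tick=flood_per_tick,
                  legit_per_tick=1, slow_every=5, fast_rtt=1, slow_rtt=8,
                  ticks=300)
    return {"long_timer": simulate(syn_timeout=75, **common),
            "short_timer": simulate(syn_timeout=4, **common)}

if __name__ == "__main__":
    for name, s in compare().items():
        print(name, s)
```

With these parameters the long timer admits only the first dozen legit clients before the backlog is held by flood entries for the rest of the run, while the short timer keeps accepting fast clients but times out every slow one.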