[Gllug] Under attack from Russia

Alain Williams addw at phcomp.co.uk
Wed Aug 26 23:11:03 UTC 2009


My web server (bytemark VM) is experiencing a SYN flood attack from a site in Russia.
This is where they send the TCP SYN packet but then ignore the reply from my machine.
The packets all come from 193.169.4.X & 193.169.5.X, where X is incremented 0..255.
There is nothing in the Apache log files for this.

At any one time there are 127 +- 3 part-open sockets (SYN_RECV) to my port 80 from these reprobates.

I noticed this about 6 hours ago, no idea when it started. Still happening.

It does not seem to cause problems, but I suspect that it would if they increased the attack rate 10 fold (or something).

This is easy to kill with a one line addition to my firewall, I have done that and am monitoring
it to see if they stop -- now that I am no longer sending SYN_ACKs back to them.


My /proc/sys/net/ipv4/tcp_max_syn_backlog is set to 1024.

/proc/sys/net/ipv4/tcp_syncookies is 0 - setting this to 1 didn't appear to do much
(I took the DROP rule out of the firewall and the count of 1/2 open TCP connections rose,
so I put it back in)



Questions:

1) I noticed this by chance (I don't often run 'netstat -tpn') but what I would like to know is what
   I could, or should, do to detect and mitigate any problems that this might cause me?

2) What are they gaining by this ?



Here is a bit of tcpdump output

23:31:10.110611 IP (tos 0x0, ttl 247, id 46976, offset 0, flags [none], proto 6, length: 40) 193.169.4.254.41247 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 54240
23:31:10.473547 IP (tos 0x0, ttl 247, id 46977, offset 0, flags [none], proto 6, length: 40) 193.169.4.255.19719 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 48865
23:31:10.840809 IP (tos 0x0, ttl 247, id 46978, offset 0, flags [none], proto 6, length: 40) 193.169.5.0.890 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 62311
23:31:11.204305 IP (tos 0x0, ttl 247, id 46979, offset 0, flags [none], proto 6, length: 40) 193.169.5.1.42820 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 36329
23:31:11.568609 IP (tos 0x0, ttl 247, id 46980, offset 0, flags [none], proto 6, length: 40) 193.169.5.2.44369 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 34220
23:31:11.931002 IP (tos 0x0, ttl 247, id 46981, offset 0, flags [none], proto 6, length: 40) 193.169.5.3.23780 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 3078
23:31:12.292378 IP (tos 0x0, ttl 247, id 46982, offset 0, flags [none], proto 6, length: 40) 193.169.5.4.46109 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 33013
23:31:12.638030 IP (tos 0x0, ttl 247, id 46983, offset 0, flags [none], proto 6, length: 40) 193.169.5.5.30780 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 41200
23:31:12.991150 IP (tos 0x0, ttl 247, id 46984, offset 0, flags [none], proto 6, length: 40) 193.169.5.6.54134 > 80.68.91.63.http: S [tcp sum ok] 0:0(0) win 1141

I looked at:

	http://www.securityfocus.com/infocus/1729

TIA

-- 
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
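The post asks how to notice a SYN flood without happening to run netstat, and the firewall fix it describes is a DROP on the attacking range. The script below is an added example for this thread, not code from the original post or from its author: it reads `netstat -tn` style output, counts half-open (SYN_RECV) sockets to a chosen local port per source /24, and prints the iptables rule that would stop answering any prefix over a threshold. The function names, the threshold, and the sample netstat output are assumptions made for the example; the sample reuses source addresses from the tcpdump above but is constructed, not a capture.

```shell
#!/bin/sh
# Added example (not from the original post): detect a SYN flood from a
# compact source range via the count of half-open sockets per /24, and
# emit the matching firewall rule. Names and thresholds are assumptions.

# Count SYN_RECV sockets on local port $1 per source /24.
# Reads `netstat -tn` output on stdin; prints "count prefix", highest first.
syn_recv_sources() {
    port="$1"
    awk -v port="$port" '
        $NF == "SYN_RECV" {
            split($4, la, ":")          # local addr:port
            split($5, ra, ":")          # remote addr:port
            if (la[2] != port) next
            n = split(ra[1], o, ".")    # only IPv4 dotted quads
            if (n != 4) next
            count[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -rn
}

# For every /24 holding at least $2 half-open sockets to port $1, print an
# iptables rule that drops its SYNs (so no SYN-ACKs go back, as in the post).
# A single netstat run is a point sample: run this from cron or a loop.
syn_flood_rules() {
    port="$1"; threshold="$2"
    syn_recv_sources "$port" | while read -r count prefix; do
        [ "$count" -ge "$threshold" ] || continue
        echo "iptables -I INPUT -s $prefix -p tcp --dport $port --syn -j DROP"
    done
}

# Constructed sample of `netstat -tn` output (not a real capture).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 80.68.91.63:80          193.169.4.254:41247     SYN_RECV
tcp        0      0 80.68.91.63:80          193.169.5.0:890         SYN_RECV
tcp        0      0 80.68.91.63:80          193.169.5.3:23780       SYN_RECV
tcp        0      0 80.68.91.63:80          193.169.5.6:54134       SYN_RECV
tcp        0      0 80.68.91.63:80          198.51.100.7:51000      ESTABLISHED
tcp        0      0 80.68.91.63:22          203.0.113.9:40000       SYN_RECV
tcp        0      0 80.68.91.63:80          192.0.2.44:51234        SYN_RECV'

# Stand-alone run: per-/24 counts, then rules for prefixes at 3 or more half-open.
printf '%s\n' "$SAMPLE" | syn_recv_sources 80
printf '%s\n' "$SAMPLE" | syn_flood_rules 80 3
```

On a live box replace the sample with `netstat -tn | syn_recv_sources 80` (or `ss -tn state syn-recv`). Dropping by source prefix works here because the sources are a fixed pair of /24s that the sender is not hiding; against a flood with spoofed, scattered sources there is nothing stable to block, and the in-kernel defence is `net.ipv4.tcp_syncookies = 1` plus a sane `tcp_max_syn_backlog`, which cost nothing until the backlog actually fills.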