[GLLUG] Getting hammered with connections to port 80

Tim Woodall t at woodall.me.uk
Sat Sep 29 20:56:38 UTC 2018


On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:

> On Sat, 29 Sep 2018, Alistair Mann via GLLUG wrote:
>
>> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>>> Does anyone know what these guys are trying to do?
>>> 
>>> These are the connections to my webserver (port 80) in the last five
>>> hours. Almost all of them did not actually make a get request.
>> Did you just get a new IP address? Sometimes I see traffic intended for the 
>> previous holder.
>> 
>> That there is no GET brings Port Knocking to mind.
>> 
> But it doesn't make sense that the same host would repeat this over and
> over again. There's no RST so I assume this is deliberate. If it was a
> ddos amplification then I'd expect to see a RST (unless, of course, the
> DDoSed hosts are dropping these phantom SYN+ACK packets somewhere)
>
> Is there a kernel setting to turn off sending followup SYN+ACK if
> there's no ACK?
>

Hurrah, I've managed to write some IPTABLES rules to block this stuff:

#Don't do this if you never want to unblock someone that gets added
     ${IPTABLES} -t filter -A FORWARD -p tcp -i isp --tcp-flags ACK ACK -m recent --name EVILSYN2 --remove

#If the source is in the EVILSYN2 list then drop this packet
     ${IPTABLES} -t filter -A FORWARD -m recent --name EVILSYN2 --update -j DROP

#If the packet is in the EVILSYN1 list then test for EVILSYN
     ${IPTABLES} -t filter -A FORWARD -p tcp -i isp --syn -m recent --name EVILSYN1 --update -j EVILSYN

#All syn packets get added to EVILSYN1
     ${IPTABLES} -t filter -A FORWARD -p tcp -i isp --syn -m recent --name EVILSYN1 --set

#All ack packets reset the EVILSYN1 flag
     ${IPTABLES} -t filter -A FORWARD -p tcp -i isp --tcp-flags ACK ACK -m recent --name EVILSYN1 --remove

#Return if we're below the hashlimit
#This stops "good" connections getting added when we've got some packet loss
     ${IPTABLES} -t filter \
                 -A EVILSYN \
                 -m hashlimit \
                 --hashlimit-name SYNLIMIT \
                 --hashlimit-mode srcip \
                 --hashlimit-srcmask 32 \
                 --hashlimit-upto 1/hour \
                 --hashlimit-burst 2 \
                 --hashlimit-htable-expire 30000 \
                 -j RETURN

     ${IPTABLES} -t filter \
                 -A EVILSYN \
                 -m limit \
                 --limit ${LOG_FLOOD} \
                 -j LOG \
                 --log-level warning \
                 --log-prefix "ADDED TO EVILSYN "

#Add the packet to the EVILSYN list and drop it
     ${IPTABLES} -t filter \
                 -A EVILSYN \
                 -m recent \
                 --name EVILSYN2 \
                 --set \
                 -j LDROP



You want to be a little cautious if you try to use these rules yourself.
They're a quick hack which is reasonably safe for me, where no packets
are forwarded from the internet that cannot do a 3-way TCP handshake, but
were a service to go down and the target to start returning RST packets,
the source would get added to EVILSYN2 very quickly and EVERYTHING will
be blocked from that host.

You might be able to unblock it with an ACK packet that is not preceded
by a SYN.

Sep 29 21:44:58 heisenberg vmunix: [277419.617403] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.180.253 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=22739 DF PROTO=TCP SPT=36461 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:45:38 heisenberg vmunix: [277459.984757] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.180.254 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=6574 DF PROTO=TCP SPT=29154 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:46:17 heisenberg vmunix: [277498.416928] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.180.252 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=22634 DF PROTO=TCP SPT=32472 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:46:51 heisenberg vmunix: [277532.285307] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=110.173.56.3 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=46619 DF PROTO=TCP SPT=26867 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:47:30 heisenberg vmunix: [277571.102925] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=203.205.158.12 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=55329 DF PROTO=TCP SPT=22584 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:48:45 heisenberg vmunix: [277646.561032] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.154.194 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=15972 DF PROTO=TCP SPT=23051 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:50:02 heisenberg vmunix: [277723.140143] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.154.195 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=36904 DF PROTO=TCP SPT=4692 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:50:38 heisenberg vmunix: [277759.294448] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.154.192 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=43747 DF PROTO=TCP SPT=15276 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:51:53 heisenberg vmunix: [277834.852117] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=149.56.154.193 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=27213 DF PROTO=TCP SPT=31658 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 
Sep 29 21:52:34 heisenberg vmunix: [277875.338050] ADDED TO EVILSYN IN=isp OUT=eth0 MAC= SRC=167.114.41.150 DST=192.168.100.100 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=55494 DF PROTO=TCP SPT=38589 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Tim.
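Tim's rules can be read as a small per-source state machine. The simulation below is an added example, not code from the post: it models the two "recent" lists and the hashlimit bucket in Python over a constructed packet trace (made-up addresses and timestamps), showing a normal client, a client with one SYN retransmit (covered by the burst of 2), and a SYN-only repeater that is added to EVILSYN2 on its fourth SYN and can only be released by a later ACK.

```python
"""Model of the EVILSYN iptables rules from the post (added example, not Tim's code)."""

UPTO_PER_SEC = 1 / 3600.0   # --hashlimit-upto 1/hour
BURST = 2                   # --hashlimit-burst 2
HTABLE_EXPIRE = 30          # --hashlimit-htable-expire 30000 (ms): idle entry is forgotten


class EvilSyn:
    def __init__(self):
        self.evilsyn1 = set()   # -m recent --name EVILSYN1: sources with an unanswered SYN
        self.evilsyn2 = set()   # -m recent --name EVILSYN2: blocked sources
        self.bucket = {}        # hashlimit SYNLIMIT, per srcip: (tokens, last_seen)

    def hashlimit_ok(self, src, now):
        """True while the source still has burst tokens (rule RETURNs)."""
        tokens, last = self.bucket.get(src, (BURST, now))
        if now - last > HTABLE_EXPIRE:                  # entry expired: fresh burst
            tokens, last = BURST, now
        tokens = min(BURST, tokens + (now - last) * UPTO_PER_SEC)
        if tokens >= 1:
            self.bucket[src] = (tokens - 1, now)
            return True
        self.bucket[src] = (tokens, now)
        return False                                    # falls through to LOG + set + drop

    def forward(self, now, src, flags):
        """Return 'ACCEPT' or 'DROP' for one inbound packet on the isp interface."""
        syn_only = "SYN" in flags and not flags & {"ACK", "RST", "FIN"}   # --syn
        if "ACK" in flags:                              # rule 1: any ACK unblocks
            self.evilsyn2.discard(src)
        if src in self.evilsyn2:                        # rule 2: blocked source
            return "DROP"
        if syn_only and src in self.evilsyn1:           # rule 3: repeat SYN -> EVILSYN chain
            if not self.hashlimit_ok(src, now):
                self.evilsyn2.add(src)                  # "ADDED TO EVILSYN", then LDROP
                return "DROP"
        if syn_only:
            self.evilsyn1.add(src)                      # rule 4
        if "ACK" in flags:
            self.evilsyn1.discard(src)                  # rule 5: handshake completed
        return "ACCEPT"


def run(trace):
    """Apply the rules to a list of (time, src, flags); return (decisions, blocked set)."""
    fw = EvilSyn()
    return [fw.forward(t, src, set(f)) for t, src, f in trace], fw.evilsyn2


# Constructed trace, not real traffic.
TRACE = [
    (0, "198.51.100.7", ("SYN",)), (1, "198.51.100.7", ("ACK",)),    # normal handshake
    (2, "198.51.100.9", ("SYN",)), (3, "198.51.100.9", ("SYN",)),    # one retransmit, then ACK
    (4, "198.51.100.9", ("ACK",)),
] + [(10 + i, "203.0.113.5", ("SYN",)) for i in range(5)]            # SYN-only repeater
```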