My Linode and another server (different host, different location) have been experiencing what appears to be a SYNFLOOD attack this afternoon. I am seeing entries like this in netstat -nt:
Code:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ----------------- 86.171.83.244:54380 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:128 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:32772 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:32871 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:176 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:44 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:8303 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:144 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:25 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:140 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:57382 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:38888 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:24650 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:72 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:4111 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:41336 SYN_RECV
tcp 0 0 ----------------- 86.171.83.244:114 SYN_RECV
They do this for a while with anywhere from 5 to 50 connections, and then suddenly it jumps to what I can only assume are tens or hundreds of thousands all at once. I did "netstat -nt > netstat.txt" and the resulting file was 335MB.
So far the addresses that have been used are:
I have CSF/LFD installed with syn flood enabled (1) and the rate set to 2/s with burst of 10. I have portflood set to 80;tcp;5;5 and connlimit set to 80;30. Nothing seems to be stopping these attacks. There are no entries at all for these IPs in my /var/log/messages, though other IPs are getting blocked per the firewall rules, and if I hammer my web server with requests from my smartphone, sure enough I get "SYN FLOOD blocked" in /var/log/messages. It's like CSF is immune to these specific IPs I'm being attacked from. I've checked, and they are not listed in my csf.allow file.
I tried enabling syn cookies by uncommenting "net.ipv4.tcp_syncookies=1" in /etc/sysctl.conf and restarting networking, but that doesn't seem to have had any effect.
The only way I've been able to block these is to put in rules to block 81.0.0.0/8, 86.0.0.0/8, etc. (a bit ham-fisted, but it's working for now). When I remove those rules, invariably within a few minutes another attack starts from a new IP address.
I wonder if anyone can help me figure out why I'm not able to stop this activity, or help me to understand what is going on.
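Added example, not from the post above: a small helper that counts SYN_RECV entries per remote address in saved `netstat -nt` output (the same column layout shown in the post), so the sources holding the most half-open connections stand out before any blocking decision is made. One caveat relevant to the sysctl change mentioned: with `net.ipv4.tcp_syncookies=1` the kernel only starts answering with cookies once the listening socket's SYN backlog overflows, so SYN_RECV entries still show up in netstat even when syncookies are working.

```shell
# Added example (not from the original post): count half-open (SYN_RECV)
# connections per remote address in `netstat -nt` output.
# Usage: syn_recv_by_source [netstat.txt|-] [threshold]
#   file defaults to "-" (stdin), threshold defaults to 20, e.g.
#   netstat -nt | syn_recv_by_source - 20
syn_recv_by_source() {
    file="${1:--}"
    threshold="${2:-20}"
    # Column layout as in the post: Proto Recv-Q Send-Q Local Foreign State.
    # $5 is "addr:port"; strip only the trailing ":port" so IPv6 addresses
    # (which contain colons themselves) are kept intact.
    awk -v thr="$threshold" '
        $6 == "SYN_RECV" {
            sub(/:[0-9]+$/, "", $5)
            n[$5]++
        }
        END {
            for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip
        }' "$file" | sort -rn
}

# Constructed sample in the post's layout (documentation-range addresses,
# not the ones reported in the post).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.5:80 198.51.100.7:54380 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:128 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:32772 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.9:41336 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.9:44 SYN_RECV
EOF
}

# Demo: with threshold 2 only 198.51.100.7 (3 half-open entries) is listed.
sample_netstat | syn_recv_by_source - 2
```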