Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Possible SYN Flooding?!?!

Discussion in 'General Discussion' started by avio, Feb 8, 2004.

  1. avio

    avio Well-Known Member

    Joined:
    Oct 6, 2003
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    156
    I tried to access my website a couple of minutes ago... and it didn't work, so Im like wtf?! I get an email from my SIM Monitor on the server..

    - SIM Log:
    [02/08/04 10:30:00]: NETWORK is online.
    [02/08/04 10:35:00]: LOAD 0.76 (status good)
    [02/08/04 10:35:00]: NETWORK is online.
    [02/08/04 10:40:00]: LOAD 0.47 (status good)
    [02/08/04 10:40:00]: NETWORK is online.
    [02/08/04 10:45:00]: LOAD 0.38 (status good)
    [02/08/04 10:45:00]: NETWORK is online.
    [02/08/04 10:50:01]: LOAD 0.34 (status good)
    [02/08/04 10:50:01]: NETWORK is online.
    [02/08/04 10:55:58]: LOAD 72.52 (status critical)
    [02/08/04 10:55:58]: NETWORK is online.
    [02/08/04 11:01:11]: LOAD 127.00 (status critical)
    [02/08/04 11:01:11]: NETWORK is online.
    [02/08/04 11:06:22]: LOAD 139.37 (status critical)
    [02/08/04 11:06:22]: NETWORK is online.

    - System Log:
    Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
    Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
    Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
    Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
    Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
    Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

    Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

    "LOAD 139.37"

    Someone help so I can prevent this from the future...
     
    #1 avio, Feb 8, 2004
  2. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    166
    Someone is doing a DOS attack against a site on your server.
    In WHM goto Apache Status and look for any sites that has a huge amount of requests.
     
    #2 hostultra, Feb 8, 2004
  3. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    Apache Patch?

    Surely there's a patch we could introduce that:

    - Activates itself when the load goes over 10 or a user-defined value
    - If a IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

    That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ childs of apache spawned, not a pretty sight. (was 20 before the attack).
     
    #3 K_aneda, Feb 29, 2004
  4. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    166
    Install APF firewall and use the DOS module to drop connections that syn flood.
     
    #4 mr.wonderful, Feb 29, 2004
  5. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    Suppose that's one possibility.
    Other one is thinking of limiting incoming SYNs in iptables... only question is how many is a number to stop at?

    I'm thinking any more than 50 a second should be dropped... any thoughts people?
     
    #5 K_aneda, Feb 29, 2004
  6. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?
     
    #6 myusername, Sep 29, 2004
  7. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    This Planet
    #7 anup123, Sep 29, 2004
  8. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    bump.

    hmm dos_evasive is seen on quite a few posts already on these forums. Generally consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?
     
    #8 K_aneda, Sep 29, 2004
  9. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Rio de Janeiro - BRAZIL
    Execute the command:

    netstat -an |grep :80 | grep SYN_RECV | more

    And block the ips in your firewall (APF i guess)
     
    #9 Alexandre Duran, Jan 10, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - Possible Flooding
  1. electric

    Possible for end-user to see all their active mysql processes?

    electric, Sep 12, 2017, in forum: Database Discussions
    Replies:
    5
    Views:
    73
    cPanelMichael
    Sep 13, 2017
  2. electric

    Possible to select different PHP versions for subdomains and folders?

    electric, Sep 9, 2017, in forum: CloudLinux
    Replies:
    2
    Views:
    71
    cPanelMichael
    Sep 12, 2017
  3. electric

    Possible for end-user to see current processes?

    electric, Sep 5, 2017, in forum: CloudLinux
    Replies:
    1
    Views:
    56
    cPanelMichael
    Sep 6, 2017
  4. elis2

    Is merging partitions possible?

    elis2, Sep 3, 2017, in forum: General Discussion
    Replies:
    3
    Views:
    95
    24x7server
    Sep 6, 2017
  5. VMunich

    Is it possible to whitelist command/programs to be used by shell_exec?

    VMunich, Jul 3, 2017, in forum: Security
    Replies:
    4
    Views:
    156
    quizknows
    Jul 4, 2017

Share This Page