Possible SYN Flooding?!?!

[avio]

I tried to access my website a couple of minutes ago... and it didn't work, so Im like wtf?! I get an email from my SIM Monitor on the server..

- SIM Log:
[02/08/04 10:30:00]: NETWORK is online.
[02/08/04 10:35:00]: LOAD 0.76 (status good)
[02/08/04 10:35:00]: NETWORK is online.
[02/08/04 10:40:00]: LOAD 0.47 (status good)
[02/08/04 10:40:00]: NETWORK is online.
[02/08/04 10:45:00]: LOAD 0.38 (status good)
[02/08/04 10:45:00]: NETWORK is online.
[02/08/04 10:50:01]: LOAD 0.34 (status good)
[02/08/04 10:50:01]: NETWORK is online.
[02/08/04 10:55:58]: LOAD 72.52 (status critical)
[02/08/04 10:55:58]: NETWORK is online.
[02/08/04 11:01:11]: LOAD 127.00 (status critical)
[02/08/04 11:01:11]: NETWORK is online.
[02/08/04 11:06:22]: LOAD 139.37 (status critical)
[02/08/04 11:06:22]: NETWORK is online.

- System Log:
Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

"LOAD 139.37"

Someone help so I can prevent this from the future...

 

[hostultra]

Someone is doing a DOS attack against a site on your server.
In WHM goto Apache Status and look for any sites that has a huge amount of requests.

 

[K_aneda]

Apache Patch?

Surely there's a patch we could introduce that:

- Activates itself when the load goes over 10 or a user-defined value
- If a IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ childs of apache spawned, not a pretty sight. (was 20 before the attack).

 

[mr.wonderful]

Install APF firewall and use the DOS module to drop connections that syn flood.

 

[K_aneda]

Suppose that's one possibility.
Other one is thinking of limiting incoming SYNs in iptables... only question is how many is a number to stop at?

I'm thinking any more than 50 a second should be dropped... any thoughts people?

 

[myusername]

possible SYN flooding on port 80. Sending cookies.

Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?

 

[anup123]

Try this apache module:

http://www.nuclearelephant.com/projects/dosevasive/

Anup

 

[K_aneda]

bump.

hmm dos_evasive is seen on quite a few posts already on these forums. Generally consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?

 

[Alexandre Duran]

Execute the command:

netstat -an |grep :80 | grep SYN_RECV | more

And block the ips in your firewall (APF i guess)