The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Possible SYN Flooding?!?!

Discussion in 'General Discussion' started by avio, Feb 8, 2004.

  1. avio

    avio Well-Known Member

    Joined:
    Oct 6, 2003
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    156
    I tried to access my website a couple of minutes ago... and it didn't work, so Im like wtf?! I get an email from my SIM Monitor on the server..

    - SIM Log:
    [02/08/04 10:30:00]: NETWORK is online.
    [02/08/04 10:35:00]: LOAD 0.76 (status good)
    [02/08/04 10:35:00]: NETWORK is online.
    [02/08/04 10:40:00]: LOAD 0.47 (status good)
    [02/08/04 10:40:00]: NETWORK is online.
    [02/08/04 10:45:00]: LOAD 0.38 (status good)
    [02/08/04 10:45:00]: NETWORK is online.
    [02/08/04 10:50:01]: LOAD 0.34 (status good)
    [02/08/04 10:50:01]: NETWORK is online.
    [02/08/04 10:55:58]: LOAD 72.52 (status critical)
    [02/08/04 10:55:58]: NETWORK is online.
    [02/08/04 11:01:11]: LOAD 127.00 (status critical)
    [02/08/04 11:01:11]: NETWORK is online.
    [02/08/04 11:06:22]: LOAD 139.37 (status critical)
    [02/08/04 11:06:22]: NETWORK is online.

    - System Log:
    Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
    Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
    Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
    Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
    Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
    Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

    Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

    "LOAD 139.37"

    Someone help so I can prevent this from the future...
     
    #1 avio, Feb 8, 2004
  2. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    166
    Someone is doing a DOS attack against a site on your server.
    In WHM goto Apache Status and look for any sites that has a huge amount of requests.
     
    #2 hostultra, Feb 8, 2004
  3. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    Apache Patch?

    Surely there's a patch we could introduce that:

    - Activates itself when the load goes over 10 or a user-defined value
    - If a IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

    That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ childs of apache spawned, not a pretty sight. (was 20 before the attack).
     
    #3 K_aneda, Feb 29, 2004
  4. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    166
    Install APF firewall and use the DOS module to drop connections that syn flood.
     
    #4 mr.wonderful, Feb 29, 2004
  5. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    Suppose that's one possibility.
    Other one is thinking of limiting incoming SYNs in iptables... only question is how many is a number to stop at?

    I'm thinking any more than 50 a second should be dropped... any thoughts people?
     
    #5 K_aneda, Feb 29, 2004
  6. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    692
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?
     
    #6 myusername, Sep 29, 2004
  7. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    168
    Location:
    This Planet
    #7 anup123, Sep 29, 2004
  8. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Sydney, Australia
    bump.

    hmm dos_evasive is seen on quite a few posts already on these forums. Generally consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?
     
    #8 K_aneda, Sep 29, 2004
  9. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    60
    Likes Received:
    0
    Trophy Points:
    156
    Location:
    Rio de Janeiro - BRAZIL
    Execute the command:

    netstat -an |grep :80 | grep SYN_RECV | more

    And block the ips in your firewall (APF i guess)
     
    #9 Alexandre Duran, Jan 10, 2005
(You must log in or sign up to post here.)
Loading...
Similar Threads - Possible Flooding
  1. VMunich

    Is it possible to whitelist command/programs to be used by shell_exec?

    VMunich, Jul 3, 2017, in forum: Security
    Replies:
    4
    Views:
    80
    quizknows
    Jul 4, 2017
  2. Dave__W

    Global Wildcard Email Filter Possible?

    Dave__W, Jun 29, 2017, in forum: E-mail Discussions
    Replies:
    4
    Views:
    93
    Dave__W
    Jun 29, 2017
  3. Killy123

    Is it possible to add redirect to domain with cPanel API?

    Killy123, Jun 15, 2017, in forum: cPanel Developers
    Replies:
    4
    Views:
    127
    cPanelMichael
    Jul 20, 2017 at 10:21 AM
  4. Luca Sartori

    Use WHM as nameserver, risk and possible issue

    Luca Sartori, May 31, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    5
    Views:
    167
    cPanelMichael
    Jun 5, 2017
  5. Soeren E

    Possible to disable the mails boxtrapper sends?

    Soeren E, May 29, 2017, in forum: E-mail Discussions
    Replies:
    2
    Views:
    111
    cPanelMichael
    May 30, 2017

Share This Page