Possible SYN Flooding?!?!

avio · Feb 8, 2004

I tried to access my website a couple of minutes ago... and it didn't work, so Im like wtf?! I get an email from my SIM Monitor on the server..

- SIM Log:
[02/08/04 10:30:00]: NETWORK is online.
[02/08/04 10:35:00]: LOAD 0.76 (status good)
[02/08/04 10:35:00]: NETWORK is online.
[02/08/04 10:40:00]: LOAD 0.47 (status good)
[02/08/04 10:40:00]: NETWORK is online.
[02/08/04 10:45:00]: LOAD 0.38 (status good)
[02/08/04 10:45:00]: NETWORK is online.
[02/08/04 10:50:01]: LOAD 0.34 (status good)
[02/08/04 10:50:01]: NETWORK is online.
[02/08/04 10:55:58]: LOAD 72.52 (status critical)
[02/08/04 10:55:58]: NETWORK is online.
[02/08/04 11:01:11]: LOAD 127.00 (status critical)
[02/08/04 11:01:11]: NETWORK is online.
[02/08/04 11:06:22]: LOAD 139.37 (status critical)
[02/08/04 11:06:22]: NETWORK is online.

- System Log:
Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

"LOAD 139.37"

Someone help so I can prevent this from the future...

hostultra · Feb 8, 2004

Someone is doing a DOS attack against a site on your server.
In WHM goto Apache Status and look for any sites that has a huge amount of requests.

K_aneda · Feb 29, 2004

Apache Patch?

Surely there's a patch we could introduce that:

- Activates itself when the load goes over 10 or a user-defined value
- If a IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ childs of apache spawned, not a pretty sight. (was 20 before the attack).

mr.wonderful · Feb 29, 2004

Install APF firewall and use the DOS module to drop connections that syn flood.

K_aneda · Feb 29, 2004

Suppose that's one possibility.
Other one is thinking of limiting incoming SYNs in iptables... only question is how many is a number to stop at?

I'm thinking any more than 50 a second should be dropped... any thoughts people?

myusername · Sep 29, 2004

possible SYN flooding on port 80. Sending cookies.
Click to expand...

Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?

anup123 · Sep 29, 2004

Try this apache module:

http://www.nuclearelephant.com/projects/dosevasive/

Anup

K_aneda · Sep 29, 2004

bump.

hmm dos_evasive is seen on quite a few posts already on these forums. Generally consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?

Alexandre Duran · Jan 10, 2005

Execute the command:

netstat -an |grep :80 | grep SYN_RECV | more

And block the ips in your firewall (APF i guess)

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Possible SYN Flooding?!?!

avio Well-Known Member

hostultra Well-Known Member

K_aneda Well-Known Member

mr.wonderful BANNED

K_aneda Well-Known Member

myusername Well-Known Member
PartnerNOC

anup123 Well-Known Member

K_aneda Well-Known Member

Alexandre Duran Well-Known Member

Possible to recreate the welcome email (email accounts)?

Is it possible for a rogue code to insert a cron job?

How can I rename package names in the safest possible way?

SOLVED PHP FPM - impossible to validate new configuration

Possible to install CSF via WHM GUI?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Possible SYN Flooding?!?!

avio Well-Known Member

hostultra Well-Known Member

K_aneda Well-Known Member

mr.wonderful BANNED

K_aneda Well-Known Member

myusername Well-Known Member PartnerNOC

anup123 Well-Known Member

K_aneda Well-Known Member

Alexandre Duran Well-Known Member

Possible to recreate the welcome email (email accounts)?

Is it possible for a rogue code to insert a cron job?

How can I rename package names in the safest possible way?

SOLVED PHP FPM - impossible to validate new configuration

Possible to install CSF via WHM GUI?

Share This Page

myusername Well-Known Member
PartnerNOC