Possible SYN Flooding?!?!

avio · Feb 8, 2004

I tried to access my website a couple of minutes ago... and it didn't work, so Im like wtf?! I get an email from my SIM Monitor on the server..

- SIM Log:
[02/08/04 10:30:00]: NETWORK is online.
[02/08/04 10:35:00]: LOAD 0.76 (status good)
[02/08/04 10:35:00]: NETWORK is online.
[02/08/04 10:40:00]: LOAD 0.47 (status good)
[02/08/04 10:40:00]: NETWORK is online.
[02/08/04 10:45:00]: LOAD 0.38 (status good)
[02/08/04 10:45:00]: NETWORK is online.
[02/08/04 10:50:01]: LOAD 0.34 (status good)
[02/08/04 10:50:01]: NETWORK is online.
[02/08/04 10:55:58]: LOAD 72.52 (status critical)
[02/08/04 10:55:58]: NETWORK is online.
[02/08/04 11:01:11]: LOAD 127.00 (status critical)
[02/08/04 11:01:11]: NETWORK is online.
[02/08/04 11:06:22]: LOAD 139.37 (status critical)
[02/08/04 11:06:22]: NETWORK is online.

- System Log:
Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

"LOAD 139.37"

Someone help so I can prevent this from the future...

hostultra · Feb 8, 2004

Someone is doing a DOS attack against a site on your server.
In WHM goto Apache Status and look for any sites that has a huge amount of requests.

K_aneda · Feb 29, 2004

Apache Patch?

Surely there's a patch we could introduce that:

- Activates itself when the load goes over 10 or a user-defined value
- If a IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ childs of apache spawned, not a pretty sight. (was 20 before the attack).

mr.wonderful · Feb 29, 2004

Install APF firewall and use the DOS module to drop connections that syn flood.

K_aneda · Feb 29, 2004

Suppose that's one possibility.
Other one is thinking of limiting incoming SYNs in iptables... only question is how many is a number to stop at?

I'm thinking any more than 50 a second should be dropped... any thoughts people?

myusername · Sep 29, 2004

possible SYN flooding on port 80. Sending cookies.
Click to expand...

Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?

anup123 · Sep 29, 2004

Try this apache module:

http://www.nuclearelephant.com/projects/dosevasive/

Anup

K_aneda · Sep 29, 2004

bump.

hmm dos_evasive is seen on quite a few posts already on these forums. Generally consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?

Alexandre Duran · Jan 10, 2005

Execute the command:

netstat -an |grep :80 | grep SYN_RECV | more

And block the ips in your firewall (APF i guess)

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Possible SYN Flooding?!?!

avio Well-Known Member

hostultra Well-Known Member

K_aneda Well-Known Member

mr.wonderful BANNED

K_aneda Well-Known Member

myusername Well-Known Member
PartnerNOC

anup123 Well-Known Member

K_aneda Well-Known Member

Alexandre Duran Well-Known Member

Is it possible for a rogue code to insert a cron job?

How can I rename package names in the safest possible way?

SOLVED PHP FPM - impossible to validate new configuration

Possible to install CSF via WHM GUI?

Is it possible to install cPanel 68?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Possible SYN Flooding?!?!

avio Well-Known Member

hostultra Well-Known Member

K_aneda Well-Known Member

mr.wonderful BANNED

K_aneda Well-Known Member

myusername Well-Known Member PartnerNOC

anup123 Well-Known Member

K_aneda Well-Known Member

Alexandre Duran Well-Known Member

Is it possible for a rogue code to insert a cron job?

How can I rename package names in the safest possible way?

SOLVED PHP FPM - impossible to validate new configuration

Possible to install CSF via WHM GUI?

Is it possible to install cPanel 68?

Share This Page

myusername Well-Known Member
PartnerNOC