Possible SYN Flooding?!?!

avio

I tried to access my website a couple of minutes ago... and it didn't work, so I'm like wtf?! I got an email from my SIM Monitor on the server..

- SIM Log:
[02/08/04 10:30:00]: NETWORK is online.
[02/08/04 10:35:00]: LOAD 0.76 (status good)
[02/08/04 10:35:00]: NETWORK is online.
[02/08/04 10:40:00]: LOAD 0.47 (status good)
[02/08/04 10:40:00]: NETWORK is online.
[02/08/04 10:45:00]: LOAD 0.38 (status good)
[02/08/04 10:45:00]: NETWORK is online.
[02/08/04 10:50:01]: LOAD 0.34 (status good)
[02/08/04 10:50:01]: NETWORK is online.
[02/08/04 10:55:58]: LOAD 72.52 (status critical)
[02/08/04 10:55:58]: NETWORK is online.
[02/08/04 11:01:11]: LOAD 127.00 (status critical)
[02/08/04 11:01:11]: NETWORK is online.
[02/08/04 11:06:22]: LOAD 139.37 (status critical)
[02/08/04 11:06:22]: NETWORK is online.

- System Log:
Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

Now what the hell is this?? I cannot log in. I requested that my datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

"LOAD 139.37"

Someone help so I can prevent this in the future...
 

hostultra

Someone is doing a DoS attack against a site on your server.
In WHM go to Apache Status and look for any sites that have a huge amount of requests.
 

K_aneda

Apache Patch?

Surely there's a patch we could introduce that:

- Activates itself when the load goes over 10 or a user-defined value
- If an IP is requesting more than x requests per y seconds/minutes, ignore that IP for z seconds

That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ Apache children spawned, not a pretty sight (it was 20 before the attack).
 
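The per-IP x/y/z rule proposed above (more than x requests in y seconds, ignore the IP for z seconds), as an added example that is not code from this thread or from Apache/cPanel: a sliding-window limiter replayed over constructed Apache common-log lines. The log format, the thresholds (5 requests / 10 s, 60 s ban) and the client IPs are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Leading fields of Apache's common log format: client IP and the bracketed
# request timestamp (assumed; adjust the pattern if your LogFormat differs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


class RequestLimiter:
    """More than max_requests from one IP inside window_seconds (x per y)
    bans that IP for ban_seconds (z). Timestamps are epoch seconds."""

    def __init__(self, max_requests, window_seconds, ban_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.ban = ban_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps still in window
        self.banned_until = {}             # ip -> epoch second the ban lifts

    def allow(self, ip, now):
        """True if the request should be served, False if it should be ignored."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.banned_until[ip]      # ban expired: start counting afresh
            self.recent[ip].clear()
        q = self.recent[ip]
        q.append(now)
        while q and q[0] < now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) > self.max_requests:
            self.banned_until[ip] = now + self.ban
            q.clear()
            return False
        return True


def replay_access_log(lines, limiter):
    """Feed access-log lines through the limiter; return {ip: ignored_count}."""
    ignored = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # skip lines that do not parse
        ts = datetime.strptime(m.group('ts'), TS_FMT).timestamp()
        if not limiter.allow(m.group('ip'), ts):
            ignored[m.group('ip')] += 1
    return dict(ignored)


# Constructed sample log (not from the thread): 10.0.0.5 sends 12 requests in
# one second, 10.0.0.9 sends two normal requests a second later.
BASE = '08/Feb/2004:11:04:30 +0000'
BASE_TS = datetime.strptime(BASE, TS_FMT).timestamp()
SAMPLE_LINES = (
    ['10.0.0.5 - - [%s] "GET / HTTP/1.0" 200 512' % BASE] * 12
    + ['10.0.0.9 - - [08/Feb/2004:11:04:31 +0000] "GET /index.html HTTP/1.0" 200 2048'] * 2
)
```

Running `replay_access_log(SAMPLE_LINES, RequestLimiter(5, 10, 60))` ignores 7 of the 12 flood requests (the sixth trips the ban, the rest fall inside it) and none from 10.0.0.9; the same IP is served again once 60 seconds have passed.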

K_aneda

Suppose that's one possibility.
The other one is to think about limiting incoming SYNs in iptables... the only question is how many is the number to stop at?

I'm thinking any more than 50 a second should be dropped... any thoughts people?
 

myusername

possible SYN flooding on port 80. Sending cookies.
Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?
 

K_aneda

bump.

Hmm, dos_evasive is seen in quite a few posts already on these forums. The general consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way, however?