The Community Forums

Possible SYN Flooding?!?!

Discussion in 'General Discussion' started by avio, Feb 8, 2004.

  1. avio

    avio Well-Known Member

    Joined:
    Oct 6, 2003
    Messages:
    95
    Likes Received:
    0
    Trophy Points:
    6
    I tried to access my website a couple of minutes ago... and it didn't work, so I'm like wtf?! I get an email from my SIM Monitor on the server..

    - SIM Log:
    [02/08/04 10:30:00]: NETWORK is online.
    [02/08/04 10:35:00]: LOAD 0.76 (status good)
    [02/08/04 10:35:00]: NETWORK is online.
    [02/08/04 10:40:00]: LOAD 0.47 (status good)
    [02/08/04 10:40:00]: NETWORK is online.
    [02/08/04 10:45:00]: LOAD 0.38 (status good)
    [02/08/04 10:45:00]: NETWORK is online.
    [02/08/04 10:50:01]: LOAD 0.34 (status good)
    [02/08/04 10:50:01]: NETWORK is online.
    [02/08/04 10:55:58]: LOAD 72.52 (status critical)
    [02/08/04 10:55:58]: NETWORK is online.
    [02/08/04 11:01:11]: LOAD 127.00 (status critical)
    [02/08/04 11:01:11]: NETWORK is online.
    [02/08/04 11:06:22]: LOAD 139.37 (status critical)
    [02/08/04 11:06:22]: NETWORK is online.

    - System Log:
    Feb 8 11:03:56 server1 named[27957]: lame server resolving '56.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:04:36 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:04:41 server1 named[27957]: lame server resolving '58.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:05:07 server1 kernel: application bug: whostmgrd(32751) has SIGCHLD set to SIG_IGN but calls wait().
    Feb 8 11:05:11 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53
    Feb 8 11:05:41 server1 kernel: (see the NOTES section of 'man 2 wait'). Workaround activated.
    Feb 8 11:05:46 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:05:56 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:00 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.32#53
    Feb 8 11:06:21 server1 named[27957]: lame server resolving '54.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:31 server1 named[27957]: lame server resolving '55.154.230.216.in-addr.arpa' (in '154.230.216.in-addr.arpa'?): 216.230.128.34#53
    Feb 8 11:06:39 server1 kernel: possible SYN flooding on port 80. Sending cookies.
    Feb 8 11:06:41 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.39#53
    Feb 8 11:06:55 server1 named[27957]: lame server resolving '112.18.87.200.in-addr.arpa' (in '18.87.200.in-addr.arpa'?): 200.87.100.10#53
    Feb 8 11:07:06 server1 named[27957]: lame server resolving '90.41.30.208.in-addr.arpa' (in '41.30.208.in-addr.arpa'?): 63.171.232.38#53

    Now what the hell is this?? I cannot login, I requested that my Datacenter reboot, but what can I do to prevent this? You can see my server load has gone above above above normal...

    "LOAD 139.37"

    Someone help so I can prevent this from the future...
     
  2. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    Someone is doing a DOS attack against a site on your server.
    In WHM go to Apache Status and look for any sites that have a huge amount of requests.
     
  3. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Sydney, Australia
    Apache Patch?

    Surely there's a patch we could introduce that:

    - Activates itself when the load goes over 10 or a user-defined value
    - If an IP is requesting more than x amount of requests per y seconds/minutes, ignore that IP for z seconds

    That would allow most users to configure it for when things start going bad - I've been hit by DoS attacks.. 175+ children of apache spawned, not a pretty sight. (was 20 before the attack).
     
  4. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    0
    Install APF firewall and use the DOS module to drop connections that syn flood.
     
  5. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Sydney, Australia
    Suppose that's one possibility.
    The other one I'm thinking of is limiting incoming SYNs in iptables... only question is how many is a number to stop at?

    I'm thinking any more than 50 a second should be dropped... any thoughts people?
     
  6. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Is this line often seen in SYN floods on a default cPanel install or is this something custom compiled in the kernel?
     
  7. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
  8. K_aneda

    K_aneda Well-Known Member

    Joined:
    Feb 29, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Sydney, Australia
    bump.

    hmm dos_evasive is seen on quite a few posts already on these forums. General consensus being that it doesn't help much against most attacks, only mainly against major flooding... has anyone seen it impact users in a major or minor way however?
     
  9. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - BRAZIL
    Execute the command:

    netstat -an | grep :80 | grep SYN_RECV | more

    And block the IPs in your firewall (APF I guess)
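As an added example (not code from any poster in this thread), a small POSIX shell script that does what the command above does by hand: it tallies SYN_RECV entries on port 80 per remote address from netstat output and emits candidate firewall rules for review. The netstat sample is constructed, and the threshold and the iptables rule format are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not taken from the forum post):
# half-open connections to port 80 from a few remote addresses.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:40001        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40002        SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.10:40003        SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:33000       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:33001       ESTABLISHED
tcp        0      0 10.0.0.5:443            192.0.2.10:40004        SYN_RECV'

# syn_recv_by_ip: read netstat output on stdin, keep tcp rows whose local
# port is $1 and whose state is SYN_RECV, print "count ip" sorted by count.
syn_recv_by_ip() {
    awk -v port="$1" '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
        n = split($4, l, ":"); if (l[n] != port) next
        m = split($5, f, ":"); ip = f[1]
        for (i = 2; i < m; i++) ip = ip ":" f[i]   # keep IPv6 literals intact
        c[ip]++
    } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# suspects: print only the IPs with at least $2 half-open connections to port $1.
suspects() {
    syn_recv_by_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# deny_rules: emit (but do not run) one iptables DROP rule per suspect IP,
# so the list can be reviewed before anything is applied to the firewall.
deny_rules() {
    suspects "$1" "$2" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport $1 -j DROP"
    done
}

# Stand-alone run: show the per-IP tally for port 80 from the sample.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_ip 80
```

Source addresses in a real SYN flood are usually spoofed, so the per-IP list is most useful against floods from a handful of real hosts; for spoofed floods the kernel's SYN cookies, which the original log shows activating, remain the main defence.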
     